Microsoft Digital Defense Report 2024

Table of Contents

• Microsoft Digital Defense Report 2024 1
• In this report 2
• Cyber Point of View stories 2
• Overview 3
• About this report 3
• Report scope 3
• Report viewing and navigating 3
• Our commitment to preserving privacy 3
• Threat actor terminology used in this report 3
• Key information 3
• Our commitment to developing technology responsibly 3
• Links 3
• Introduction 4
• Complex, challenging, and increasingly dangerous 4
• Our unique vantage point 6
• Society | Microsoft Stakeholders | Microsoft Customers 7
• Microsoft’s unique vantage point 7
• An extra 13 trillion security signals per day 7
• 1 ,500 unique threat groups tracked 7
• Microsoft’s cybersecurity approach 7
• Microsoft security investments 7
• 34 ,000 dedicated security engineers 7
• Current and emerging threats 7
• Cybersecurity at Microsoft: the CISO’s perspective 8
• Chapter 1 The evolving cyber threat landscape 9
• Key developments 10
• The evolving cyber threat landscape 10
• Blurred lines between nation-state threat actor activity and cybercrime 10
• The many faces of hybrid war 10
• The need to impose deterrent consequences for cyber aggression 10
• 600 million identity attacks per day 10
• Nation-state influence operations converge on elections 10
• 2.75 x increase in human-operated ransomware-linked encounters 10
• Ingenuity and scalability of fraud tactics surging globally 10
• Introduction: The evolving landscape of cybersecurity 11
• Threat actors and motivations 12
• KEY TO MOTIVATIONS MAPPING 12
• Nation-state actors 12
• Russia 12
• China 12
• North Korea 12
• Iran 12
• Influence Operations 12
• Financially motivated 12
• Groups in development 12
• Nation-state threats 13
• Nation-state threat activity by the numbers 13
• The Education and Research sector became the second most targeted by nation-state threat actors 13
• Top 10 targeted sectors worldwide 13
• Nation-state threat actor targeting 14
• Regional sample of activity levels observed 14
• Russia 15
• Targeting by region 15
• Most targeted sectors 15
• China 15
• Targeting by region 15
• Most targeted sectors 15
• Iran 16
• Targeting by region 16
• Most targeted sectors 16
• North Korea 16
• Targeting by region 16
• Most targeted sectors 16
• Cyber Point of View: Japan 17
• Japan’s new Defense Whitepaper outlines its cybersecurity measures 17
• Blurring lines between nation-state threat actors and cybercriminals 18
• The many faces of hybrid war 19
• How Iran is using cyber-enabled influence operations to degrade Israel 19
• Iran’s most targeted countries prior to the Israel-Hamas conflict (July–October 2023) 19
• Iran’s most targeted countries after the start of the Israel-Hamas conflict (October 2023–June 2024) 19
• Russia’s wide-reaching tactics for spying on Ukraine’s military and its allies 20
• Daily count of Aqua Blizzard malware detections 20
• Midnight Blizzard threatens IT supply chain 20
• Midnight Blizzard’s most targeted sectors 20
• Operational technology (OT) systems are at risk in hybrid warfare 21
• Links 21
• Distribution of internet-exposed Unitronics controllers communicating over PCOM protocol as of June 2024 21
• Chinese cyber threat activity in and around the South China Sea 22
• Chinese threat actors target military and IT entities in the South China Sea 22
• Deterring the most advanced threats 23
• Cyber Point of View: Australia 24
• The power of public/private partnerships 24
• Links 24
• Election interference 25
• Nation-state threat actors and elections 25
• Russia, Iran, and China influence efforts converge on US election 25
• Election-related influence operations timeline 26
• Links 26
• Elections create another opportunity for impersonation threats 27
• Examples of homoglyph techniques 27
• Actionable Insights 27
• Ransomware 28
• Landscape and trends 28
• Top human-operated ransomware groups 28
• Organizations with ransom-linked encounters continues to increase while the percentage of those ransomed is decreasing (July 2022–June 2024) 28
• How cybercriminals are tampering with security products 29
• Actionable Insights 29
• Links 29
• Octo Tempest: a case study and a cautionary tale 30
• Tactics, techniques, and procedures used by Octo Tempest 30
• Initial access 30
• Discovery 30
• Credential access, lateral movement 30
• Defense evasion, execution 30
• Persistence 30
• Actions on objective 30
• Disrupting ransomware threat actors 31
• Links 31
• Cyber Point of View: Israel 31
• Combatting ransomware collectively 31
• Fraud 32
• Landscape and trends 32
• The ever-growing threat of cyber-enabled financial fraud 33
• Novel trends and nightmare scenarios in the world of e-commerce 34
• Actionable Insights 34
• Phishing 35
• Top email phishing types 35
• QR code phishing 35
• Links 35
• Business email compromise (BEC) 36
• Other noteworthy post-compromise behaviors observed 36
• Top post-compromise BEC behaviors 36
• Actionable Insights 36
• Impersonation 37
• Deepfakes 37
• Sectors impersonated in consumer phish 37
• Corporate impersonation 37
• Actionable Insights 37
• Links 37
• The dire state of techscam 38
• Actionable Insights 38
• Daily malicious traffic volume (millions) 38
• Account takeovers (ATOs) 39
• Confirmed ATOs in Azure Small Business segment 39
• Actionable Insights 39
• Links 39
• Identity and social engineering 40
• Insights on identity attacks and trends 40
• Attacks on identity infrastructure in the spotlight 40
• Actionable Insights 40
• Threat actors are bypasssing MFA, using innovative AiTM phishing attacks and token theft 41
• Actionable Insights 41
• Exploiting applications to access high-value resources 41
• Actionable Insights 41
• Identity attacks in perspective 42
• MFA attacks 42
• Post-authentication attacks 42
• Infrastructure compromise 42
• Security to the max: the optimal mindset for security professionals 43
• Technical debt makes maintaining a secure environment challenging 43
• “Secure by default” settings reduce identity compromises 44
• Actionable Insights 44
• MFA adoption: percentage of Entra ID monthly active users signing in with MFA 44
• Social engineering “next generation” 45
• Teams and Skype phishing 45
• SIM swapping 45
• Helpdesk social engineering 46
• How easy is it to carry out different types of social engineering attacks? 46
• EASY 46
• MEDIUM 46
• HARD 46
• Links 46
• Actionable Insights 46
• AiTM credential phishing 47
• Stormy skies: the rise of cloud identity compromise 48
• Links 48
• Cloud identity compromise 48
• Links 49
• Cloud identity abuse preparedness 49
• Actionable Insights 49
• Cyber Point of View: Canada 50
• How Canada is boosting security by investing in innovation and partnerships 50
• DDoS: Stealthier threats emerge 51
• Attack landscape 51
• A new threat: Application loop attacks 51
• Number of network DDoS attacks (January-June 2024) 52
• Actionable Insights 52
• Cyber Point of View: India 53
• DDoS attacks on the rise in India 53
• Daily number of attacks targeting the APAC region (February-June 2024) 53
• Actionable Insights 53
• Chapter 2 Centering our organizations on security 54
• Key developments 55
• Centering our organizations on security 55
• The Secure Future Initiative (SFI) 55
• Security stories from critical infrastructure frontlines 55
• Taking a threat-informed approach to defense 55
• Best practices for robust cybersecurity governance and accountability 55
• Hierarchical pyramid of cybersecurity needs 55
• Generative AI is fueling the need for data security policy implementation 55
• Collective action through deeper partnerships between industry and governments 55
• Supporting democratic elections 55
• Introduction: Tackling technical debt and shadow IT for a secure future 56
• Clearing out technical debt 56
• Putting security above all else 57
• Links 57
• Strategic approaches to cybersecurity: “Managing your own house” 58
• Data security 58
• Key components of an effective data security strategy 58
• An integrated approach to data security 58
• How generative AI is fueling the need for data security policy implementation 58
• Links 58
• Harnessing generative AI to define your data perimeter 59
• Readiness levels: Protecting and governing data while benefitting from generative AI 59
• 1 Prepare data 59
• 2 Limited implementation 59
• 3 Used to enhance productivity 59
• 4 Driving force for innovation 59
• Links 59
• Cyber Point of View: Sweden 60
• Using the cloud to protect against ransom attacks 60
• Hierarchy of cybersecurity needs 61
• AUTOMATE SECURITY OPERATIONS 61
• IMPACT… 61
• DETECT AND REMEDIATE THREATS 61
• IMPACT… 61
• SECURE DIGITAL ASSETS 61
• IMPACT… 61
• PROTECT ENDPOINTS 61
• IMPACT… 61
• PROTECT IDENTITIES 61
• IMPACT… 61
• Threat-informed defense 62
• Thinking differently to address threats 62
• The Silo Effect 62
• Pre-breach attack path analysis 63
• Single pane of glass 63
• Critical asset management 63
• Attack path management 63
• Links 63
• Attack path insights for threat-informed defense (June 2024) 63
• Optimizing governance and accountability 64
• Key elements should include: 64
• Avoiding blame. 64
• Making sure learnings or issues don’t slip through the cracks. 64
• Sharing responsibility. 64
• Requiring cross-team training and learning. 64
• Tips to build security literacy: 64
• Make it personal and human. 64
• Make it clear. 64
• Make it engaging and fun. 64
• Make it easy. 64
• Security incident decisions: Dispatches from the field 65
• Security incident decisions 65
• Preparation 65
• Communication 65
• Execution 65
• Preparation 65
• Communication 65
• Execution 65
• The following are the most common challenges we encountered during IR engagements: 66
• Links 66
• Cyber Point of View: Latin America 66
• Tough lessons for board members about cybersecurity 66
• Resilience maturity 67
• Operational 67
• For day-to-day IT operations, good preparation and maturity can ensure that an organization has good visibility of its estate, documented reliable playbooks, and rapid response capabilities based on automation. 67
• Readiness 67
• Prepare for a cybersecurity incident. 67
• Tactical 67
• Prepare for initial response to an incident to respond logically and efficiently. 67
• Strategic 67
• Take steps to improve overall security posture in the longer term. 67
• Supporting the ecosystem 68
• The passkey journey: a story of collaboration across the industry 68
• Actionable Insights 68
• Links 68
• Cyber Point of View: France 69
• Enhancing France’s cybersecurity workforce 69
• Links 69
• Critical environments 70
• Security stories from the frontline of OT 70
• A three-step action plan: insights from testing OT applications 70
• Types of OT systems in datacenters 70
• Inherent risks of vulnerabilities in OT equipment 71
• Emerging challenges and trends 71
• Categorizing the vulnerabilities 72
• The challenges of securing OT networking protocols 73
• Network security of embedded devices 73
• Actionable Insights 73
• Cyber Point of View: Africa 74
• Increasing the cyber resilience of emerging economies 74
• Links 74
• Managing software and firmware updates in the critical infrastructure environment 75
• Difficulties in updating software in the OT environment 75
• Managing the OT software supply chain 76
• Actionable Insights 76
• Datacenter outages caused by firmware version mismatch 76
• Experiences with fully-managed device updates 77
• Key steps included: 77
• Links 77
• Collective action 78
• The digital transformation of defense and a call for partnership 78
• RAISE: The Roundtable for AI, Security, and Ethics 78
• Links 79
• How Microsoft helps support democratic elections 80
• Microsoft is also helping protect the online environment surrounding elections by: 81
• Defending the information environment 81
• Protecting data 81
• Identifying and responding to threats 81
• Links 81
• Cyber Point of View: UK 82
• A continuously improving security partnership 82
• Links 82
• Chapter 3 Early insights: AI’s impact on cybersecurity 83
• Key developments 84
• Early insights: AI’s impact on cybersecurity 84
• AI-enabled human targeting 84
• Emerging threat actor techniques 84
• Governments and industries working to advance global AI security 84
• Nation-state threat actors are using AI for influence operations 84
• Limiting foreign influence operations in the modern era 84
• AI for defense 84
• Staying a step ahead of threat actors in the age of AI 84
• Introduction: AI’s impact on cybersecurity 85
• Understanding how generative AI systems work 86
• How Copilots work 86
• Two key insights 87
• 1. Building is easy; testing is hard 87
• 2. Generative AI security is nondeterministic 87
• Links 87
• These attacks are different 87
• They’re nondeterministic: 87
• Map human ideas to generative AI safety 87
• For a person, you might... 87
• For a Copilot, you might... 87
• Emerging threat landscape 88
• The generative AI threat landscape 88
• System threats 88
• Ecosystem threats 89
• Sophisticated AI-enabled human targeting 90
• Targeting high-value individuals 90
• The defensive advantage 90
• The offensive advantage 90
• Emerging techniques in AI enabled attacks 91
• AI-enabled spear phishing and whaling 91
• Links 91
• “Résumé swarming” and steganography 91
• This text visibleto the human eye 91
• “Key words” arevisible only toscreening systems 91
• Deepfakes and other variations on social engineering 91
• Actionable Insights 91
• Nation-state threat actors using AI for influence operations 92
• Adversarial use of AI in influence operations 92
• China-affiliated influence actors favor AI-generated imagery 92
• Russia-affiliated influence actors using audio-focused AI across mediums 93
• Iran-affiliated influence actors are in the early stages of AI integration 93
• Limiting foreign influence operations in the modern era 94
• Limits on targets 94
• Limits on tools and techniques 94
• Links 94
• AI for defense 95
• Harnessing AI to detect cyberattacks 96
• Detecting hidden attacks with AI 96
• Disrupting attacks by combining endpoint detection and response with AI 96
• Extending AI across cybersecurity 96
• AI’s early impact on the security operations center (SOC) 97
• Examples 97
• Seven areas of efficiencies in Microsoft security operations 98
• Using generative AI to understand cyberattacks and create tailored mitigations 100
• Growth in complexity of MITRE ATT&CK tactics and techniques 100
• May 2015 100
• April 2024 Note 59 100
• From categories to context 100
• Rules-based approach 101
• With generative AI 101
• How governments and industries are advancing global AI security 102
• Government approaches to AI security 102
• The United States 103
• The European Union 103
• Other legislative initiatives 103
• Cyber Point of View: Albania 104
• Transparency, advanced technologies, and generative AI to combat malicious state-sponsored cyberattacks 104
• Collaborative policy initiatives for AI security 105
• July 2023 105
• August 2023 105
• November 2023 105
• January 2024 105
• February 2024 105
• March 2024 105
• April 2024 105
• May 2024 105
• June 2024 105
• International standards for AI security 106
• The benefits of international standards 106
• ISO/IEC 42001 106
• ISO/IEC 27090 106
• Actionable Insights 106
• Staying a step ahead of threat actors in the age of AI 107
• Links 107
• Appendix 108
• Additional information 108
• References 109
• Overview 109
• Chapter 1. The evolving cyber threat landscape 109
• Chapter 2. Centering our organizations on security 110
• Chapter 3. Early insights: AI’s impact on cybersecurity 110
• Contributing teams 111