Get insights straight from the experts on the Microsoft Threat Intelligence Podcast. Listen now.
Microsoft Digital Defense Report 2022
Insights from trillions of daily security signals
Unique advantage point
The goal of the Microsoft Digital Defense Report, now in its third year (previously called Microsoft Security Intelligence Report with over 22 reports archived), is to illuminate the evolving digital threat landscape across four key areas of focus: cybercrime, nation state threats, devices & infrastructure, and cyber influence operations while providing insight and guidance on how to improve cyber resiliency.
Microsoft serves billions of customers globally, allowing us to aggregate security data from a broad and diverse spectrum of organizations and consumers. This report draws on our breadth and depth of signals intelligence from across Microsoft, including the cloud, endpoints, and the intelligent edge. This unique vantage point gives us a high-fidelity picture of the threat landscape and the current state of cybersecurity, including indicators that help us predict what attackers will do next. We see transparency and information sharing as essential to helping our customers become more cyber resilient, and to the protection of the ecosystem.
In this high-level summary of the report, you will learn about the state of cybercrime, how Internet of Things (IoT) devices are becoming an increasingly popular target, new nation state tactics and the rise of cyber mercenaries, cyber influence operations, and, most importantly, how to stay resilient during these times.
- 43 trillion signals synthesized daily, using sophisticated data analytics and AI algorithms to understand and help protect against digital threats and criminal cyberactivity
- 8,500+ engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators, and frontline responders across 77 countries
- 15,000+ partners in our security ecosystem who increase cyber resilience for our customers
Cybercrime continues to rise, driven by dramatic increases in both random and targeted attacks. We have observed increasingly diverse threats in the digital landscape with developments in cyberattack methods and criminal infrastructure used to augment the kinetic war during the Russian invasion of Ukraine.
Ransomware attacks pose an increased danger to all individuals as critical infrastructure, businesses of all sizes, and state and local governments are targeted by criminals leveraging a growing cybercriminal ecosystem. As ransomware attacks have become more audacious in scope, their effects have become more wide-ranging. A sustainable and successful effort against this threat will require a whole-of-government strategy to be executed in close partnership with the private sector.
Upon analysis of our response and recovery engagements, we consistently found weak identity controls, ineffective security operations, and incomplete data protection strategies among the impacted organizations.
This year saw a significant increase in indiscriminate phishing and credential theft to gain information which is sold and used in targeted attacks such as ransomware, data exfiltration and extortion, and business email compromise.
Cybercrime as a service (CaaS) is a growing and evolving threat to customers worldwide. The Microsoft Digital Crimes Unit (DCU) observed continued growth of the CaaS ecosystem with an increasing number of online services facilitating cybercrimes, including business email compromise (BEC) and human-operated ransomware. CaaS sellers increasingly offer compromised credentials for purchase and we’re seeing more CaaS services and products with enhanced features to avoid detection.
Attackers are finding new ways to implement techniques and host their operational infrastructure, such as compromising businesses to host phishing campaigns, malware, or use their computing power to mine cryptocurrency. Internet of Things (IoT) devices are becoming an increasingly popular target for cybercriminals using widespread botnets. When routers are unpatched and left exposed directly to the internet, threat actors can abuse them to gain access to networks, execute malicious attacks, and even support their operations.
Hacktivism was on the rise over the past year, with private citizens conducting cyberattacks to further social or political goals. Thousands of individuals were mobilized to launch attacks as part of the Russia-Ukraine war. While it remains to be seen whether this trend will continue, the technology industry must come together to design a comprehensive response to this new threat.
Accelerating digital transformation has increased the cybersecurity risk to critical infrastructure and cyber-physical systems. As organizations harness advances in computing capability and entities digitize to thrive, the attack surface of the digital world is exponentially increasing.
The rapid adoption of IoT solutions has increased the number of attack vectors and the exposure risk of organizations. This migration has outpaced most organizations’ ability to keep up as malware as a service has moved into large-scale operations against civil infrastructure and corporate networks.
We have observed increased threats exploiting devices in every part of the organization, from traditional IT equipment to operational technology (OT) controllers or simple IoT sensors. We have seen attacks on power grids, ransomware attacks disrupting OT operations, and IoT routers being leveraged for increased persistence. At the same time, there has been increased targeting of vulnerabilities in firmware – software embedded in a device’s hardware or circuit board – to launch devastating attacks.
To counter these and other threats, governments worldwide are developing and evolving policies to manage critical infrastructure cybersecurity risk. Many are also enacting policies to improve IoT and OT device security. The growing global wave of policy initiatives is creating enormous opportunity to enhance cybersecurity but also poses challenges to stakeholders across the ecosystem. As policy activity across regions, sectors, technologies, and operational risk management areas is pursued simultaneously, there is the potential for overlap and inconsistency in scope, requirements, and complexity of requirements. Public and private sector organizations need to seize the opportunity to enhance cybersecurity with additional engagement and efforts towards consistency.
- 68% of respondents believe the adoption of IoT/OT is critical to their strategic digital transformation
- 60% recognize that IoT/OT security is one of the least secured aspects of their infrastructure
In the past year, there has been a shift among nation state cyber threat groups from exploiting the software supply chain to exploiting the IT services supply chain, targeting cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors.
As organizations strengthen their cybersecurity postures, nation state actors have responded by pursuing new and unique tactics to deliver attacks and evade detection. The identification and exploitation of zero-day vulnerabilities is a key tactic in this effort. The number of publicly disclosed zero-day vulnerabilities over the past year is on par with those from the previous year, which was the highest on record. Many organizations assume that they are less likely to be a victim of zero-day exploit attacks if vulnerability management is integral to their network security. However, the commoditization of exploits is leading them to come at a much faster rate. Zero-day exploits are often discovered by other actors and reused broadly in a short period of time, leaving unpatched systems at risk.
We have seen a growing industry of private sector offensive actors, or cyber mercenaries, that develop and sell tools, techniques, and services to clients – often governments – to break into networks, computers, phones, and internet-connected devices. While an asset for nation state actors, these entities often endanger dissidents, human rights defenders, journalists, civil society advocates, and other private citizens. These cyber mercenaries are providing advanced “surveillance as a service” capabilities which many of the nation states would not have been able to develop alone.
Democracy needs trustworthy information to flourish. A key area of focus for Microsoft are the influence operations being developed and perpetuated by nation states. These campaigns erode trust, increase polarization, and threaten democratic processes.
In particular, we are seeing certain authoritarian regimes working together to pollute the information ecosystem to their mutual advantage. Campaigns that sought to obscure the origin of the COVID-19 virus offer an example. Since the start of the pandemic, Russian, Iranian, and Chinese COVID-19 propaganda boosted coverage to amplify these central themes.
900% year-over-year increase in proliferation of deepfakes since 2019
We are also entering what we expect to be a golden era for AI-enabled media creation and manipulation, driven by the proliferation of tools and services for artificially creating highly realistic synthetic images, videos, audio, and text and the ability to quickly disseminate content optimized for specific audiences. A longer-term and even more insidious threat is to our understanding of what is true if we can no longer trust what we see and hear.
The rapidly changing nature of the information ecosystem, coupled with nation state influence operations – including the merging of traditional cyberattacks with influence operations and interference in democratic elections – requires a whole-of-society approach. Increased coordination and information sharing across government, the private sector, and civil society is needed to increase transparency of these influence campaigns and to expose and disrupt campaigns.
There is an increasing sense of urgency to respond to the rising level of threats in the digital ecosystem. The geopolitical motivations of threat actors have demonstrated that states have escalated their use of offensive cyber operations to destabilize governments and impact global trade operations. As these threats increase and evolve, it’s crucial to build cyber resilience into the fabric of the organization.
As we have seen, many cyberattacks are successful simply because basic security hygiene has not been followed. The minimum standards every organization should adopt are:
The cyber resilence bell curve: 98% of basic security hygeine still protects against 98% off all attacks. Learn more about this image on page 109 of the 2022 Microsoft Digital Defense Report
Enable multifactor authentication (MFA)
To protect against compromised user passwords and help provide extra resilience for identities.
Apply Zero Trust principles
The cornerstone of any resilience plan limiting the impact on an organization. These principles are:
- Explicitly verify: Ensure users and devices are in a good state before allowing access to resources.
- Use least privilege access: Only allow the privilege that is needed for access to a resource and no more.
- Assume breach: Assume system defenses have been breached and systems might be compromised. This means constantly monitoring the environment for possible attack.
Use modern anti-malware
Implement software to help detect and automatically block attacks and provide insights to the security operations. Monitoring insights from threat detection systems is essential to being able to respond to threats in a timely fashion.
Keep up to date
Unpatched and out of date systems are a key reason many organizations fall victim to an attack. Ensure all systems are kept up to date including firmware, the operating system, and applications.
Protect data
Knowing your important data, where it is located and whether the right systems are implemented is crucial to implementing the appropriate protection.
Source: Microsoft Digital Defense Report, November 2022
Follow Microsoft