
10 essential insights from the Microsoft Digital Defense Report 2023

As details from the Microsoft Digital Defense Report 2023 reveal, cyberthreats continue to grow in sophistication, speed, and scale, compromising an ever-growing pool of services, devices, and users. As we confront these challenges and prepare for a future where AI can help level the playing field, it’s imperative to act decisively on each of these ten insights.

As a company committed to making the world a safer place, Microsoft has invested heavily in security research, innovation, and the global security community. We have access to a diverse range of security data which puts us in a unique position to understand the state of cybersecurity and to identify indicators that can help predict the next moves of attackers.


As part of our longstanding commitment to create a safer world, Microsoft’s investments in security research, innovation, and the global security community include:

  • Daily: 65 trillion signals synthesized; 4,000 identity attacks blocked
  • Total: 100,000+ domains removed; 135 million devices managed

Learn more about this image on page 6 in the full report.

The vast majority of successful cyberattacks could be thwarted by implementing a few fundamental security hygiene practices. Using the hyper-scale cloud makes it easier to implement them by either enabling them by default or abstracting the need for customers to implement them.

Basic security hygiene still protects against 99% of attacks
Cyber hygiene bell curve taken from the 2023 Microsoft Digital Defense Report (MDDR). Learn more about this image on page 7 in the full report

Fundamentals of cyber hygiene

  • Enable MFA 
    This protects against compromised user passwords and helps provide extra resilience for identities.
  • Apply Zero Trust principles 
    The cornerstone of any resilience plan is to limit the impact of an attack. These principles are:
    (1) Explicitly verify. Ensure users and devices are in a good state before allowing access to resources.
    (2) Use least privilege access. Allow only the privilege needed to access a resource and no more.
    (3) Assume breach. Assume system defenses have been breached and systems may be compromised. This means constantly monitoring the environment for possible attack.
  • Use extended detection and response (XDR) and antimalware 
    Implement software that detects and automatically blocks attacks and feeds insights into security operations tooling. Monitoring the insights from threat detection systems is essential to being able to respond quickly to cyberthreats.
  • Keep up to date 
    Attackers take advantage of unpatched and out-of-date systems. Ensure all systems are kept up to date, including firmware, the operating system, and applications.
  • Protect data 
    Knowing your important data, where it is located, and whether the right defenses are implemented is crucial to implementing appropriate protection.

Microsoft’s telemetry indicates an increased rate of ransomware attacks compared with last year, with human-operated ransomware attacks tripling since September 2022. Going forward, we expect ransomware operators will seek to leverage automation, AI, and hyperscale cloud systems to scale and maximize the effectiveness of their attacks.

The ransomware landscape

Ransomware statistics from the report: 123 RaaS affiliates; 60% of attacks use remote encryption; 70% of targets are organizations with fewer than 500 employees. Learn more about this image on page 2 in the full report.

Ransomware elimination and the Foundational Five

We have identified five foundational principles which we believe every enterprise should implement to defend against ransomware across identity, data, and endpoints.  
  1. Modern authentication with phish-resistant credentials
  2. Least Privileged Access applied to the entire technology stack
  3. Threat- and risk-free environments
  4. Posture management for compliance and the health of devices, services, and assets
  5. Automatic cloud backup and file-syncing for user and business-critical data

Microsoft Entra data reveals a more than tenfold increase in attempted password attacks when compared with the same period from a year ago. One way to deter would-be attackers is to use non-phishable credentials such as Windows Hello for Business or FIDO keys.

Chart of Microsoft Entra data showing the number of password attacks (in billions) by year, compared with this time last year. Learn more about this image on page 16 in the full report.

Did you know?

One of the main reasons password attacks are so prevalent is due to a low security posture. Many organizations have not enabled MFA for their users, leaving them vulnerable to phishing, credential stuffing, and brute force attacks.

Threat actors are adapting their social engineering techniques and use of technology to carry out more sophisticated and costly BEC attacks. Microsoft’s Digital Crimes Unit believes increased intelligence sharing across the public and private sectors will enable a faster and more impactful response to BEC.

156,000 daily Business Email Compromise (BEC) attempts observed from April 2022 to April 2023
Number of daily BEC attempts observed, April 2022 to April 2023. Learn more about this image on page 33 in the full report.

Did you know?

The Microsoft Digital Crimes Unit has taken a proactive stance by actively tracking and monitoring 14 DDoS-for-hire sites, including one situated in the dark web, as part of its commitment to identifying potential cyberthreats and remaining ahead of cybercriminals.

Nation-state actors have increased the global scope of their cyber operations as part of information gathering. Organizations involved in critical infrastructure, education, and policymaking were among the most targeted, in line with many groups’ geopolitical goals and espionage-focused remits. Steps to detect possible espionage-related breaches include monitoring changes to mailboxes and permissions.
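A detection-logic sketch of the mailbox and permission monitoring recommended above, added here as an example; it is not code from the report or from Microsoft. It scans constructed audit records, shaped loosely like Microsoft 365 unified audit log entries (Operation, UserId, ObjectId, Parameters), for mailbox access grants, mail-forwarding rules and role-group membership changes, and then looks for one actor behind several such changes. The record layout, the sample records, the severity ranking and the helper names (classify, scan, summarize, actors_with_multiple_changes) are all assumptions made for this illustration.

```python
"""Flag mailbox access grants, mail-forwarding changes and role additions
in constructed audit records.

Added example, not from the Microsoft Digital Defense Report. The record
layout (Operation, UserId, ObjectId, Parameters) is modelled loosely on
Microsoft 365 unified audit log entries; every record below is constructed
for illustration and the severity ranking is an assumed triage order.
"""
import json
from collections import Counter

# Exchange Online operations that change who can read a mailbox, where its
# mail goes, or who holds an admin role. Severities are an assumption.
WATCHED_OPERATIONS = {
    "Add-MailboxPermission": "high",   # another identity gains mailbox access
    "Add-RoleGroupMember": "high",     # admin role group membership change
    "Set-Mailbox": "high",             # interesting only when it sets forwarding
    "New-InboxRule": "medium",         # rules that forward or redirect mail
    "Set-InboxRule": "medium",
}
RULE_OR_MAILBOX_OPS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample records (one JSON object per line, not real telemetry).
SAMPLE_LOG = """
{"CreationTime":"2023-05-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@contoso.example","ObjectId":"alice@contoso.example","Parameters":[]}
{"CreationTime":"2023-05-01T08:05:40","Operation":"Add-MailboxPermission","UserId":"admin@contoso.example","ObjectId":"ceo@contoso.example","Parameters":[{"Name":"User","Value":"svc-backup@contoso.example"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2023-05-01T08:06:02","Operation":"New-InboxRule","UserId":"bob@contoso.example","ObjectId":"bob@contoso.example","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"collector@external.example"}]}
{"CreationTime":"2023-05-01T08:07:45","Operation":"Set-InboxRule","UserId":"carol@contoso.example","ObjectId":"carol@contoso.example","Parameters":[{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2023-05-01T08:09:15","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"cfo@contoso.example","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:relay@external.example"}]}
{"CreationTime":"2023-05-01T08:10:00","Operation":"Add-RoleGroupMember","UserId":"admin@contoso.example","ObjectId":"Organization Management","Parameters":[{"Name":"Identity","Value":"Organization Management"},{"Name":"Member","Value":"svc-backup@contoso.example"}]}
{"CreationTime":"2023-05-01T08:11:30","Operation":"UserLoggedIn","UserId":"carol@contoso.example","ObjectId":"Office 365","Parameters":[]}
"""


def _params(record):
    """Flatten the Parameters list into a {name: value} dict."""
    return {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}


def classify(record):
    """Return (severity, reason) for a record worth alerting on, else None."""
    op = record.get("Operation")
    if op not in WATCHED_OPERATIONS:
        return None
    params = _params(record)
    if op in RULE_OR_MAILBOX_OPS:
        forwarding = sorted(FORWARDING_PARAMS & params.keys())
        if not forwarding:
            return None  # routine rule or mailbox edit with no forwarding
        # Forwarding combined with deletion hides the copy from the mailbox owner.
        severity = "high" if params.get("DeleteMessage") == "True" else WATCHED_OPERATIONS[op]
        reason = "mail forwarded via " + ", ".join(f"{k}={params[k]}" for k in forwarding)
    else:
        grantee = params.get("User") or params.get("Member")
        right = params.get("AccessRights") or params.get("Identity")
        severity = WATCHED_OPERATIONS[op]
        reason = f"{grantee} granted {right} on {record.get('ObjectId')}"
    return severity, reason


def scan(log_text):
    """Run classify() over newline-delimited JSON records; return alerts in order."""
    alerts = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        hit = classify(record)
        if hit is None:
            continue
        severity, reason = hit
        alerts.append({"time": record["CreationTime"], "actor": record["UserId"],
                       "operation": record["Operation"], "target": record["ObjectId"],
                       "severity": severity, "reason": reason})
    return alerts


def summarize(alerts):
    """Count alerts by severity."""
    return Counter(a["severity"] for a in alerts)


def actors_with_multiple_changes(alerts, threshold=2):
    """Actors behind `threshold` or more alerts: a burst of grants from one
    account is a stronger signal than any single change."""
    per_actor = Counter(a["actor"] for a in alerts)
    return sorted(actor for actor, n in per_actor.items() if n >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']:<6}] {a['time']} {a['actor']} {a['operation']}: {a['reason']}")
    print("by severity:", dict(summarize(found)))
    print("actors with repeated changes:", actors_with_multiple_changes(found))
```

The filter on forwarding parameters matters in practice: Set-Mailbox and Set-InboxRule fire constantly for benign reasons, so alerting on the operation name alone would bury the one change that redirects a mailbox outside the tenant. The per-actor count catches the pattern the report describes, an account quietly granting itself reach across several mailboxes and roles, which no single record reveals.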


The most targeted nations by region* were:

Snapshot of global nation-state threat actors by region (figure values as extracted: Europe 4, Poland 4, Middle East and North Africa 2.2, Asia Pacific 2). A fuller data breakdown can be found in the report. Learn more about this image on page 12 in the full report.

Did you know?

This year, Microsoft launched a new threat actor naming taxonomy. The new taxonomy will bring better clarity to customers and security researchers with a more organized and easy-to-use reference system for threat actors.

Nation-state actors are more frequently employing influence operations alongside cyber operations to spread favored propaganda narratives, stoke social tensions, and amplify doubt and confusion. These operations are often carried out in the context of armed conflicts and national elections.

Blizzard actor category

Russian state actors expanded their scope of activity beyond Ukraine to target Kyiv’s allies, principally NATO members.

Typhoon actor category

China’s expanded and sophisticated activities reflect its dual pursuits of global influence and intelligence collection. Its targets include US defense and critical infrastructure, South China Sea nations, and Belt and Road Initiative partners.

Sandstorm actor category

Iran has expanded its cyber activities to Africa, Latin America, and Asia. Leaning heavily into influence operations, it has pushed narratives that seek to foment Shi’ite unrest in Gulf Arab countries and counter the normalization of Arab-Israeli ties.

Sleet actor category

North Korea has increased the sophistication of its cyber operations in the last year, especially in cryptocurrency theft and supply chain attacks.

Did you know?

While AI-generated profile pictures have long been a feature of state-sponsored influence operations, the use of more sophisticated AI tools to create more striking multimedia content is a trend we expect to persist with the wider availability of such technologies.

Attackers have increasingly targeted the high vulnerability of information technology and operational technology (IT-OT) environments, which can be difficult to defend. For example, of the 78% of internet of things (IoT) devices with known vulnerabilities on customer networks, 46% cannot be patched. A robust OT patch management system is therefore an essential component of a cybersecurity strategy, while network monitoring in OT environments may help detect malicious activity.

Pie chart of IoT device vulnerability status on customer networks (values as labelled in the figure: 78% vulnerable, 22% not vulnerable, 32% patchable CVEs, 46% patched, 7% no CVEs). Learn more about this image on page 61 in the full report.

Did you know?

25% of OT devices on customer networks use unsupported operating systems, making them more susceptible to cyberattacks due to a lack of essential updates and protection against evolving cyberthreats.
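An inventory triage that turns the two findings above (vulnerable devices that cannot be patched, and devices on unsupported operating systems) into a per-device decision between patching and compensating controls, added here as an example; it is not code from the report or from Microsoft. The Device fields, the inventory rows, the decision rules and the helper names (triage, summarize_inventory, monitoring_watchlist) are constructed assumptions for the illustration, and the summary figures it produces come from that constructed inventory, not from the report's data.

```python
"""Triage a constructed OT/IoT inventory into patching work versus
compensating controls.

Added example, not from the Microsoft Digital Defense Report. The inventory
rows, field names and decision rules are constructed assumptions that
illustrate the report's point: devices that cannot be patched, or that run
an unsupported OS, need segmentation and network monitoring instead.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    os_supported: bool      # vendor still ships security updates for the OS
    known_cves: int         # CVEs matched against the device's firmware/OS
    patch_available: bool   # a fix exists and the device can actually take it
    network_segment: str


# Constructed inventory (assumed values, not real customer data).
INVENTORY = [
    Device("plc-01", False, 3, False, "cell-a"),
    Device("hmi-02", True, 2, True, "cell-a"),
    Device("cam-03", True, 1, False, "dmz-cameras"),
    Device("rtu-04", False, 0, False, "substation"),
    Device("gw-05", True, 1, True, "cell-b"),
    Device("hist-06", True, 4, True, "cell-b"),
    Device("ups-07", True, 1, False, "facilities"),
    Device("sw-08", True, 0, False, "core"),
]


def triage(device):
    """Decide the action for one device."""
    if device.known_cves > 0 and device.patch_available:
        return "patch"
    if device.known_cves == 0 and device.os_supported:
        return "baseline-monitor"   # clean today; keep it in routine monitoring
    # Vulnerable but unpatchable, or on an OS that receives no updates:
    # segmentation plus network monitoring is the only remaining lever.
    return "isolate-and-monitor"


def summarize_inventory(devices):
    """Posture figures in the same shape the report presents them."""
    total = len(devices)
    vulnerable = [d for d in devices if d.known_cves > 0]
    unpatchable = [d for d in vulnerable if not d.patch_available]
    unsupported = [d for d in devices if not d.os_supported]
    return {
        "total": total,
        "vulnerable_pct": round(100 * len(vulnerable) / total),
        "unpatchable_pct_of_vulnerable": round(100 * len(unpatchable) / len(vulnerable)) if vulnerable else 0,
        "unsupported_os_pct": round(100 * len(unsupported) / total),
        "actions": dict(Counter(triage(d) for d in devices)),
    }


def monitoring_watchlist(devices):
    """Network segments holding at least one isolate-and-monitor device,
    i.e. where OT network monitoring is the compensating control."""
    return sorted({d.network_segment for d in devices if triage(d) == "isolate-and-monitor"})


if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.name:<8} {d.network_segment:<12} -> {triage(d)}")
    print(summarize_inventory(INVENTORY))
    print("segments needing network monitoring:", monitoring_watchlist(INVENTORY))
```

The point of the third branch is that an unsupported OS with no matched CVE today (rtu-04 in the constructed data) still lands in isolate-and-monitor: a device that will never receive fixes cannot be treated as clean on the strength of a scanner that found nothing. The watchlist of segments is the input a defender would hand to whoever deploys OT network monitoring, which the report names as the fallback when patching is not possible.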

AI can enhance cybersecurity by automating and augmenting cybersecurity tasks, enabling defenders to detect hidden patterns and behaviors. LLMs can contribute to threat intelligence; incident response and recovery; monitoring and detection; testing and validation; education; and security, governance, risk and compliance.



Microsoft’s researchers and applied scientists are exploring many scenarios for LLM application in cyber defense; the scenarios are shown in a figure from the Microsoft Digital Defense Report 2023. Learn more about this image on page 98 in the full report.

Did you know?

Microsoft’s AI Red Team of interdisciplinary experts is helping build a future of safer AI. Our AI Red Team emulates the tactics, techniques, and procedures (TTPs) of real-world adversaries to identify risks, uncover blind spots, validate assumptions, and improve the overall security posture of AI systems. Learn more about Microsoft’s red teaming for AI in the Microsoft Security Blog post “Microsoft AI Red Team building future of safer AI”.

As cyberthreats evolve, public-private collaboration will be key to improve collective knowledge, drive resilience, and inform mitigation guidance across the security ecosystem. For example, this year, Microsoft, Fortra LLC, and Health-ISAC worked together to reduce cybercriminal infrastructure for the illicit use of Cobalt Strike. This has resulted in a reduction of this infrastructure by 50% in the United States.

Graphic showing a 50% reduction in active cracked Cobalt Strike servers in the United States. Learn more about this image on page 115 in the full report.

Did you know?

The global Cybercrime Atlas brings together a diverse community of more than 40 private and public sector members to centralize knowledge sharing, collaboration, and research on cybercrime. The goal is to disrupt cybercriminals by providing intelligence that facilitates actions by law enforcement and the private sector, leading to arrests and the dismantling of criminal infrastructures.

The global shortage of cybersecurity and AI professionals can only be addressed through strategic partnerships between educational institutions, nonprofit organizations, governments, and businesses. Since AI may help relieve some of this burden, the development of AI skills is a top priority for company training strategies.

Chart depicting a 35% increase in demand for cybersecurity experts over the past year. Learn more about this image on page 120 in the full report.

Did you know?

The Microsoft AI Skills Initiative includes new, free coursework developed in collaboration with LinkedIn. This enables workers to learn introductory AI concepts, including responsible AI frameworks, and receive a Career Essentials certificate upon completion.
