
Microsoft Digital Defense Report 2020

We’re proud to provide the global community with the latest in a long series of security intelligence reports. The Microsoft Digital Defense Report is a reimagining of Microsoft’s Security Intelligence Report (SIR), first published in 2005. It brings together more insights, from more teams, across more areas of Microsoft than ever before, and it targets a broader audience.

2020 has brought major disruptions to both the physical and digital worlds, and these changes are also evident in the cyber threat landscape. Certain types of attacks have escalated as cybercriminals change tactics, leveraging current events to take advantage of vulnerable targets and advance their activity through new channels. Change brings opportunity, for both attackers and defenders, and this report focuses on the threats that are most novel and relevant to the community in this moment.

Looking at the data and signals from the cross-company teams, three top-level areas came into the sharpest focus: cybercrime, nation state threats, and the remote workforce.

The state of cybercrime

A key area we address in this chapter is the opportunistic nature of cybercriminals as they capitalized on interest and fear related to the COVID-19 pandemic and other disruptive events. We also explore how email phishing in the enterprise context continues to grow and has become a dominant vector. Given the increase in available information regarding these schemes and technical advancements in detection, the criminals behind these attacks are now spending significant time, money, and effort to develop scams that are sufficiently sophisticated to victimize even savvy professionals. We also share leading indicators of where attacks might be headed next, as we provide a look into adversarial machine learning (ML), attacks on ML systems, and why it’s so important for organizations to take steps to secure them. Lastly, we take a look at our observations and recommendations for supply chain security on third-party services, open-source software, and Internet of Things (IoT) hardware, concluding with a look at changes to the regulatory landscape.

Nation state threats

Nation state actors are well-funded, well-trained, and have more patience to play the “long game,” which can make identification of anomalous activity more difficult. Like cybercriminals, they watch their targets and change techniques to increase their effectiveness. To protect our customers, Microsoft spends significant resources monitoring and disrupting nation state attacks attempted on our platform. In this section, we explain the four main approaches Microsoft employs to thwart nation state actors: technology, operations, legal action, and policy.

We also provide our analysis of the intent behind nation state threats and how to defend against them. We look at top-level trends in country-of-activity origin, targeted geographic regions, and the top nation state activity groups detected. Finally, we examine some of the most common attack techniques used by nation state actors in the past year: reconnaissance, credential harvesting, malware, and virtual private network (VPN) exploits.

Security and the remote workforce

Almost overnight, the workforce of thousands of organizations around the world became entirely remote. Although workforces around the world, regardless of size, have been trending toward mobility in some aspects of their operations, few companies and learning institutions were set up to operate 100% remotely. Operational tasks like software or device patching and updates had previously been accomplished when mobile workers routinely returned to the office, but after the COVID-19 outbreak, this option temporarily disappeared.

In this chapter, we take a closer look at three important areas of consideration for an at-scale remote workforce: infrastructure, data, and people. We explain how organizations can support a secure, remote workforce through VPN architecture and the principles of Zero Trust. We explore how data protection practices continue to increase, as workforces become remote and teams collaborate on vital assets without being physically together. Correspondingly, we observe the continued increase in usage of information rights management to enforce policies aimed at protecting confidential information and intellectual property. Finally, we reflect on our enterprise-scale exercise in resilience and lessons learned as the world moves through a global pandemic and billions of individuals adapt to working, learning, and socializing from their home environments.

Microsoft Digital Defense Report 2023: Building cyber resilience

The latest edition of the Microsoft Digital Defense Report explores the evolving threat landscape and walks through opportunities and challenges as we become cyber resilient.


Microsoft Digital Defense Report 2022

In the 2022 edition of the Microsoft Digital Defense Report, Microsoft security experts illuminate today’s threat landscape, providing insights on emerging trends as well as historically persistent threats.


Microsoft Digital Defense Report 2021

The 2021 edition of the Microsoft Digital Defense Report draws on insights, data, and more from trillions of daily security signals from across Microsoft, including the cloud, endpoints, and the intelligent edge.
