Trace Id is missing
Skip to main content
Microsoft Security

Security is only as good as your threat intelligence

A blue shield with a white padlock on it

Now even stronger with AI

Longtime cybersecurity observers know how frustrating the fight for progress can be. Our profession demands constant vigilance, and the assurance of a job well done can be nothing if not elusive. Bad news dominates the headlines, and reports of doom and gloom abound, yet we do see cybersecurity success stories every day.

Every day our defenders quietly share information. Every day they raise the cost of crime for attackers and their vast criminal syndicates. Every day they leverage their considerable skill and talent to find the criminals faster and evict them sooner.

Threat intelligence (TI) works, and median adversary dwell times continue to drop. The current 20-day level represents a marked change from when attackers could lurk undetected for months.

We can thank better intelligence for this difference. We can thank better tools. We can thank better resources. And when we bring these forces together—specifically, TI, data at scale, and artificial intelligence (AI)—our impact as defenders will accelerate and amplify.

Data is how defenders see, and our vision has never been better. Cloud competition has dramatically driven down the cost of holding and querying data, allowing huge leaps in innovation. Lower costs have made it possible to deploy higher resolution sensors across the digital estate. The rise of XDR+SIEM has expanded data and signal from endpoint, to app, to identity, to cloud.

More signal provides more surface area for TI. This TI then feeds AI. TI acts as labels and training data for AI models to predict the next attack.

What TI can find, AI can help scale.

That intuition and experience behind an intelligence win can be modeled digitally with millions of parameters against our 65 trillion signals.

Microsoft takes an adversary-centric approach to threat intelligence. We actively track more than 300 unique threat actors, including more than 160 groups linked to nation states and more than 50 ransomware gangs.

The work demands creativity and innovation and the contributions of many, multidisciplinary contributors. Good threat intelligence puts people together—cybersecurity experts and applied scientists working together alongside authorities in geopolitics and disinformation to consider the whole of their adversaries so they can understand the what of an attack when it’s happening and intuit the why and where of what might happen next.

Security Insider Report

To see best-in-class threat intelligence in action, download A year of Russian hybrid warfare in Ukraine.

Artificial intelligence (AI) helps scale defense at the rate of attack. With AI, human-operated ransomware attacks can be disrupted even sooner, turning low confidence signals into an early warning system.

Human investigators piece together individual clues to realize an attack is happening. That takes time. But in situations where time is scarce, the process for determining malicious intent can be done at AI speed. Artificial intelligence makes it possible to link context together.

Just like how human investigators think on multiple levels, we can combine three kinds of AI-informed inputs to find ransomware attacks at the beginning of escalation.

  • At the organization level, AI employs a time-series and statistical analysis of anomalies
  • At the network level, it constructs a graph view to identify malicious activity across devices
  • At the device level, it uses monitoring across behavior and TI to identify high confidence activity

Spotlight on ransomware: A conversation with Jessica Payne

The best news about ransomware is that it is largely a preventable threat. A lot of reporting on ransomware focuses on the ransomware payloads, which can make it seem like an endlessly scaling threat of dozens of attackers, but what it really is, is a subset of attackers who use the same techniques but switch between available ransomware as a service payloads.

By focusing on the actors behind the attacks versus the payloads, we can show that most attackers who deploy ransomware aren’t using magical skills or developing bespoke zero-day exploits; they are taking advantage of common security weaknesses.

A lot of the attackers use the same techniques, so you can see where the threats overlap and apply mitigations for them. Almost every ransomware attack involves attackers gaining access to a highly privileged credential like a domain admin or a software deployment account – and this is something you can solve with built in tools like Group Policies, Event Logs, and Attack Surface Reduction (ASR) Rules.

In some orgs that have enabled ASR rules they saw a 70% reduction in incidents, meaning less SOC fatigue and less chances for attackers to gain initial access to chip away at their defenses. The organizations that are successful against ransomware are the ones who focus on this type of hardening.

Prevention work is essential.

One of the things I like to say is that prevention and detection are not peers. Prevention is detection’s guardian because it quiets the network and gives you the whitespace to find the most important things.

All-in-all, threat intelligence in the right hands makes the difference in preventing an attack or interrupting it automatically.

Learn more about how to protect your organization from ransomware, and read the full report.

A group of people walking on colorful blocks
Featured

Navigating cyberthreats and strengthening defenses in the era of AI

Advances in artificial intelligence (AI) present new threats—and opportunities—for cybersecurity. Discover how threat actors use AI to conduct more sophisticated attacks, then review the best practices that help protect against traditional and AI-enabled cyberthreats.

Today we’re entering a new era in AI improving security. Machine learning is commonplace in defensive technology today. But to date, AI has primarily been deep inside the tech. Customers benefited from its role in protection, but could not interact with it directly, and that’s changed.

We are moving from a world of task-based AI where it’s good at detecting phishing or password spray to a world of generative AI built on foundation models that upskill defenders everywhere.

TI and AI combine to help defenders go faster than ever before. I’m excited to see what you’ll do with it. Whatever it is, I know that together, we’ll better protect the planet.

Related articles

Defending Ukraine: Early Lessons from the Cyber War

The latest findings in our ongoing threat intelligence efforts in the war between Russia and Ukraine, and a series of conclusions from its first four months reinforces the need for ongoing and new investments in technology, data, and partnerships to support governments, companies, NGOs, and universities.

Three ways to protect yourself from ransomware

Modern ransomware defense requires a lot more than just setting up detection measures. Discover the top three ways you can harden your network’s security against ransomware today.

Learn the ABCs of Threat Hunting

When it comes to cyber security, it helps to be vigilant. Here’s how to hunt, identify, and mitigate new and emerging threats.