10 essential insights from the Microsoft Digital Defense Report 2023

Each year, Microsoft releases the Microsoft Digital Defense Report, a comprehensive examination of the global threat landscape and the biggest trends in cybersecurity. Cyberthreats continue to grow in sophistication, speed, and scale, compromising an ever-growing pool of services, devices, and users. We believe that AI can help level the playing field, but security teams must have all of the insights and resources necessary to utilize the full promise of this technology.

The Microsoft Digital Defense Report 2023 is based on insights from 65 trillion daily signals synthesized by more than 10,000 security and threat intelligence experts across 135 million managed devices and over 15,000 security partners. Using this data, Microsoft tracked over 300 threat actors in 2023 and blocked over 4,000 identity attacks per second.

Here are 10 key learnings:

  1. Basic security hygiene still protects against 99% of attacks: While cyberattacks continue to increase in sophistication, the vast majority can be thwarted by implementing a few fundamental security hygiene practices. These include enabling multifactor authentication (MFA), applying Zero Trust principles, using extended detection and response (XDR) and anti-malware, keeping your devices and software up to date, and taking steps to protect sensitive data.

Security teams can leverage a hyper-scale cloud for easier implementation by either enabling these measures by default or abstracting the need for customers to implement them.

  2. Human-operated ransomware attacks are on the rise: According to Microsoft’s telemetry, human-operated ransomware attacks have increased by more than 200% since September 2022. Among the 123 ransomware-as-a-service (RaaS) affiliates that Microsoft tracks, 60% of attacks used remote encryption, and 70% were directed against organizations with fewer than 500 employees.

There are five foundational principles that every organization should implement to defend against ransomware across identity, data, and endpoints. These include leveraging modern authentication with phish-resistant credentials; applying Least Privileged Access to the entire technology stack; creating threat- and risk-free environments; implementing posture management for compliance and the health of devices, services, and assets; and using automatic cloud backup and file-syncing for user and business-critical data.

  3. Password-based attacks spiked to a 10x increase: Microsoft Entra data has revealed a more than tenfold increase in attempted password attacks from April 2022 to April 2023. One of the main reasons these attacks are so prevalent is a low security posture. Many organizations have not enabled MFA for their users, leaving them vulnerable to phishing, credential stuffing, and brute force attacks. Security teams can protect against password attacks by using non-phishable credentials such as Windows Hello for Business or FIDO keys.
  4. Business Email Compromise (BEC) is at an all-time high: The Microsoft Digital Crimes Unit has observed 156,000 daily BEC attempts from April 2022 to April 2023. These attacks are growing more sophisticated and more costly as threat actors adapt their social engineering techniques and use of technology.

We believe that increased intelligence sharing between the private and public sectors could help counter this trend by enabling a faster and more impactful collective response. The Microsoft Digital Crimes Unit has taken a proactive stance by actively tracking and monitoring 14 DDoS-for-hire sites, including one situated in the dark web, as part of its commitment to identifying potential cyber threats and remaining ahead of cybercriminals.

  5. Nation-state actors have expanded their global target set: Nation-state actors are increasingly targeting critical infrastructure, education, and policymaking organizations as part of a broader information-gathering operation. This trend is in line with many groups’ geopolitical and espionage-focused goals. To detect possible espionage-related breaches, organizations should continuously monitor for suspicious or unauthorized changes to mailboxes and permissions.

As part of our effort to better track nation-state groups, Microsoft has launched a new threat actor naming taxonomy. This taxonomy will bring better clarity to customers and security researchers with a more organized and easy-to-use reference system for threat actors.
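The mailbox-monitoring recommendation above can be turned into a simple detection. The following is an added example, not part of the report: it scans constructed records shaped like simplified Microsoft 365 unified audit log entries and flags full-access delegation, external forwarding, and silent deletion rules. The record layout and the tenant domain `contoso.example` are assumptions; the operation and parameter names are real Exchange Online cmdlet names that appear in audit logs.

```python
from typing import Iterable, Optional

# Exchange Online operations that change who can read, or who receives, a mailbox's mail.
WATCHED_OPERATIONS = {"Add-MailboxPermission", "Add-MailboxFolderPermission",
                      "New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Rule/mailbox parameters that divert mail away from the owner's view.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
INTERNAL_DOMAINS = {"contoso.example"}  # constructed tenant domain (assumption)

def params(record: dict) -> dict:
    # Flatten the audit record's [{Name, Value}, ...] parameter list into a dict.
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def classify(record: dict) -> Optional[str]:
    """Return a finding for a suspicious mailbox change, or None if it looks benign."""
    op = record.get("Operation")
    if op not in WATCHED_OPERATIONS:
        return None
    p, mailbox = params(record), record.get("ObjectId", "?")
    if op in ("Add-MailboxPermission", "Add-MailboxFolderPermission"):
        rights = p.get("AccessRights", "")
        # Full mailbox (or folder Owner) access delegated to an account other than the actor.
        if ("FullAccess" in rights or "Owner" in rights) and p.get("User") != record.get("UserId"):
            return f"delegated {rights} on {mailbox} to {p.get('User')}"
    for name in sorted(FORWARDING_PARAMS.intersection(p)):
        if is_external(p[name]):
            return f"{op} forwards {mailbox} externally to {p[name]}"
    if str(p.get("DeleteMessage", "")).lower() == "true":
        return f"{op} silently deletes mail on {mailbox}"
    return None

def findings(records: Iterable[dict]) -> list:
    return [f for r in records if (f := classify(r))]

# Constructed records shaped like simplified unified audit log entries (not real tenant data).
SAMPLE_RECORDS = [
    {"Operation": "Set-InboxRule", "UserId": "alice@contoso.example", "ObjectId": "alice@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "archive@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example", "ObjectId": "bob@contoso.example",
     "Parameters": [{"Name": "User", "Value": "temp-helpdesk@contoso.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@contoso.example", "ObjectId": "carol@contoso.example",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Receipts"}]},
    {"Operation": "MailItemsAccessed", "UserId": "dave@contoso.example", "ObjectId": "dave@contoso.example"},
]
```

Running `findings(SAMPLE_RECORDS)` yields two findings (the external forwarding rule and the FullAccess delegation) and ignores the benign folder-move rule and the unrelated operation.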

  6. Nation-state actors are combining influence operations and cyberattacks: In further nation-state news, threat groups are more frequently employing influence operations alongside cyber operations to spread favored propaganda narratives, stoke social tensions, and amplify doubt and confusion. These operations are often carried out in the context of armed conflicts and national elections. For example, Russian state actors expanded their scope of activity in 2023 to stretch beyond Ukraine and target Kyiv’s allies, primarily NATO members.

Additionally, while AI-generated profile pictures have long been a feature of state-sponsored influence operations, we expect to see increased use of more sophisticated AI tools to create striking multimedia content.

  7. IoT/OT devices are at risk: These devices are incredibly difficult to defend, making them an attractive target for adversaries. Today, 25% of OT devices on customer networks use unsupported operating systems, making them more susceptible to cyberattacks due to a lack of essential updates and protection against evolving cyberthreats.

Additionally, of the 78% of IoT devices with known vulnerabilities on customer networks, 46% cannot be patched. Security teams must implement robust OT patch management systems if they hope to address this critical exposure. Network monitoring in OT environments is also an effective strategy to help detect malicious activity.

  8. AI and large language models (LLMs) have the potential to transform cybersecurity: AI can enhance cybersecurity by automating and augmenting cybersecurity tasks, thus enabling defenders to detect hidden patterns and behaviors.

For example, LLMs can be used to inform threat intelligence; incident response and recovery; monitoring and detection; testing and validation; education; and security, governance, risk, and compliance. Microsoft has explored using LLMs for developing intelligent reports, informing chatbots for developer support, standing up a natural language interface with security data, and augmenting cloud data center security.

Microsoft’s AI Red Team of interdisciplinary experts is helping build a future of safer AI by emulating the tactics, techniques, and procedures (TTP) of real-world adversaries. This allows us to identify risks, uncover blind spots, validate assumptions, and improve the overall security posture of AI systems.

  9. Public-private collaboration is critical: As threat actors grow savvier and cyberthreats evolve, public-private collaboration will be essential in improving collective knowledge, driving resilience, and informing mitigation guidance across the security ecosystem. This year, Microsoft, Fortra LLC, and Health-ISAC worked together to reduce cybercriminal infrastructure for the illicit use of Cobalt Strike by 50% in the United States.

Another real-life collaboration example is the global Cybercrime Atlas, a diverse community of more than 40 private and public sector members that works to centralize knowledge sharing, collaboration, and research on cybercrime. Their goal is to disrupt cybercriminals by providing intelligence that facilitates actions by law enforcement and the private sector, leading to arrests and the dismantling of criminal infrastructures.

  10. The future needs more cybersecurity professionals: Ultimately, all of these trends necessitate a fully equipped network of sufficiently funded, sufficiently trained cybersecurity professionals. The ongoing shortage of these professionals can only be addressed through strategic partnerships between educational institutions, nonprofit organizations, governments, and businesses. AI can also help relieve some of this burden, but AI skills development must be a top priority for company training strategies.

The Microsoft AI Skills Initiative includes new, free coursework developed in collaboration with LinkedIn that enables workers to learn introductory AI concepts, including responsible AI frameworks, and receive a Career Essentials certificate upon completion.

Want to learn more about the latest global cyberthreat trends and advancements in cybersecurity? Download the Microsoft Digital Defense Report 2023 and check out Microsoft Security Insider.
