From Cybercrime to Cyber Resilience
The contrast between rising cybercrime and the steps required to increase cyber resilience has never been so stark, as evidenced in the just released Microsoft Digital Defense Report 2022.
The state of cybercrime
From the cybercrime angle, Microsoft paints a gloomy picture of profit incentives driving a growing cybercrime ecosystem: from ransomware-as-a-service, through phishing-as-a-service, to denial-of-service-as-a-service (no pun intended), plus many other intermediary services, such as the resale of compromised credentials.
Cybercrime capabilities have been so successfully monetized as easy-to-consume services that the whole ecosystem can be called cybercrime-as-a-service (CaaS).
Ransomware is certainly the most prominent and impactful aspect of the cybercrime business. From a technical standpoint, the main contributing factors to successful attacks are weak identity controls, including missing multifactor authentication (MFA), which makes phishing attacks so much easier.
However, reading between the lines, it's clear that Microsoft also identifies its own legacy Active Directory (AD) product as a key contributor to successful ransomware attacks.
In fact, implementing and maintaining AD security best practices requires expert knowledge which is often inaccessible (or too costly) for many organizations, leaving many opportunities for exploitation. That's why AD is unfortunately still the great attack amplifier.
Successful attacks are in most cases the result of long-running campaigns involving AD identity compromise, which later allows attackers to escalate privileges, reach further systems via lateral movement, and maintain persistence in the network.
Another topic in the report is IoT and OT device security, covering industrial devices now coming online and merging with IT infrastructure, as well as network routers and firewalls. Threat actors are of course increasingly focusing on those, as they typically underpin critical infrastructure. This has caught the attention of many governments across the globe: this year we're seeing a growing global wave of policy initiatives, and Microsoft documents the flurry of regulations coming out of Europe, Australia, the USA and other countries.
The need for consistency and simplicity
Microsoft coyly mentions that this regulatory hyperactivity can produce unintended consequences, including decreased security. To quote Michal Braverman-Blumenstyk, Corporate VP and CTO, Cloud and AI Security: "We are, however, concerned that inconsistent, bespoke, or complex requirements could have unintended effects, including decreasing security in some cases by diverting scarce security resources toward compliance with multiple duplicative certifications". Yes, compliance could turn into a checkbox exercise without adding security value, as has happened so many times in the past.
In many cases, the range of [regulatory] activity across regions, sectors, technologies, and operational risk management areas is being pursued simultaneously, resulting in potential overlap or inconsistency in scope, requirements, and complexity for organizations seeking to leverage guidance or demonstrate compliance.
The path to cyber resilience
Finally, the question of how to improve the state of cyber security, or cyber resiliency: over 80% of security incidents can be traced to a few missing elements that could be addressed through modern security approaches. This is also good news, as it means there is some "low hanging fruit": measures that can be quickly implemented and drastically improve resiliency.
Again, the top issues impacting cyber resiliency are the same ones that plague ransomware victims, and can be boiled down to:
Insecure Active Directory configuration
Legacy authentication protocols and weak identity hygiene (e.g. excessive admin credentials or no privilege isolation)
No MFA or MFA not mandatory for user accounts
Learn more in the Microsoft Digital Defense Report 2022.