Microsoft’s Cyber Signals Highlights Lack of Preparedness on the New Battleground of Digital Identity

MFA and passwordless solutions can go a long way in preventing a variety of threats

February 24, 2022, Hong Kong – As more organizations shift to the cloud, identity is becoming a new battleground which must be prioritized when implementing proactive security protections. While 83 million attacks have been recorded between 26 November and 31 December 2021, only 22% of customers using Microsoft Azure Active Directory (Azure AD) have implemented strong identity authentication protection, according to Cyber Signals, a quarterly cyberthreat intelligence brief informed by Microsoft’s latest threat data and research.

Cybercrime groups are weaponizing credentials and digital identities to infiltrate systems for espionage or profit. The evolving state of cybercrime makes Microsoft’s observation and recent work in this space even more pertinent. In 2021, Microsoft Defender for Endpoint blocked more than 9.6 billion malware threats targeting enterprise and consumer customer devices, while Azure AD intercepted more than 25.6 billion brute force authentication attacks and Microsoft Defender for Office 365 tackled 35.7 billion phishing emails. Microsoft recognized that every cybersecurity initiative delayed works in attackers’ favor, so it is crucial to stay on top of the ever-changing cybersecurity landscape to provide the community with a regular, high-level snapshot of the threats that customers are facing today.

Dangerous mismatch in scale of identity-focused attacks vs. preparedness

Digital identity takes many forms, and it can be simply an email address or different passwords people use to access apps and services online. This is the currency cybercriminals use to penetrate networks, steal credentials, and impersonate employees and consumers in the digital world.

Cyberattacks by threat actors are on the rise. Despite their vast resources, cybercriminals often rely on simple tactics to steal easily guessed passwords and gain fast and easy access to customer accounts. In the case of enterprise attacks, penetrating an organization’s network allows attackers to gain a foothold they can use to move either vertically, across similar users and resources, or horizontally, gaining access to more valuable credentials and resources. Spear-phishing, social engineering attacks, and large-scale password sprays are basic cybercrime tactics used to obtain passwords.

Microsoft has gained insight into attackers’ craft and successes by observing the tactics and techniques they invest in and find success with. If user credentials are poorly managed or left vulnerable without crucial safeguards like multi-factor authentication (MFA) and passwordless features, threat actors will keep using the same basic methods. The need to enforce MFA adoption or go passwordless cannot be overstated, because the simplicity and low cost of identity-focused attacks make them convenient and effective for actors. MFA is not the only identity and access management tool organizations should use, but it can provide a powerful deterrent to attacks.

Organizations need to focus on frequently reviewing, hardening, and monitoring all user accounts, prioritizing executive, administrator and other privileged roles. If hijacked, those accounts become a powerful weapon that attackers can use to gain greater access to networks and resources. Security teams are also advised to apply the principle of least privilege to reduce the risk of compromise.

Threat actors seen working collectively in cybercrime economy

The dominant narrative seems to be that there are massive numbers of novel ransomware threats outstripping defenders’ capabilities and certain ransomware groups are a single monolith. However, Microsoft analysis shows this is incorrect. What exists is a cybercriminal economy where different players in commoditized attack chains make deliberate choices. They are driven by an economic model to maximize profit based on how they each exploit the information they have access to.

Microsoft encourages organizations to strengthen weak security configurations and empower security teams to understand that ransomware thrives on default or compromised credentials and identify how to spot telltale anomalies in time to act. Organizations should also prepare a ransomware response plan and conduct recovery exercises to visualize what full restoration looks like. Protecting and defending customers’ identity is central to Microsoft’s mission. With more than 8,500 Microsoft security experts from across 77 countries, dedicated red and blue teams, 24/7 security operations centres, and thousands of partners across the industry, Microsoft continues to learn and evolve against the constantly changing global threat landscape.

Vasu Jakkal, Corporate Vice President, Security, Compliance and Identity, said, “With increasing numbers of people working remotely and accessing their business apps and data from multiple locations including home offices, coworking spaces, and other remote locations, individuals are realizing the importance of secure authentication. And it’s not just about securing enterprises, it’s our personal data, devices, identities, platforms, and clouds that are also targets. At Microsoft, we believe that security is a team sport and that when we share what we’re learning, we can all make the world a safer place.”

###

About Cyber Signals

Cyber Signals is a cyberthreat intelligence brief informed by the latest Microsoft threat data and research. This content, which will be released quarterly, offers an expert perspective into the current threat landscape, discussing trending tactics, techniques, and strategies used by the world’s most prolific threat actors.

About Microsoft

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.
