![\"Visual](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Incident.png\")
<\/p>\nIn part three of this blog series on aligning security with business objectives and risk, we explored what it takes for security leaders to shift from looking at their mission as purely defending against technical attacks, to one that focuses on protecting valuable business assets, data, and applications.<\/p>\n
As businesses begin reimagining their future in a post-pandemic world, most are pivoting to a digital-first approach to take full advantage of technological innovation (much of which was adopted in haste). The pandemic has accelerated three existing trends and the tension between them: how to remain relevant against a backdrop of consumer and market demands, how to react and respond to evolving cyber threats, and how to do this reliably while reducing complexity and cost.<\/p>\n
Becoming a resilient organization requires collaboration between business and security leaders and a lifecycle approach to continuous improvement.<\/p>\n
<\/p>\n
Figure 1. The cyclical stages of an incident.<\/em><\/p>\n In this blog, we delve deeper into specific themes in recent cyberattack trends\u2014how and why they work so effectively\u2014and strategies to mitigate them.<\/p>\n As we\u2019ve seen from the progression of headline-grabbing attacks over the course of this blog series, today\u2019s attackers have choices. They can remain on-premises and have a better chance of lingering unseen in the complexity of multiple generations of legacy technology, or they can elevate privileges and move to the cloud, where there\u2019s a higher risk of detection. In the most recent nation-state attack, HAFNIUM took the path of least resistance<\/a> and targeted organizations through on-premises Microsoft Exchange Servers<\/a>, leveraging a zero-day exploit to gain backdoor access to data centers. After Microsoft released critical out-of-band updates, attackers were quick to seek out and compromise unpatched servers in a race to take advantage of the situation before those doors were closed.<\/p>\n The Exchange attack illustrates challenges faced by companies in managing a complex hybrid of on-premises and cloud that spans many generations of technology. For many organizations, it can be a costly operation to upgrade systems; so, security teams are often asked to protect both old and new technology at the same time. Organizations need to simplify the management of this complex mix because attackers are always looking for vulnerabilities. The good news is that cloud security is no longer just for cloud resources; it\u2019s extending to cover on-premises resources, up to and including the 50 to 100-year-old operational technology (OT) equipment that\u2019s controlled by computer technology retrofitted 30 to 50 years ago.<\/p>\n Your security team can reduce risk by prioritizing the cloud as the preferred source of security technology. This will simplify adoption, reduce maintenance overhead, ensure the latest innovations and capabilities, and provide unified visibility and control across multiple generations of technology. No longer are we just referring to cloud security, but rather security delivered from the cloud.<\/p>\n Criminal organizations are increasingly relying on cybercrime as a high-reward, low-risk (illicit) line of business. However, it\u2019s the evolution of human-operated ransomware<\/a> that\u2019s now driving the business need to address longstanding security hygiene and maintenance issues. Ransomware\u2019s evolution can be traced to WannaCry<\/a> and NotPetya malware<\/a>, which fused large-scale compromise techniques with an encryption payload that demanded ransom payments in exchange for a decryption key. Sometime around June 2019, the new generation of human-operated ransomware started infecting systems, expanding into an enterprise-scale operation that blends targeted attacks and extortion.<\/p>\n What makes human-operated ransomware so dangerous? Unlike most cyber threats, these are not preprogrammed attacks. Human attackers know the weaknesses in your networks and how to exploit them. Attacks are multistage and opportunistic\u2014they might gain access via remote desktop protocol (RDP) brute force or through banking trojans, then decide which networks are most profitable. Like nation-state attacks, these breaches can have dwell times lasting from minutes to months. Human operators may also deliver other malicious payloads, steal credentials, or exfiltrate data. Some known human-operated ransomware campaigns that Microsoft actively monitors include REvil, Samas, Bitpaymer, and Ryuk.<\/p>\n Figure 2: Human-operated ransomware\u2014attack paths.<\/em><\/p>\n Human-operated ransomware is an extortion model that can use any one of multiple attack vectors. These attacks are often highly damaging and disruptive to an organization because of the combination of:<\/p>\n By denying access to business-critical data and systems across the enterprise, the attackers are more likely to profit, and organizations are more likely to suffer significant or material impact.<\/p>\n In the same way COVID-19 has shifted industry perceptions regarding bring-your-own-device (BYOD) policies and remote work, human-operated ransomware is poised to trigger seismic shifts in cybersecurity. Organizations who fail to prepare for these evolving threats face the prospect of performing mass restores of systems and data or paying the ransom (not recommended).<\/p>\n This is particularly true if they have any of these commonly held (and dangerous) false beliefs:<\/p>\n If your organization is targeted, we strongly discourage paying any ransom, since this will incentivize future attacks. Also, there\u2019s no guarantee that payment will get you the promised decryption key, or even that the attackers won\u2019t sell your data on the dark web anyway. For a specific plan of how to address ransomware, see our downloadable Ransomware recommendations PowerPoint<\/a>.<\/strong><\/p>\n On the upside, having a business continuity and disaster recovery<\/a> (BCDR) solution can provide a crucial safety net. Datto\u2019s Global Ransomware Report 2020<\/a> indicates that three-out-of-four managed service providers (MSPs) report that clients with BCDR solutions recovered from a ransomware attack within 24 hours. However, just having a BCDR plan is not enough; you need an immutable backup that cannot be corrupted or deleted as attackers try to corrupt these backups.<\/p>\n This control needs to be implemented effectively across all generations of technology, including on-premises and in the cloud. Information protection<\/a> and file encryption can also make data unreadable, even if exfiltrated.<\/p>\n Many data leaks can be attributed to accidents by insiders, but the risk posed by deliberate internal threats is on the rise as well\u201468 percent of organizations<\/a> feel \u201cmoderately to extremely vulnerable\u201d to all kinds of insider attacks. The same percentage confirms that insider attacks are becoming more frequent. Anyone who has access to an organization\u2019s confidential data, IT, or network resources is a potential risk, whether they intend to do harm or not. This could include employees, consultants, vendors, former employees, business partners, or even a board member.<\/p>\n Recent examples include a former Amazon finance manager<\/a> charged in a $1.4 million insider trading scheme, a Shopify data breach<\/a> carried out by two employees, and an insider attack at Stradis Healthcare<\/a> carried out by the former vice president of finance that \u201cdisrupted the delivery of personal protective equipment in the middle of a global pandemic.\u201d Deliberate insider threats straddle both the physical and digital workspace, but organizations can protect themselves by looking for signs, including:<\/p>\n Digital warning signs<\/strong><\/p>\n Behavioral warning signs<\/strong><\/p>\n The key to preventing insider threats is to detect a violation before it happens. This means being empathetic to your organization\u2019s changing environment and managing potential stressors that could lead to aberrant behavior. Being cognizant of employee wellbeing is not only in the best interests of your staff, it also drastically reduces the occurrence of insider threats for your organization. Microsoft invests in mitigating both accidental and deliberate insider threats with insider risk management<\/a>, policy tips<\/a>, and more.<\/p>\n As the dust settles after the double-impact of the Nobelium<\/a> and Hafnium attacks, we\u2019re returning to a \u201cnormal baseline\u201d of steadily increasing impact, volume, and sophistication of attacks. This lack of relief hits security professionals hardest, particularly analysts in security operations responding to these incidents.<\/p>\n The talented security professionals who silently bear the burden of attackers\u2019 profit models often experience a high likelihood of burnout. According to PsyberResilience<\/a>, the list of reasons for burnout among security professionals is long: fear of letting the organization down by missing that one threat amongst thousands every day; exhausting work schedules; fatigue from trying to keep up with new threats and technologies; the emotional toll of facing down criminals and witnessing their lack of morality.<\/p>\n Security teams need real help, and they need to feel supported and connected to the mission. Here are a few tips that can go a long way:<\/p>\n Using machine learning and automation has proven to be an incredible tool for defenders to detect and respond to threats faster. However, attackers also have access to similar technology and are leveraging this to their advantage. In another example of the cyber and physical worlds coming together, cybercriminals were able to create a near-perfect impersonation of a chief executive\u2019s voice using deepfake technology<\/a>\u2014tricking the company into transferring $243,000<\/a> to their bank account. Attackers combined machine learning and AI with social engineering to convince people to move the money.<\/p>\n While still rare, AI and machine learning attacks like this are becoming more common<\/a>. Attackers can make deepfake using public recordings of their target from earnings calls, interviews, and speeches, mimicking their mannerisms and using the technology as a kind of mask. Despite the advanced technology required for one of these attacks, the defense may be refreshingly straightforward and non-technical\u2014if in doubt, call the person back. Using a secondary authentication for high-value transactions can also provide an additional secure step in the approval process, making it difficult for attackers to anticipate and fake out all of the channels at once.<\/p>\n With the use of AI and machine learning becoming more prolific in the defender\u2019s kit bag, cybercriminals have also taken to attacking and poisoning the algorithms that are used to detect anomalies; often flooding the algorithm with data to skew results or generate false positives. In short, the human intelligence layer remains critical to providing contextual awareness and understanding of new cyber threats, helping to decipher the evolving tactics and techniques designed to evade detection.<\/p>\n The next post in this series will focus on how your organization can pull all these concepts together into a security strategy that integrates with your business priorities, risk frameworks, and processes.<\/p>\n If you want to read ahead, you can check out the secure methodology<\/a> in the cloud adoption framework.<\/p>\n Read the previous blogs in this series:<\/p>\n To learn more about Microsoft Security solutions, visit our website<\/a>. Bookmark the Security blog<\/a> to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity<\/a> for the latest news and updates on cybersecurity.<\/p>\nOn-premises vs. cloud security<\/h2>\n
Ransomware<\/h2>\n
![\"Attack](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/attack-paths.png\")
<\/p>\n\n
\n
Insider threats<\/h2>\n
\n
\n
Overcoming analyst fatigue<\/h2>\n
\n
Augmented intelligence and deepfakes<\/h2>\n
Stay tuned<\/h2>\n
Learn more<\/h2>\n