Practical Protection: Practical Guidance from the Microsoft Digital Defense Report

Our Favorite Holiday

One of my favorite October holidays isn’t a real holiday. No, I’m not talking about Columbus Day. I’m talking about the annual release of Microsoft’s Digital Defense Report (MDDR), which falls around this time. You can think of the MDDR as a snapshot of the security incidents and trends that Microsoft has encountered during the preceding fiscal year. Because Microsoft’s fiscal year begins July 1, this edition of the MDDR covers the period from July 2022 to June 2023—a period that has certainly had its share of interesting attacks.

Where the Data Comes From

Microsoft is in a fairly unique position. Many reports similar to the MDDR come from companies who specialize in security services or products, or who offer threat intelligence data to their customers. Microsoft does all that, but they also operate one of the largest sets of public cloud services. When you include Azure, Entra ID, Microsoft 365, Dynamics 365, Xbox, and their various other cloud services, they see a mind-boggling number of security-related signals across all their estate (65 trillion signals is the number they cite, which certainly seems plausible). The MDDR reflects data from all of these services, plus telemetry gathered from their Defender family of services, plus data they gather as part of investigating and remediating incidents for themselves and their customers, plus data they collect as part of investigating and fixing vulnerabilities in their software and services. That gives them a panoramic and high-resolution view of the security landscape.

A Few Highlights, By The Numbers

Microsoft highlighted a few numbers on the download page for the MDDR:

• They block more than 4,000 identity authentication threats per second
• They track more than 300 unique threat actors, including 160 nation-state actors
• Across Microsoft’s services, there are more than 135 million managed devices providing security telemetry for their consumption

While these are interesting, I picked out a few other numbers that I think are worth discussing.

1. Between 80 and 90% of successful ransomware attacks originate through unmanaged devices. I wouldn’t say that this percentage is a surprise, but it is a bit of a shock to see such a large percentage. This number is a direct indictment of how lax bring-your-own-device (BYOD) security policies are in far too many places, not to mention a clear sign that endpoint detection and response is lagging behind the threat level in lots of organizations.
2. 17% of successful intrusions involved the use of remote monitoring and management tools. This genuinely surprised me. If you’re using remote management or access tools, you may be opening yourself to avenues of attack that you haven’t planned to mitigate.
3. In three months (April-June 2023), Microsoft notified customers of 10,000 passwords entered into malicious sites. That is, they detected about 111 cases per day where a user was successfully phished and entered their M365 credentials into a malicious site. That raises the question of how many successful phishes Microsoft couldn’t catch because the credentials went to a site they had not yet flagged as malicious. I was a little surprised to see Microsoft’s data claiming that only about 11% of users who got phishing messages from Defender attack simulations reported them, but it’s heartening to see that 89% of the users in those simulations didn’t click links or open attachments.
4. The top-line number of 4,000 password attacks blocked per second is super interesting, but perhaps more interesting is the fact that password attacks increased by more than 10x year-over-year, from around 3 billion to more than 30 billion per month. They didn’t speculate about any specific reason for the increase, but it’s still a bit shocking.
5. Italy, South Africa, Romania, Ireland, and India are the only countries that have more than 20% of cybersecurity professionals who identify as female. Given the acute shortage of skilled cybersecurity people around the world, it would seem like a really good idea to increase training and recruiting opportunities to address that gap.

Leaving aside the numbers, the chapter on nation-state attackers is both fascinating and infuriating. The data on exactly who’s doing the attacking, and who the targets are, is not exactly surprising, but it starkly illustrates the importance of defensive cybersecurity for every organization—and it raises the question: if Microsoft is sharing this much data publicly, how much nonpublic data exists amongst the free world’s intelligence agencies showing specifics of attackers and targets, and how is that data being used to drive investment and policy decisions?

Four Things You Should Probably Be Doing

If you read the entire MDDR (and you should), you might feel the completely understandable urge to go live in the forest, far away from any digital devices or services. It’s probably more productive, though, to focus on specific things that you can do.

1. Microsoft says “adding to their cost via security hardening is key in disrupting the cybercriminal economy.” This may sound self-serving (after all, that hardening may require you to buy stuff from Microsoft), but it’s also true. Your takeaway: you should continually be evaluating the cost to increase your hardening against intrusion against the expected benefit (in the form of reduced recovery costs and potential downtime). When we finally learn the full truth about the MGM cyberattacks from earlier in summer 2023, I suspect we will find that MGM didn’t calculate the cost-benefit balance very well. Do better.
2. The section (starting on p41) titled “Return on Mitigation” highlights some things you can do that have a high-security value relative to their implementation cost. More interestingly, the tables in this section highlight the percentage of customers who didn’t have that specific mitigation in place when Microsoft showed up to help them with incident response. For example, 60% of the customers who engaged Microsoft had “insufficient protection for local accounts”—something that the free Windows LAPS toolset can help fix.  Other popular things to fix: enable context-based MFA, harden your on-premises Active Directory configuration, and do a better job with patch management and distribution. 
3. Make sure you’re using MFA on your VPN accounts, too. Nearly half of VPN-capable accounts in Microsoft’s data set weren’t configured to use MFA. This is simple to fix and will help immediately improve your network’s resistance to attack.
4. Scan through the MDDR and read, carefully, each list labeled “actionable insights.” Not every one of these actions will make sense for you—but some, such as the recommendation to remove or restrict PowerShell from systems that don’t need it, are excellent advice indeed.

Of course, the MDDR highlights the areas that Microsoft wants to focus on—including responsible AI and the importance of legislative and regulatory support for cybersecurity. You can quibble with some of the non-technical aspects of the report, and you can wonder why they chose to highlight the items they did. All those quibbles notwithstanding, though, the MDDR is extremely valuable as a source of information and insight, and as a playbook for things you should consider doing, and you would be wise to read it carefully and seek to apply what you learn from it in your own network.