Recently, we published the Microsoft Digital Defense Report (MDDR) 2024. This marks the fifth year of the report, which aims to address the evolving cyber threat landscape and provide insights to enhance security. The MDDR offers an overview of key cybersecurity trends, informed by Microsoft’s extensive experience and vast data collection. It also includes actionable insights and recommendations to help organizations protect themselves against cyber threats.
The entire report spans over 100 pages and requires several hours to read. I understand that not everyone has the time to go through it in detail, so I have summarized the content for you. Here you will find five key recommendations for organizations and, further below, a summary of the whole report by chapter.
- Executing basic cyber hygiene: “Keeping your house clean” by ensuring there are no unsecured or unpatched systems, no outdated configurations, and no unused or weakly protected accounts. Hygiene is an ongoing process that needs clear owners and responsibilities, with the processes executed regularly.
- Protecting the identities: Implementing strong identity protection measures is crucial. This includes using multi-factor authentication (MFA), ensuring that users have the least privilege necessary, and continuously evaluating access. User awareness training has a big impact on securing identities.
- Protecting the devices: Ensuring that all devices are secure by keeping them updated with the latest patches and configurations. This also involves managing and monitoring devices to detect and respond to threats promptly.
- Knowing the critical assets and protecting them: Identifying critical assets within the organization and implementing robust protection measures for these assets. This includes understanding the potential attack paths and managing them.
- Being prepared for a cyber incident: Developing and maintaining incident response plans, conducting regular tabletop exercises, and ensuring that the organization is prepared to respond to cyber incidents.
The report is organized into three chapters. The first chapter provides an overview of the global cyber threat landscape, the second outlines how organizations can enhance their security measures, and the third focuses on the impact of AI on cybersecurity. Below you will find my summary of these chapters.
Chapter 1 - How the cyber landscape is evolving
- Nation state threats: Russia, China, North Korea, Iran. Most of the globally observed cyberthreats have their roots in nation state threat actors (e.g. techniques later reused by cybercriminals).
- Most targeted sectors: IT, Education & Research, Government
- OT Security: Operational technology systems are at risk as they are often poorly secured, internet-exposed, and control critical processes. Balancing availability against security is difficult.
- Geopolitical cyber influence: Election interference is seen in multiple countries (e.g. US).
- Ransomware: Remains one of the most serious cybersecurity concerns. The number of ransomware-linked attacks is increasing, but the percentage of organizations that end up ransomed is decreasing. The most common entry strategy is social engineering, and 92% of successful attacks were performed on unmanaged devices. These facts support the recommendation to allow access to enterprise resources only from managed devices and applications.
- Fraud: Incidents of fraud are increasing globally in both volume and sophistication, ranging from financial fraud and phishing (e.g. QR code phishing) to business email compromise (e.g. inbox rule manipulation) and impersonation (e.g. deep fakes).
- Identities and social engineering: Identities are crucial for accessing resources and therefore a well-known target for cyber criminals. 99% of identity attacks today are still password attacks, which can be prevented with MFA (e.g. phishing-resistant MFA with passkeys). Proper and continuous governance of existing identities (e.g. a current inventory of active/inactive accounts and of accounts with elevated rights) is recommended. User awareness and training are important factors in protecting identities.
- Distributed denial of service (DDoS) attacks: A rise in DDoS attacks (on networks and applications) is observed; they disrupt or disable websites and online services by overwhelming them with traffic from multiple sources. Prevention measures are to minimize the exposure of applications to the public internet and to put DDoS protection in place.
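The ransomware and identity bullets above come down to checks an organization can actually run against its own inventory: which enabled accounts have gone idle, which privileged accounts lack phishing-resistant MFA, which accounts still rely on a password alone, and which successful sign-ins came from unmanaged devices (i.e. what a "managed devices only" access policy would have stopped). The following script is an added example, not code from the report or from Microsoft; the account inventory, the sign-in log, the field names and the set of methods treated as phishing-resistant are all constructed assumptions.

```python
"""Identity hygiene checks over a constructed account inventory and sign-in log.

Added example. The records below are constructed and the field names are
assumptions, not the export format of any particular product.
"""
from datetime import datetime, timedelta, timezone

# Assumption: passkeys/FIDO2 and certificate-based auth count as phishing-resistant;
# SMS codes and push approvals do not.
PHISHING_RESISTANT = {"passkey", "fido2", "certificate"}

# Constructed account inventory (not real data).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_sign_in": "2024-10-01",
     "roles": ["Global Administrator"], "mfa": ["passkey"]},
    {"user": "bob", "enabled": True, "last_sign_in": "2024-09-28",
     "roles": ["Exchange Administrator"], "mfa": ["sms"]},
    {"user": "carol", "enabled": True, "last_sign_in": "2024-03-15",
     "roles": [], "mfa": []},
    {"user": "svc-backup", "enabled": True, "last_sign_in": "2024-09-30",
     "roles": ["Backup Operator"], "mfa": []},
    {"user": "dave", "enabled": False, "last_sign_in": "2023-11-02",
     "roles": ["Global Administrator"], "mfa": ["authenticator"]},
]

# Constructed sign-in events (not real data).
SIGNINS = [
    {"user": "alice", "app": "SharePoint", "device_managed": True, "success": True},
    {"user": "bob", "app": "Exchange Online", "device_managed": False, "success": True},
    {"user": "carol", "app": "SharePoint", "device_managed": False, "success": False},
    {"user": "svc-backup", "app": "Azure Portal", "device_managed": False, "success": True},
]

# Fixed "now" so the example is reproducible.
NOW = datetime(2024, 10, 15, tzinfo=timezone.utc)


def _parse(day):
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def stale_accounts(accounts, now=NOW, max_idle_days=90):
    """Enabled accounts with no sign-in inside the idle window: candidates to disable."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and _parse(a["last_sign_in"]) < cutoff)


def privileged_without_strong_mfa(accounts):
    """Enabled accounts holding an elevated role but no phishing-resistant method."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["roles"]
                  and not PHISHING_RESISTANT.intersection(a["mfa"]))


def password_only_accounts(accounts):
    """Enabled accounts with no second factor at all: exposed to plain password attacks."""
    return sorted(a["user"] for a in accounts if a["enabled"] and not a["mfa"])


def unmanaged_device_access(signins):
    """Successful sign-ins from unmanaged devices, i.e. the sessions a
    'require managed device' access policy would have blocked."""
    return [(s["user"], s["app"]) for s in signins
            if s["success"] and not s["device_managed"]]


def hygiene_report(accounts=ACCOUNTS, signins=SIGNINS, now=NOW):
    """Run all checks and return the findings keyed by check name."""
    return {
        "stale": stale_accounts(accounts, now),
        "privileged_weak_mfa": privileged_without_strong_mfa(accounts),
        "password_only": password_only_accounts(accounts),
        "unmanaged_access": unmanaged_device_access(signins),
    }


if __name__ == "__main__":
    for finding, items in hygiene_report().items():
        print(f"{finding}: {items}")
```

Each check returns the accounts or sessions that need an owner to act (disable, enforce a passkey, enrol the device), which is the "clear owners who execute the processes regularly" part of the hygiene recommendation. Disabled accounts are deliberately excluded from the stale and MFA checks so that the report lists only what is still exploitable.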
Chapter 2 - How organizations can improve their security
- Technical debt: Most organizations have security-relevant gaps such as unpatched systems, outdated configurations, or over-permissioned accounts. These are popular and easy targets for attackers. Resolving and cleaning up these factors improves the security posture.
- Microsoft Secure Future Initiative: Microsoft’s multiyear initiative to evolve the way we design, build, test, operate our products and services to achieve the highest possible standards for security. Other organizations can benefit from the experience and knowhow that is publicly shared.
- Data security: Requires inventorying data stores, identifying sensitive data, labelling, and protecting them. Preparing for secure and compliant Gen AI use cases.
- Attacker mindset: Approaching the threat with the mindset of the attacker (thinking in graphs instead of lists) helps to protect and intervene at the right place. This means knowing the critical assets (“crown jewels”) to protect, the ways attackers can get to them (attack path management), and improving the overall view with a single pane of glass (XDR and SIEM).
- Security culture: Making clear that security is everyone’s role in the organization. Focusing the governance efforts on accountability, teamwork, and shared responsibility. Leaders should support mechanisms that incorporate and include security into business decisions and ensure security education for all employees and roles.
- Incident response: Being prepared for a cyber incident the way you are prepared for a fire emergency. Preparation, communication, and execution are key and need to be prepared upfront. Established playbooks give clear guidance on what to do, who does it, and when, in case of a cyber emergency. Training in the form of tabletop exercises is important in order to be more efficient in the real case.
- Cyber resilience: An organization’s resilience maturity can be determined based on four pillars (Operational, Tactical, Readiness, Strategic). The more advanced an organization is, the easier a recovery from a cyber incident will be.
- Partnerships: To allow the “Digital transformation of defence” and strengthen the overall cyber security posture, we need deeper partnerships between industry and governments (e.g. RAISE).
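"Thinking in graphs instead of lists" from the attacker-mindset bullet is easiest to see on a small graph. The script below is an added example and not code from the report or from Microsoft; the hosts, users, groups and relationship types are constructed assumptions. It answers two defender questions about a crown-jewel asset: which principals currently have a control path to it, and which single relationship can be removed to cut the most unintended paths without breaking the intended administrators' access. In the constructed graph the answer is the privileged user's session on a helpdesk-managed workstation, which is the classic tiering violation an attack path review is meant to surface.

```python
"""Attack path analysis over a constructed identity/asset graph.

Added example. Every edge means "control of the source gives control of the
target", e.g. a host "HasSession" a user when that user's credentials are
exposed on the host. The graph is constructed, not real.
"""
from collections import defaultdict

# Directed control edges: (source, relationship, target). Constructed.
EDGES = [
    ("user:helpdesk1", "MemberOf", "group:Helpdesk"),
    ("group:Helpdesk", "AdminTo", "host:WS-042"),
    ("host:WS-042", "HasSession", "user:fin-admin"),   # privileged session on a helpdesk box
    ("user:fin-admin", "MemberOf", "group:Finance-Admins"),
    ("group:Finance-Admins", "AdminTo", "host:FS-Finance"),
    ("user:contractor", "AdminTo", "host:WS-042"),
    ("user:analyst", "MemberOf", "group:Finance-Readers"),
    ("group:Finance-Readers", "CanRead", "host:FS-Finance"),
]
CROWN_JEWEL = "host:FS-Finance"

# Assumption: these relationship types confer control; CanRead is access, not escalation.
CONTROL = {"MemberOf", "AdminTo", "HasSession"}


def build_graph(edges, allowed=CONTROL):
    """Adjacency list restricted to control edges."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        if rel in allowed:
            adj[src].append(dst)
    return adj


def reachable(adj, start):
    """Every node controllable from start (iterative depth-first search)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def principals(edges):
    """User accounts appearing in the graph."""
    return sorted({n for s, _, d in edges for n in (s, d) if n.startswith("user:")})


def exposure(edges, target=CROWN_JEWEL, users=None):
    """Principals with a control path to the target."""
    adj = build_graph(edges)
    users = principals(edges) if users is None else users
    return sorted(u for u in users if target in reachable(adj, u))


def best_intervention(edges, intended, target=CROWN_JEWEL):
    """Control edge whose removal cuts the most unintended principals from the
    target while every intended principal keeps a path. Returns (edge, cut)."""
    users = principals(edges)
    baseline = set(exposure(edges, target, users))
    best, best_cut = None, 0
    for edge in edges:
        if edge[1] not in CONTROL:
            continue
        remaining = set(exposure([e for e in edges if e != edge], target, users))
        if not set(intended) <= remaining:      # would break legitimate admins
            continue
        cut = len(baseline - remaining)
        if cut > best_cut:
            best, best_cut = edge, cut
    return best, best_cut


if __name__ == "__main__":
    print("can control", CROWN_JEWEL, ":", exposure(EDGES))
    print("best single fix:", best_intervention(EDGES, intended=["user:fin-admin"]))
```

A list view of the same environment ("helpdesk has admin on workstations", "finance admins have admin on the file server") would show nothing wrong; only the graph reveals that the helpdesk group and an external contractor can reach the finance file server through the exposed session. The intervention search also shows why the obvious fix (removing the finance admin's own group membership) is the wrong one: it would cut every path, including the legitimate one.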
Chapter 3 - How AI is impacting cybersecurity
- Impact of AI on cybersecurity: Cybersecurity is an infinite game that has no winner and no end. AI will be used by both sides, by attackers and by defenders.
- AI used by attackers: With the adoption of AI, the scale and sophistication of attacks are changing rapidly, and AI will be used as a force multiplier (e.g. automated fraud, deep fake impersonation, no mistakes in messages, faster/easier passive reconnaissance).
- AI used by defenders: AI-driven threat analysis will help defenders understand their threat landscape and security incidents faster and with fewer resources. AI can help to optimize and scale resources, make detection of cyber-attacks easier, automate response (e.g. automatic attack disruption), and upskill and speed up SOC teams (e.g. Security Copilot).
- Gen AI systems: Difference between predictive AI (good in analysing large fields of data, classifying, predicting, and recommending) and generative AI (good at summarizing or analysing natural language data and role-playing characters). Gen AI can be understood as a different technology, one where general-purpose models are shared with millions of users and have no special data access. Future generative AI systems are likely to add capabilities like memory / learning, more autonomy, reaction to events and user inputs.
- Government approaches to AI security: Governments worldwide have recognized that AI offers both benefits and risks for society. They pursue AI regulatory approaches to balance those benefits and risks. Initiatives are ongoing at national and regional levels (US, Europe), and work on international standards for AI security is ongoing (e.g. NIST Risk Management Framework, ISO/IEC 27090).
If you are interested in knowing more, you can find the full report here: Microsoft Digital Defense Report 2024, including good visualizations and helpful links for further information.
C-Suite Strategy Leader | Cloud and AI Enabler | Tech for Sustainability
4 months: Very insightful and crisp, thanks for penning down such a complex topic in such an easy to understand manner. Love it!
Principal Cyber Security System Architect @ Swisscom
4 months: Insightful