Understanding Device and Infrastructure Attacks: Exploring the Microsoft Digital Defense Report 2022

The Microsoft Digital Defense Report explores the most pressing cyber threats as they relate to cybercrime, nation-state threats, devices and infrastructure, cyber-influence operations, and cyber resiliency. Based on intelligence from 43 trillion security signals daily, this report offers insight and guidance on how organizations can help strengthen their cyber defenses.

In this post, we will take a deeper look at section two of the report. Keep reading for our findings, and download the full Microsoft Digital Defense Report for even more insights.

Digital transformation can lead to increased attack surfaces—and greater risk

According to a survey conducted by Microsoft and Ponemon, 68% of CISOs believe that adopting IoT/OT is critical to their strategic digital transformation. And yet, 60% of those same respondents recognize that IoT/OT security is one of the least secured aspects of their infrastructure. This is a major threat given that rapidly increasing IoT creates an expanded entry point and attack surface for attackers.

Accelerating digital transformation has increased the cybersecurity risk to critical infrastructure and cyber-physical systems. As organizations harness advances in computing capability and entities digitize to thrive, the attack surface of the digital world is exponentially increasing. By 2025, the International Data Corporation (IDC) estimates there will be 41.6 billion connected IoT devices—a growth rate higher than traditional IT equipment. And although security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace.  Threat actors are exploiting these devices. Microsoft identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks.

The rapid adoption of IoT solutions has also increased the number of attack vectors and the exposure risk of organizations. This migration has outpaced most organizations’ ability to keep up as malware as a service has moved into large-scale operations against civil infrastructure and corporate networks. Seventy-two percent of the software exploits utilized by Incontroller—a novel set of state-sponsored, industrial control system (ICS) oriented cyberattack tools—are now available online.

So, what are organizations doing about it?

How organizations can respond

We have observed increased threats exploiting devices in every part of the organization, from traditional IT equipment to operational technology (OT) controllers or simple IoT sensors. We have seen attacks on power grids, ransomware attacks disrupting OT operations, and IoT routers being leveraged for increased persistence. At the same time, there has been increased targeting of vulnerabilities in firmware—software embedded in a device’s hardware or circuit board—to launch devastating attacks. Of the firmware images analyzed, 32% contained at least 10 known critical vulnerabilities.

To counter these and other threats, governments worldwide are developing and evolving policies to manage critical infrastructure cybersecurity risk. Many are also enacting policies to improve IoT and OT device security. The growing global wave of policy initiatives is creating enormous opportunity to enhance cybersecurity. However, it also poses challenges to stakeholders across the ecosystem.

As policy activity across regions, sectors, technologies, and operational risk management areas is pursued simultaneously, there is the potential for overlap and inconsistency in scope, requirements, and complexity of requirements. Public and private sector organizations need to seize the opportunity to enhance cybersecurity with additional engagement and efforts toward consistency. For example, IoT/OT-aware network detection and response (NDR) solutions and security information and event management (SIEM)/security orchestration and response (SOAR) solutions can provide deeper visibility into the IoT/OT devices on your network—enabling you to monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar hosts.

There are also some overarching protections that organizations can implement. Security teams should ensure that all employee devices are robust by applying patches and changing default passwords and ports. We’d also recommend segmenting your networks to limit an attacker’s ability to move laterally and compromise assets after initial intrusion. Organizations can reduce their attack surface by eliminating unnecessary internet connections and open ports, restricting remote access by blocking ports, denying remote access, and using VPN services. Finally, assume your OT and IT are converged and build Zero Trust protocols into your attack surface.

Download the full Microsoft Digital Defense Report for a closer look at today’s cyber threat landscape and, for even more details, check out our recent webinar, “Build cyber resilience by leveraging Microsoft experts’ digital defense learnings.”

Explore more threat intelligence insights on Microsoft Security Insider.