BitDepth 1369
MARK LYNDERSAY
AT AN online security briefing on Wednesday, Jeremy Dallman, senior director at the Microsoft Threat Intelligence Center (MSTIC), elaborated on the cybersecurity threats that the company reports on in the released second edition of its Cyber Signals threat evaluation (https://aka.ms/CyberSignals-2).
MSTIC is not a product, though its findings help to inform Microsoft's responses to threats and its products.
Intelligence gathering is done through its own networks and through industry collaboration, including with its competitors.
"We may compete with our products," Dallman said, "but we are all dealing with the same threats."
The threat evaluation division engages in "hunting," the analysis of attack vectors and techniques to build profiles of the actors involved in these digital threats.
Microsoft is currently processing 24 trillion signals per day, gathered from multiple sources of intelligence.
To handle this brobdingnagian dataset, the company correlates it using big-data management techniques and machine-learning evaluation.
After finding that 95 per cent of threats begin with an e-mail lure, the company has automated the checking of links in suspect e-mails on its networks and the quarantining of potential spam e-mails that target unsavvy users.
Knotweed, a new malware package deployed in Europe, is embedded in meme images and deploys when the file is loaded.
User inertia is also a factor. An analysis of 45 days of signals revealed that 20 million internet-connected devices were using the default password, "admin."
The end goal behind most system compromises and unauthorised access is ransomware, which Microsoft describes as having evolved an "extortion economics" model.
The Ransomware as a Service (RaaS) model offers tools provided by developers of malware to affiliates who then use these products to lock down compromised computer systems.
MSTIC estimates that some of these programs have more than 50 "affiliates" who use these RaaS kits with varying levels of skill and success.
MSTIC has found three distinct players involved in this new business of breaking computer security systems.
An access broker will use phishing techniques to gain access to a computer system. A RaaS affiliate will buy tools to exploit this access for a 30 per cent cut of the profit, paying a fee starting at US$250 to an access broker if they are not a part of the affiliate's business. Stolen username and password pairs sell for around US$150 for 400 million.
Compare the cost of these attacks with the business cost.
The FBI found in 2021 (PDF: https://bit.ly/3ckja2Q) that cybercrime cost the US a hefty $6.9 billion while the EU's cybersecurity agency (https://bit.ly/3PRFTAW) estimates that ten terabytes of data are stolen each month through ransomware. More than half of that stolen data includes employees' personally identifiable information.