Now even stronger with AI
In the world of cybersecurity, progress can often feel elusive and frustrating for those who have been observing it for years. Our field requires constant vigilance, and the satisfaction of a job well done can be hard to come by amidst the prevalence of bad news and doom-and-gloom reports. Yet, amidst these challenges, success stories in cybersecurity emerge daily.
Every day, dedicated defenders quietly exchange information. They continuously raise the costs for attackers and their sprawling criminal networks. With their exceptional skills and expertise, they consistently improve their ability to identify and expel criminals swiftly.
The effectiveness of threat intelligence (TI) is evident as median adversary dwell times continue to decrease. Today's 20-day average represents a significant improvement from the past, where attackers could operate undetected for months.
This progress owes much to enhanced intelligence, better tools, and improved resources. When we combine these elements—specifically, threat intelligence, large-scale data, and artificial intelligence (AI)—the impact of defenders is both accelerated and amplified.
Data
Data forms the lens through which defenders perceive threats, and our clarity has never been sharper. Intense competition in the cloud market has significantly reduced the cost of storing and analyzing data, facilitating substantial advancements in innovation. These cost reductions have enabled the deployment of more precise sensors across digital infrastructures. The emergence of XDR+SIEM has further broadened data collection and signal detection from endpoints and applications to identities and the cloud.
Increased data signals expand the scope for threat intelligence (TI), which in turn fuels artificial intelligence (AI). TI serves as the foundational labels and training data for AI models to anticipate future attacks.
Where TI identifies threats, AI excels in scaling response capabilities.
The intuition and expertise behind successful threat intelligence operations can now be replicated digitally, leveraging millions of parameters against a backdrop of 65 trillion signals.
Threat Intelligence
At Microsoft, our approach to threat intelligence is centered around understanding adversaries. We actively monitor over 300 distinct threat actors, which includes more than 160 groups associated with nation-states and over 50 ransomware gangs.
This work requires creativity, innovation, and collaboration across diverse disciplines. Effective threat intelligence brings together cybersecurity experts, applied scientists, geopolitical analysts, and disinformation specialists to comprehensively assess adversaries. This holistic approach enables us to not only discern the nature of ongoing attacks but also anticipate the motives and potential targets of future threats.
Security Insider Report
Artificial Intelligence
Artificial intelligence (AI) accelerates defensive capabilities to match the speed of attacks. AI enables early disruption of human-operated ransomware attacks by transforming low-confidence signals into effective early warning systems.
Human investigators typically piece together individual clues to recognize ongoing attacks, a process that can be time-consuming. However, in scenarios where time is of the essence, AI can swiftly analyze data to identify malicious intent. AI's ability to contextualize information allows for comprehensive threat linkage.
Similar to how human investigators analyze information across multiple levels, we integrate three types of AI-informed inputs to detect ransomware attacks at the onset of escalation.
At the organizational level, AI employs a time series and statistical analysis of anomalies
At the network level, it constructs a graph view to identify malicious activity across devices
At the device level, it uses monitoring across behavior and TI to identify high-confidence activity
Ransomware
Spotlight on ransomware: A conversation with Jessica Payne
The encouraging aspect of ransomware is its largely preventable nature. Much reporting tends to emphasize the diversity of ransomware payloads, suggesting a multitude of attackers scaling endlessly. In reality, ransomware stems from a subset of attackers who leverage common techniques and switch between available ransomware-as-a-service payloads.
By shifting focus from the payloads to the actors behind the attacks, we highlight that most ransomware deployers do not rely on unique skills or bespoke zero-day exploits; rather, they exploit common security vulnerabilities.
Since many attackers employ similar tactics, it becomes feasible to identify overlapping threats and implement mitigations accordingly. Nearly every ransomware attack involves attackers acquiring access through highly privileged credentials, such as domain admin or software deployment accounts—issues addressable with built-in tools like Group Policies, Event Logs, and Attack Surface Reduction (ASR) Rules.
Organizations leveraging ASR rules have reported up to a 70% decrease in incidents, reducing strain on Security Operations Centers (SOCs) and minimizing opportunities for initial attacker access that can compromise defenses over time. Successful defense against ransomware hinges on such rigorous hardening measures.
The mantra remains clear: prevention is paramount. I often emphasize that prevention and detection are not equals; prevention serves as detection's guardian by reducing network noise and allowing focused attention to critical threats.
Ultimately, effective threat intelligence plays a pivotal role in either thwarting attacks outright or automatically interrupting them.
Learn more about protecting your organization from ransomware, and read the full report.