Microsoft has published its latest biannual Security Intelligence Report (SIR), covering the second half of 2015. The SIR "analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide."
This report, its twentieth in the last ten years, includes security data from the Microsoft cloud for the first time, which the company says "reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers."
The security graph is compiled from "trillions of signals from billions of sources", with inputs from endpoints, consumer and commercial services, and on-premises technologies. This helps Microsoft to combine security and threat intelligence data, to inform its real-time analysis and insights, and predictive intelligence, in an effort to improve overall protection for all of its customers.
Microsoft highlighted some examples of the insights provided in its latest SIR:
- From a sensor network made up of hundreds of millions of systems running Microsoft anti-malware software, the data shows us that:
  - The number of systems that encountered malware in 2015 increased in the second half of the year. The worldwide encounter rate increased to 20.5% by the end of 2015, an increase of 5.5% from six months earlier.
  - The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh, and Nepal, which all had encounter rates above 50%.
  - Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015. The Angler exploit kit was the most commonly encountered exploit kit family.
  - Although ransomware had relatively low encounter rates (worldwide ER for ransomware in the first quarter of 2015 was 0.35 percent and 0.16 percent in the second quarter), its use in ransomware-as-a-service kits and targeted attacks is increasing.
- SmartScreen Filter is a feature in Internet Explorer and Microsoft Edge that offers users protection against phishing sites and sites that host malware. Based on phishing data from the SmartScreen:
  - Phishing sites that targeted online services received the largest share of impressions during the period, and accounted for the largest number of active phishing URLs.
  - Sites that targeted financial institutions accounted for the largest number of active phishing attacks during the period.
In the cloud security data newly included in this SIR, Microsoft said that "the massive scale of Microsoft's cloud enables us to gather an enormous amount of intelligence on malicious behavior". It notes that:
- At the end of 2015, Azure Active Directory was being used by 8.24 million tenants with over 550 million users.
- Azure Active Directory averaged over 1.3 billion requests per day.
- Every day, Microsoft processed over 13 billion logins from hundreds of millions of Microsoft Account users.
The company uses machine learning systems to help prevent cyber-attacks, or to actively limit the potential damage caused by those that succeed. A key factor in doing so is understanding where these attacks come from:
- Compromised login attempts were blocked from unfamiliar locations nearly three quarters of the time.
- Attackers were located in different parts of the world:
  - 49% in Asia
  - 20% in South America
  - 14% in Europe
  - 13% in North America
  - 4% in Africa
With this knowledge, data collection and intelligent analysis, Microsoft says that every day, its account protection systems "automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials." That adds up to more than four billion attacks prevented last year.
Microsoft's full Security Intelligence Report is 198 pages long, with far too much detail to consider here, including key sections on a major network of targeted attacks in south and southeast Asia, which Microsoft has codenamed 'PLATINUM'; and an in-depth focus entitled 'Protecting Identities in the Cloud: Mitigating Password Attacks'.
The full Security Intelligence Report is available to download free from Microsoft's site.