Microsoft has published its latest Security Intelligence Report (SIR), which it does twice a year, covering security issues for the prior six months. This latest edition covers the second half of 2015, analyzing the threat landscape of exploits, vulnerabilities and malware using data from Internet services and over 600 million computers worldwide.
It is a massive effort, with dozens of Microsoft staff from different groups contributing. For the first time, the report looks not only at PC malware but also at threats to Microsoft's Azure cloud service, which the company says "reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers."
Every day, Microsoft’s machine learning systems process more than 10 terabytes of data, including information on over 13 billion logins from hundreds of millions of Microsoft Account users and Azure Active Directory accounts, according to the company.
"We’ve included new data in this report that provides insight into how the Microsoft cloud uses this massive data and machine learning to literally detect and prevent over a million attacks every day," the report said.
A large chunk of the 198-page report—35 pages—is dedicated to a Southeast Asian hacker group Microsoft has dubbed "PLATINUM." Microsoft said the group has been active since 2009, conducting targeted attacks around Southeast Asia, and is very good at covering its tracks. Its primary targets have been governments and related organizations in South Asia and Southeast Asia, attacked using zero-day exploits and spearphishing.
As for the cloud, Microsoft provided some impressive stats:
- 95 percent of all organizations and 90 percent of the world’s 2,000 largest organizations use Active Directory on premises.
- There were 8.24 million tenants in Azure Active Directory, comprising more than 550 million users.
- Most of these tenants were small businesses with fewer than 500 user accounts and were not synchronizing from an on-premises Active Directory deployment.
- A minority of these 8.24 million tenants had more than 500 user accounts, but because they are comparatively large, they accounted for 91 percent of all the identities in Azure Active Directory.
- At the time these statistics were collected, Azure Active Directory was averaging more than 1.3 billion authentications per day.
The company uses machine learning systems to help prevent cyberattacks, or to mitigate the potential damage should an attack succeed. Each day, Microsoft’s account protection systems automatically detect and prevent more than 10 million attacks from tens of thousands of locations, even when the attacker has valid credentials.
One thing Microsoft detailed was where these attacks originate, by region:
- 49% in Asia
- 20% in South America
- 14% in Europe
- 13% in North America
- 4% in Africa
Other data from the report includes:
- The worldwide malware encounter rate rose to 20.8 percent at the end of 2015. The encounter rate in the U.S. was about 40 percent lower than the worldwide rate in 2015, a difference of approximately eight percentage points.
- The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh and Nepal, which all had encounter rates above 50 percent.
- Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015.
- Although ransomware had relatively low encounter rates, just 0.3 percent worldwide, its use in exploit kits is increasing.
- Sites that targeted financial institutions accounted for the largest number of active phishing attacks.
SIR volume 20 can be downloaded for free; PDF reader required.