Sharing Microsoft learnings from major cybersecurity incidents

This post is authored by Mark Simos, Director of Business Development and Strategy, Enterprise Cybersecurity Group

Microsoft has assisted customers with the investigation of, and recovery from, cybersecurity attacks for well over a decade. This effort began informally when our IT department and product groups came to the aid of customers encountering attacks in their environments. Since those early days, the volume and complexity of incidents have required Microsoft to scale up its efforts to include full-time professional investigation and recovery teams. These teams are typically engaged on one or more major investigations in any given week throughout the year. If you are experiencing a targeted attack, you can rapidly engage our Global Incident Response and Recovery teams through Microsoft Premier Support.

Incident Response Reference Guide

Because the challenges that our customers face during incident response and recovery are both technical and non-technical, we recently embarked upon an effort with partner organizations to provide our customers with comprehensive incident management guidance.

The results of this effort have been compiled into an Incident Response Reference Guide. It is available for download, and we are distributing a printed version at the Microsoft booth during the RSA conference in San Francisco this week.

This guidance describes the learnings and recommendations that our organizations have made along the technical, operations, legal, and communications dimensions. It is designed to help you prepare for and meet critical needs during a major cybersecurity incident, as well as to avoid common errors.

The recommendations in this guide can help organizations prepare for and address security incidents of many severities, though it is primarily focused on major incidents in which administrative access has been compromised.

This guidance is designed to enable you to:

  1. Prepare for a crisis by reducing risk to your organization
  2. Better manage a crisis, whether or not you have made prior preparations

The tips and guidance in this document are designed to provide insights to organizations facing their first incident, as well as to seasoned professionals who manage persistent adversary operations regularly. It is based on our collective experiences across a wide range of Fortune 1000® companies and government agencies. We would love to hear your feedback on how this document helped you and how to improve it. You can reach us at CyberDocFeedback@microsoft.com.

Beyond the Guide

As our teams travel the globe helping customers and fighting cybercrime, the learnings from this work continuously influence Microsoft products, public guidance, and how we help future customers. Several key pieces of guidance we have published were informed by this experience, including Versions 1 and 2 of Mitigating Pass-the-Hash and Other Credential Theft, Best Practices for Securing Active Directory, and a new type of guidance that outlines a prioritized security strategy against these attacks, the Securing Privileged Access (SPA) roadmap (online SPA training is also available). Microsoft has also contributed to efforts such as the NIST 800-184 Guide for Cybersecurity Event Recovery to share our lessons learned.

Additionally, many of our products and features have been directly influenced by our incident response and recovery experience. These include Windows Defender Advanced Threat Protection (ATP), Advanced Threat Analytics (ATA), Windows Server 2016 Shielded VMs, Virtualization Based Security (VBS) in Windows 10 that includes Credential Guard, Microsoft Identity Manager’s Privileged Access Management Capability (MIM-PAM), and many others.

What causes an incident to have a major impact on an organization varies depending on the business or mission. However, we have found that most major incidents involve the compromise of administrative access to most or all enterprise IT systems (as happens in the targeted attacks frequently reported in the press). Based on the prevalence of credential theft techniques that lead to the compromise of administrative rights, Microsoft has open sourced the instructions for building the privileged access workstations (PAWs) that our cybersecurity professional services personnel deliver. This architecture is based on learnings from attacks on our customers as well as on our experience deploying secure access workstations internally for the administrators of our own IT systems.

Learn from over a decade of experience helping our customers recover from major incidents by downloading the Incident Response Reference Guide today.