Microsoft Lifts Veil on Its Emergency Response Team

Microsoft has historically kept mum about its emergency security response team, which helps organizations deal with ransomware and other major post-breach software security incidents. That changed this week.

On Wednesday, the company publicly shared some details about its "Compromise Recovery Security Practice" (CRSP).

"Historically we [the CRSP team] have kept our existence quiet, and our activities were only published internally at Microsoft," Microsoft said in an announcement. "Given that we are seeing more and more cybersecurity incidents, we thought it was time to publicly let the world know where we fit into the Microsoft security story."

To hear Microsoft tell it, CRSP team members are reactive and typically travel a lot, working on projects over a period of weeks. They also respond within hours during a crisis, and they can fix things remotely. The job normally entails "working in high-pressure situations with high-profile issues."

CRSP Areas of Focus
CRSP team members principally act to secure and restore the highest-risk assets of an attacked organization, namely "Azure Active Directory, Exchange, and certificate authorities." Their work spans three functions:

  • Compromise recovery: Giving customers back control of their environment after a compromise.
  • Rapid ransomware recovery: Restore business-critical applications and limit ransomware impact.
  • Advanced threat hunting: Proactively hunt for the presence of advanced threat actors within an environment.

The compromise recovery work entails removing attackers from a network, which takes place after the Microsoft DART team has conducted a forensic investigation.

The rapid ransomware recovery effort aims to bring back business-critical solutions, such as Azure Active Directory, in organizations. "These projects are usually very time-sensitive and require a great number of efforts to contain the attack," the announcement explained.

Advanced threat hunting refers to finding advanced persistent threat actors tapping the network. The CRSP team also offers practical advice on the security enhancements that organizations should adopt.

Proactive Steps
The CRSP team aims to leave organizations with better security. The team recommends establishing secure privileged access within the IT department, such as controlling access to Active Directory.

Also, organizations should aim for "zero trust" principles. They should "turn off unused services, implement host-based firewalls, run network-level encryption, remove unused software, keep software up to date, remove unused accounts, check certificate stores, and remember to do the same for any hypervisors or storage networks," the announcement indicated. It also offered the advice that "patching cycles should be measured in hours and not weeks."

Organizations shouldn't just use logs to spot security incidents. They should also use that information to assess the exposure of their IT administration paths. The use of artificial intelligence solutions as a supplementary approach was also recommended.

Accessing Microsoft CRSP Help
For technical issues, Microsoft has its Unified Support services option for those organizations that opt to pay for the recurring subscription costs. However, post-breach help from the CRSP team seems to be less bound to having an advance subscription in place.

"Usually, our services are engaged through the regular customer services and support route or via your Microsoft account management team," the CRSP team explained.

The costs associated with CRSP services weren't described. The Microsoft Security Solutions landing page doesn't indicate that such help is available.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.