Microsoft Lifts Veil on Its Emergency Response Team

Microsoft has historically said little about its emergency security response team, which helps organizations recover from ransomware and other major post-breach security incidents. That changed this week.

On Wednesday, the company publicly shared some details about its "Compromise Recovery Security Practice" (CRSP).

"Historically we [the CRSP team] have kept our existence quiet, and our activities were only published internally at Microsoft," Microsoft said in an announcement. "Given that we are seeing more and more cybersecurity incidents, we thought it was time to publicly let the world know where we fit into the Microsoft security story."

As Microsoft describes it, CRSP is a reactive team: its members typically travel a great deal and work engagements that run for weeks, but during a crisis they respond within hours and can also work remotely. The job normally entails "working in high-pressure situations with high-profile issues."

CRSP Areas of Focus
CRSP team members principally act to secure and restore the highest-risk assets of an attacked organization, namely "Azure Active Directory, Exchange, and certificate authorities." Their work spans three functions:

  • Compromise recovery: giving customers back control of their environment after a compromise.
  • Rapid ransomware recovery: restoring business-critical applications and limiting the impact of ransomware.
  • Advanced threat hunting: proactively hunting for the presence of advanced threat actors within an environment.

The compromise recovery work entails evicting attackers from a network; it takes place after Microsoft's DART (Detection and Response Team) has completed its forensic investigation.

The rapid ransomware recovery effort aims to bring back business-critical solutions, such as Azure Active Directory, in organizations. "These projects are usually very time-sensitive and require a great number of efforts to contain the attack," the announcement explained.

Advanced threat hunting refers to finding advanced persistent threat actors operating within the network. The CRSP team also offers practical advice on the security enhancements that organizations should adopt.

Proactive Steps
The CRSP team aims to leave organizations in a stronger security posture than it found them. The team recommends establishing secure privileged access within the IT department, such as tightly controlling who can administer Active Directory and from where.

Organizations should also adopt "zero trust" principles. They should "turn off unused services, implement host-based firewalls, run network-level encryption, remove unused software, keep software up to date, remove unused accounts, check certificate stores, and remember to do the same for any hypervisors or storage networks," the announcement indicated. It also advised that "patching cycles should be measured in hours and not weeks."
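As an added illustration of how a practitioner might audit several items on that checklist (this is example code, not part of the article or anything published by the CRSP team), the following read-only PowerShell script reports enabled but inactive Active Directory accounts, root certificates in the machine store that are not on an expected list, the age of the most recently installed patch, and the count of running services. It assumes a domain-joined host with the ActiveDirectory RSAT module; the staleness threshold and the expected-root thumbprint list are assumptions to set for your environment.

```powershell
# Added example (not from the article or from Microsoft CRSP): a read-only audit of
# items from the hardening list above. Runs on a domain-joined host with the
# ActiveDirectory module. Thresholds and the expected-root list are assumptions.
#Requires -Modules ActiveDirectory

param(
    [int]$StaleDays = 90,
    # Assumption: SHA-1 thumbprints of root CAs you expect in Cert:\LocalMachine\Root.
    # Anything not on this list is reported for review.
    [string[]]$ExpectedRootThumbprints = @()
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# 1. Unused accounts: enabled users with no logon inside the window.
#    lastLogonDate is a replicated attribute updated only every ~14 days, so treat
#    this as a triage list and confirm against lastLogon on each DC before disabling.
$staleUsers = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordLastSet |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet

# 2. Certificate stores: machine-wide trusted roots not on the expected list.
#    An unexpected root is what lets an attacker mint trusted TLS or code-signing
#    certificates, so each one should be explained or removed.
$unexpectedRoots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $ExpectedRootThumbprints -notcontains $_.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter

# 3. Patch age: days since the most recent installed update, to compare against the
#    "hours, not weeks" target quoted above.
$lastHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAgeDays = if ($lastHotfix) { ((Get-Date) - $lastHotfix.InstalledOn).Days } else { $null }

# 4. Running services: review this list against a known-good baseline for the host role
#    and stop or disable anything the role does not need.
$runningServices = Get-Service | Where-Object Status -eq 'Running' | Select-Object Name, DisplayName

[pscustomobject]@{
    StaleEnabledUsers   = $staleUsers
    UnexpectedRootCAs   = $unexpectedRoots
    DaysSinceLastPatch  = $patchAgeDays
    RunningServiceCount = @($runningServices).Count
    RunningServices     = $runningServices
}
```

The script changes nothing; it produces the worklist. Disabling accounts, removing roots, or stopping services should follow a change-controlled review, since a stale-looking account may be a break-glass identity and an unfamiliar root may belong to an internal PKI.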

Organizations shouldn't use logs only to spot security incidents. They should use that same information to map how their IT administration paths are exposed, for example which hosts privileged credentials are actually used from. The announcement also recommended artificial intelligence solutions as a supplementary approach.
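One way to turn existing domain controller logs into an exposure map, as an added example that is not part of the article or of Microsoft's own tooling: Kerberos TGT requests (Security event 4768) record the client IP from which each account authenticated. Any successful TGT request for a Tier-0 account that did not originate from a privileged access workstation means those credentials were typed into, or cached on, a host outside the sanctioned admin path. The script below assumes it is run on a domain controller with the ActiveDirectory module, and the group names and PAW addresses are placeholders to replace with your own.

```powershell
# Added example (not from the article or from Microsoft CRSP): surface
# administration-path exposure from Kerberos TGT requests (event 4768) on a DC.
# Run on each domain controller (or against centrally collected logs); NTLM
# authentications are not covered here and would be found in event 4776.
#Requires -Modules ActiveDirectory

param(
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
    # Assumption: IPv4 addresses of the hardened admin workstations that are the only
    # sanctioned sources of Tier-0 logons.
    [string[]]$PawAddresses = @('10.0.50.11', '10.0.50.12'),
    [int]$LookbackDays = 7
)

# Resolve privileged group membership recursively so nested groups are covered.
$privilegedUsers = @{}
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $privilegedUsers[$_.SamAccountName.ToLowerInvariant()] = $true }
}

# Pull TGT requests from the Security log for the lookback window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

$findings = foreach ($event in $events) {
    # The structured fields live in the event XML; pull them into a hashtable by name.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    $user = "$($data['TargetUserName'])".ToLowerInvariant()
    # IpAddress is logged as an IPv4-mapped IPv6 string such as ::ffff:10.0.1.5
    $client = "$($data['IpAddress'])" -replace '^::ffff:', ''

    # Keep only successful requests (Status 0x0) by privileged users from non-PAW sources.
    if ($privilegedUsers.ContainsKey($user) -and $data['Status'] -eq '0x0' -and
        $PawAddresses -notcontains $client) {
        [pscustomobject]@{
            Time     = $event.TimeCreated
            Account  = $user
            ClientIP = $client
        }
    }
}

# Summarise per account and source host: each row is one exposed admin path.
$findings |
    Group-Object Account, ClientIP |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            ClientIP = $_.Group[0].ClientIP
            Requests = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } |
    Sort-Object Requests -Descending |
    Format-Table -AutoSize
```

Each row answers a question incident responders ask after a breach and defenders should ask before one: which ordinary workstations or servers have held Domain Admin credentials recently, and therefore which hosts an attacker could have harvested them from.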

Accessing Microsoft CRSP Help
For technical issues, Microsoft offers its Unified Support service to organizations that pay the recurring subscription cost. Post-breach help from the CRSP team, however, does not appear to depend on having such a subscription already in place.

"Usually, our services are engaged through the regular customer services and support route or via your Microsoft account management team," the CRSP team explained.

The announcement did not describe the costs associated with CRSP services, and the Microsoft Security Solutions landing page does not indicate that such help is available.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
