Cybersecurity Recovery & Remediation After a Security Breach


July 6, 2023
Microsoft Australia

Recovery from a cyber security incident is a three-stage process, not a continuum. By responding to all cyber-threats and data breaches through the lens of Incident Response, Compromise Recovery and Strategic Recovery, our approach at Microsoft is to leave no stone unturned in your threat recovery gameplan.

Stage 1: Incident Response

The difference between incident response and compromise recovery is like the difference between paramedics and the emergency department following a severe injury.

In the incident response stage, you’re under attack and need rapid triage. Triage tells us what happened and how. Once we understand that, we can head to the emergency room to stabilise the patient. That stabilisation process is compromise recovery.

Stage 2: Compromise Recovery

Compromise recovery regains control of the environment, which requires consideration and prioritisation. We need to fix the root cause of the attack.

At Microsoft, we’ve found this separation between incident response and compromise recovery allows us to focus on very different things at each stage for a better overall result.

Activities at the compromise recovery stage

As a first step, the incident response team should create an incident response report that details the scope of the compromise. Next, a compromise recovery plan can be actioned. The recovery plan prioritises activities based on the scope of the compromise.

Those activities include:

  • Tactical monitoring: because we can’t fight what we can’t see
  • Active Directory analysis: so we can decide disposition (de-privileging users and hardening the computers in the environment)
  • Eviction period: where we eradicate the attacker from the environment

Because the attacker is often active and changing things, stealth is important. We don’t want to alert the attacker that we’re about to cut them off.

The importance of the identity platform

We focus so much on the identity platform at Microsoft for a few reasons:

  1. Attackers are attracted to the identity platform because technologies like Azure Active Directory are central places to exert control. That makes the identity platform the most likely place to find an attacker.
  2. The little time we have for recovery makes removing the attacker from the identity platform a high-value action. After we remove the attacker, they can’t do what they came for or install backdoors to re-enter after remediation.

Challenges at the compromise recovery stage

We tend to find that the challenges to compromise recovery are split between technical and human, both exacerbated by the chaotic atmosphere a security threat creates.

Technical challenges to compromise recovery after a security breach

Technical debt: We might have to patch domain controllers or install a newer version of Windows.

Business disruption: We want our work to have as little impact as possible after an already difficult time for the business.

Stealth: The attacker might attack or disappear if they know we’re working.

Human challenges to compromise recovery

Multiple vendors in action: The customer’s other vendors could be assisting, making communication multi-dimensional.

Maintaining focus: If technical staff return to regular tasks, it can be hard to complete the return to a stable state with stretched resources.

Stage 3: Strategic cybersecurity recovery

We advise that the lead architect for the compromise recovery stage give guidance and recommendations divided into three horizons.

Short-term

These are typically focussed on the identity stack. For example:

  1. Backing up the Active Directory
  2. Removing remaining security vulnerabilities by securing the hypervisor platform and so on

Medium-term

The focus can be widened beyond the identity platform to the business services or the services that support the business, like databases.

Long-term

Looking to the future, recommendations can be made which might include a cloud adoption roadmap to harden the security footing with extra monitoring and backup capabilities. Workloads could even be moved into the cloud for extra resilience.

Lessons learned

We always find a lessons learned session is critical to gather feedback from technical and business stakeholders. What worked well? What didn’t? What could be improved in the areas of technology, people, and processes?

Critical thinking for critical incidents

The lessons from recovery and remediation exercises tell us that a considered approach to each stage is critical. Only by working systematically will you return to a stable environment with a plan to limit the chances of a repeat incident.


This post was written by Microsoft Australia