The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
What is CRSP?
Microsoft Global Compromise Recovery Security Practice.
Who is CRSP?
We are a worldwide team of cybersecurity experts operating in most countries, across all organizations (public and private), with deep expertise to secure an environment post-security breach and to help you prevent a breach in the first place.
As a specialist team within the wider Microsoft cybersecurity functions, we predominantly focus on reactive security projects for our customers. The main types of projects we undertake are:
- Compromise recovery: Giving customers back control of their environment after a compromise.
- Rapid ransomware recovery: Restore business-critical applications and limit ransomware impact.
- Advanced threat hunting: Proactively hunt for the presence of advanced threat actors within an environment.
In addition to our reactive work due to our technical expertise and experience, we are sometimes engaged to work proactively with high-profile customers to help keep them safe no matter who or what the adversary.
Compromise recovery is the process by which we remove the nefarious attacker control from an environment and tactically increase security posture within a set period of time. Compromise recovery takes place post-security breach. This remedial activity often follows an investigation from our Microsoft DART colleagues or other third-party forensic incident response experts. We incorporate these findings into the recovery efforts and work to make your environment as secure as we can, with the aim for you to take back control.
Rapid ransomware recovery is where an organization has been targeted by advanced ransomware, which is usually human-operated and targeted to specific organizations. We assist in bringing back operation-critical business systems, such as Azure Active Directory, and work hard to limit exposure of ransomware across an environment. These projects are usually very time-sensitive and require a great number of efforts to contain the attack.
With advanced threat hunting, we bring expertise in Microsoft security tooling into an environment to actively hunt for advanced threat actors—advanced persistent threats (APTs) and determined human adversaries. We can work within a customer’s existing security processes to help improve internal security capabilities and trust. As part of this, we deliver our findings and provide practical and real advice on how to further enhance your security, as well as suggest if additional tactical steps may be required.
Historically we have kept our existence quiet, and our activities were only published internally at Microsoft. Given that we are seeing more and more cybersecurity incidents, we thought it was time to publicly let the world know where we fit into the Microsoft security story.
We are flexible in our approach to helping customers. Traveling and being away from home for extended periods and working in high-pressure situations with high-profile issues is normal and frequent for a CRSP cybersecurity professional. We are also practiced and efficient at delivering these engagements entirely remotely.
CRSP is the team that takes back control.
How do we help customers?
At Microsoft, we advocate that everyone maintain an “assume breach” mindset. Unfortunately for the customers we work with, we know there has been a breach and often see the worst that attackers can do.
In the last year, we have dealt with issues from crypto-malware making an entire environment unavailable to a nation-state attacker maintaining covert administrative persistence in an environment. We help customers take back control. At all times, we work with customers to restore legitimate control and secure trust in their computing environment by removing, mitigating, and reducing the risks.
Our scope is often to secure the assets which matter the most to organizations, such as Azure Active Directory, Exchange, and certificate authorities, whose loss leads to the highest impacts and therefore have the highest risks.
Part of our work is to deeply analyze your existing environment and identity where activity is required. This investigation is helpful as it helps you understand your assets in a way you may have never had the opportunity to do so previously.
Bringing back control of these high-value assets is our aim. By taking a tactical approach we implement secure and sustainable changes that minimize exposure, thereby reducing the risk of any follow-up attacks and thoroughly removing any illegitimate control and hardening systems. We do this within a specific timeframe in mind which is usually measured in weeks. For a more urgent crisis, we have operated in hours.
We see sustainability in maintaining control as a key part of our role. This control not only removes the attacker but reduces the risk of follow-up attacks, so therefore it must be possible to maintain. We provide deep technical expertise to make your environment more secure. An additional benefit of working with CRSP is that we often leave our customers with a true security administration mindset.
Based on helping so many customers, we understand what works well to secure an environment and what doesn’t. Some things may be important but not strictly necessary for you to take back control. That isn’t to say that these things are not important in improving security, because they often are, but when it comes to tactical and swift actions, they may not be vital. As part of medium and longer-term planning, we help you identify these options correctly and build a plan to enable you to further continue your security journey.
Although we bring with us a team who are experts in their own specialties, we never work alone. We work with our wider Microsoft colleagues and sometimes our partners and third parties to identify additional vulnerabilities and security incidents. We assist you and your security team in making sure they can help maintain your security once we leave.
Usually, our services are engaged through the regular customer services and support route or via your Microsoft account management team.
We hope you should never need our services. But if you do, know you are in safe hands.
Secure admin path
We have documented many times that most adversaries will go after your Azure Active Directory and your administrators because they know these will give them the best opportunity for having full control. Securing your administrative path will make it much harder for adversaries to take over.
Administrative workstations, credential hygiene, and implementing the tier model will help a great deal. Additionally, having security and administrative functions working together is something we encourage our customers to do.
Turn off unused services, implement host-based firewalls, run network-level encryption, remove unused software, keep software up to date, remove unused accounts, check certificate stores, and remember to do the same for any hypervisors or storage networks. You should reduce interdependent control and adopt in-depth defense with Zero Trust.
Patching cycles should be measured in hours and not weeks. Your business-critical applications should not be running on obsolete software, hardware, or firmware. Exploits and zero-days are bought in “the wild” within hours—sometimes even minutes, so it is essential to do the patching as quickly as possible. With this approach, you are limiting the attack surface significantly.
Insights and monitoring
Understand what is normal in your environment and what isn’t. You can only do this with good monitoring and comprehensive baselines.
Know that monitoring isn’t just looking at traditional security incidents but looking at spotting exposure to your admin path. Monitor the performance of your systems and make sure they are logging correctly. Make sure that people who are looking at this data understand the difference between normal and not normal. These processes may not always be in your security operations, so it is key that you add this. Using AI can greatly improve your visibility in what should be normal user behavior, by creating alerts around these behaviors (with automatic mitigations) you can have a head start in protecting your infrastructure and related components.
React quickly and efficiently to anything that is not normal or suspected bad.
In the end, cybersecurity is mostly about the mindset that needs to be adopted, embraced, and supported by everyone in an organization. You can lock all the doors, install an alarm, and put CCTV in place, but unless everyone remembers to lock the door and turn the alarm on you won’t be very secure.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.