If you spent 270 days away from home, not on vacation, you’d want it to be for a good reason. When boarding a plane, sometimes having been pulled out of bed to leave family for weeks on end, I know it’s because one of our customers is in need. It means there is a security compromise and they may be dealing with a live cyberattack.
As the Microsoft Detection and Response Team (DART), our job is to respond to compromises and help our customers become cyber-resilient. This is also our team mission. One we take very seriously. And it’s why we are passionate about what we do for our customers.
Our unique focus within the Microsoft Cybersecurity Solutions Group allows DART to provide onsite reactive incident response and remote proactive investigations. DART leverages Microsoft’s strategic partnerships with security organizations around the world and with internal Microsoft product groups to provide the most complete and thorough investigation possible. Our response expertise has been leveraged by government and commercial entities around the world to help secure their most sensitive, critical environments.
How DART works with Microsoft customers
Our team works with customers globally to identify risks and provide reactive incident response and proactive security investigation services to help our customers manage their cyber-risk, especially in today’s dynamic threat environment.
In one recent example, our experts were called in to help several financial services organizations deal with attacks launched by an advanced threat actor group that had gained administrative access and executed fraudulent transactions, transferring large sums of cash into foreign bank accounts.
When the attackers realized they had been detected, they rapidly deployed destructive malware that crippled the customers’ operations for three weeks. Our team was on site within hours, working around the clock, side-by-side with the customers’ security teams to restore normal business operations.
Incidents like these are a reminder that trust remains one of the most valuable assets in cybersecurity and the role of technology is to empower defenders to stay a step ahead of well-funded and well-organized adversaries.
Overlooking a single security threat can create a serious event that could severely erode community and consumer confidence, can tarnish reputation and brand, negatively impact corporate valuations, provide competitors with an advantage, and create unwanted scrutiny.
That’s why our DART team also offers The Security Crisis and Response Exercise. This is a hands-on two-day custom, interactive experience on understanding security crisis situations and how to respond in the event of a cybersecurity incident. We examine our customers’ security posture and implement proactive readiness training with the objective of helping customers prepare for incident response through practice exercises.
The simulation is based on real-life scenarios from recent cybersecurity incident response engagements. The exercise focuses on topics such as Ransomware, Office 365 compromises, and compromises via industry-specific malware with complex backdoor software. Each scenario focuses on the key areas of cybersecurity: Identify, Protect, Detect, Respond, and Recover and covers a broad eco-system including supply chain vulnerabilities such as software vendors, IT service vendors, and hardware vendors.
DART basic recommendations
To help you become more cyber-resilient, below are a few recommendations from our team based on our experiences of what customers can be doing now to help harden their security posture.
Standardize—The cost of security increases as the complexity of the environment increases. To reduce the total cost of ownership (TCO), standardization is key. It also reduces the number of secure configurations the organization must maintain.
- Domain controllers should be nearly identical to each other in both the operating system (OS) level and the apps running on them.
- Member server groups should be standardized based on other similar or same functions.
- File servers on the same OS with the same apps.
- SQL servers on the same OS with the same apps.
- Exchange servers on the same OS with the same apps.
- Reduce the number of disjoined security products.
- It is not possible to manage the security of an enterprise from 15 different security consoles that are not integrated.
- Find a partner that covers multiple layers of security with integrated products.
Modernize—Consider this analogy: In WWII, the battleship was a fearsome ship bristling with guns, big and small, and built to take a hit. Today, a single missile cruiser could sink an entire fleet of WWII battleships. Technology evolves quickly. If you put off modernizing your environment, you could be missing critical technologies that protect your organization.
- Accelerate adoption plans for Server 2016 and Windows 10.
- Start with Domain Controllers and workstations of admins/VIPs.
- Follow on with line of business (LOB) member servers and easy win upgrades like file servers.
- Finalize with all other member servers and workstations.
- Accelerate cloud adoption plans, while understanding the shared-risk model between customers’ cloud vendors and their retained risk you must continue to manage.
- Evaluate security tools based on their ability to succeed in the modern threat landscape. Cloud-enabled security solutions need to base capability on four key pillars:
- Endpoint telemetry—Windows, Android, iOS, Linux, etc. are the initial points from which data is collected.
- Compute—Datacenter power. This is the compute power needed to organize all the endpoint telemetry.
- Machine learning and artificial intelligence (AI)—Once we have all this endpoint telemetry organized, we use machine learning and AI to make sense of it.
- Threat intelligence—Generated from the combination of the three previously mentioned pillars, the human interaction/feedback loop (the DART team) is used to make this data actionable and can help product groups course correct the machine learning and AI algorithms when needed.
Develop a comprehensive patching strategy
- Update both Microsoft and all third-party apps.
- Employ a software inventory solution like System Center Configuration Manager (SCCM).
- Reboot after patching.
- Avoid policy exceptions for business units to avoid patching where possible.
- Short term: Enforce vulnerable machine/application isolation.
- Long term: Adjust the acquisitions process to include a new vendor for the needed functionality.
Develop a comprehensive backup strategy
- Always have a backup policy in place.
- Test to ensure backups work.
- Check to see if successful backups are online. If so, ensure they are not vulnerable to online threats.
- Most modern attacks are identity based.
- Read the Pass-the-Hash white papers that explains the exposure of privileged credentials on lower trusted tier systems.
- Run through a Security Development Lifecycle (SDL) on internally developed apps to look for vulnerabilities and/or hard coded credentials.
- Look for privileged accounts that are being used as service accounts.
- At the very least, change them manually on a regular basis.
- If you upgrade to 2012R2 or higher, you can use managed service accounts (MSA) where supported.
As the DART team, we have engaged with the most well-run IT environments in the world. Yet, even these networks get penetrated from time to time. The challenge of cybersecurity is one we must face together. While we hope you never have to call on our DART team, we are a trusted partner ready to help. For me, as a new father, I will spend less time on the road because I have a great team that not only supports our customers, but also each other to ensure a healthy work-life balance while making the world a better place for all.
To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.