
What changes after compromise recovery?

After a successful compromise recovery effort, you are back in control. Likely, you gave your team a round of applause and breathed a sigh of relief.

Now what? Does everything go back to the way it was before? Absolutely not! A compromise recovery engagement is an accelerated way of making a large number of cybersecurity configuration changes and upgrades in a short amount of time. Just because the Domain Admins now have basic protection doesn’t mean that the full environment is secure yet.

After a compromise recovery engagement, Microsoft’s compromise recovery team follows up with what we call security strategic recovery. This is the plan for moving forward and bringing the environment’s security posture up to date. The plan consists of different components, such as Securing Privileged Access and extended detection and response (XDR), depending on the organizational needs, but it all points in the same direction: moving ahead with a Zero Trust strategy rather than traditional network-based security.

Privileged administration

After we have secured the most critical privileged servers (including Domain Controllers, also called “Tier 0” servers in on-premises environments) and privileged accounts (Domain Admins), the next step is to mitigate unauthorized privilege escalation in the Data/Workload and Management plane (also called “Tier 1” in on-premises environments).

An encryption attack that obtains local admin permissions on all member servers will still be devastating, so a proper delegation model must be implemented. Ransomware that holds such a Tier 1 administrator account can encrypt application and database servers just as it could with a Domain Admin account. Different tools, like PIM/PAM, and strategies can be used to strengthen the security of the Data/Workload administrators and services. Please refer to the enterprise access model for additional details.
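As an added illustration (not code from the original post, and not a Microsoft tool), the following Python check evaluates a constructed inventory of local Administrators memberships against the tier model described above: a Tier 0 identity must never be a local admin on a Tier 1 host, a lower-tier identity must not administer a higher-tier host, and no single Tier 1 identity should hold admin rights on most workload servers. The data model, the `CONTOSO` names and the 50% footprint threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample inventory (not from any real environment): the tier of each
# identity and host, and the members of each host's local Administrators group.
IDENTITY_TIER = {
    "CONTOSO\\Domain Admins": 0, "CONTOSO\\da-jsmith": 0,
    "CONTOSO\\srvadm-sql": 1, "CONTOSO\\srvadm-web": 1, "CONTOSO\\svc-backup": 1,
    "CONTOSO\\helpdesk": 2,
}
HOST_TIER = {"SQL01": 1, "SQL02": 1, "WEB01": 1, "WEB02": 1}
LOCAL_ADMINS = {
    "SQL01": ["CONTOSO\\Domain Admins", "CONTOSO\\srvadm-sql", "CONTOSO\\svc-backup"],
    "SQL02": ["CONTOSO\\srvadm-sql", "CONTOSO\\svc-backup"],
    "WEB01": ["CONTOSO\\da-jsmith", "CONTOSO\\srvadm-web", "CONTOSO\\svc-backup"],
    "WEB02": ["CONTOSO\\srvadm-web", "CONTOSO\\svc-backup",
              "CONTOSO\\legacy-admin", "CONTOSO\\helpdesk"],
}


def audit_tiering(local_admins, identity_tier, host_tier, max_share=0.5):
    """Return (severity, host_or_identity, message) findings for tier-model violations."""
    findings = []
    footprint = defaultdict(set)  # identity -> hosts where it is a local admin
    for host, members in local_admins.items():
        h_tier = host_tier.get(host)
        if h_tier is None:
            findings.append(("medium", host, "host has no tier assignment"))
            continue
        for ident in members:
            footprint[ident].add(host)
            i_tier = identity_tier.get(ident)
            if i_tier is None:
                findings.append(("medium", host, f"{ident} has no tier assignment"))
            elif i_tier < h_tier:
                # A Tier 0 credential used on a Tier 1 host: one compromised
                # workload server becomes a path to the whole domain.
                findings.append(("high", host, f"Tier {i_tier} identity {ident} is local admin on Tier {h_tier} host"))
            elif i_tier > h_tier:
                findings.append(("high", host, f"Tier {i_tier} identity {ident} administers Tier {h_tier} host"))
    # Blast radius: a single Tier 1 identity with admin rights on most workload
    # servers lets ransomware encrypt all of them from one stolen credential.
    tier1_hosts = {h for h, t in host_tier.items() if t == 1}
    for ident, hosts in footprint.items():
        if identity_tier.get(ident) == 1 and tier1_hosts:
            share = len(hosts & tier1_hosts) / len(tier1_hosts)
            if share > max_share:
                findings.append(("medium", ident, f"admin on {len(hosts & tier1_hosts)}/{len(tier1_hosts)} Tier 1 hosts; split into per-workload admin groups"))
    return findings
```

Running `audit_tiering(LOCAL_ADMINS, IDENTITY_TIER, HOST_TIER)` on the sample data flags the two Tier 0 identities on workload servers, the untiered `legacy-admin` and the Tier 2 `helpdesk` account on WEB02, and the `svc-backup` account that is a local admin on every Tier 1 host.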

Privileged Access Workstation

During a compromise recovery, we implement what we call a “Tactical” Privileged Access Workstation. While it serves its purpose of providing a secure workstation with a “clean keyboard” to operate in a compromised environment, it is not meant to be long-lasting, nor is it engineered for broader enterprise deployment.

Implementing a proper Privileged Access Workstation together with a broader Privileged Access environment for all administrative tasks is necessary to reduce attack vectors and risk of re-compromise.

The Privileged Access Workstation configuration must include security controls and policies that restrict local administrative access and productivity tools to minimize the attack surface to only what is absolutely required for performing sensitive job tasks. Please refer to Why are privileged access devices important for additional details.

From tactical monitoring to XDR

While performing compromise recovery, we implement “tactical monitoring” to supplement the customer’s investigation, leveraging a targeted implementation of the Microsoft Defender suite and Microsoft Sentinel on all critical systems.

This is key to obtaining visibility into the environment and responding quickly and efficiently to abnormal or suspicious activities before they turn into another security incident.

As part of a strategic security roadmap, we strongly recommend completing the implementation of XDR with Microsoft Defender Threat Protection and leveraging automated investigation and remediation capabilities to save security operations teams’ time and effort.

Additional help to our customers to defend and manage their environment is now available from Microsoft through Microsoft Security Experts.

Zero Trust journey

The Strategic Recovery recommendations listed previously, using least privileged access for privileged administration and XDR for improving defenses, are just initial steps in a broader Zero Trust journey (see Figure 1).

Figure 1. Guidance for technical architecture relating to Microsoft Zero Trust Principles.

Figure 1 outlines the Microsoft Zero Trust Principles. The first principle is to verify explicitly, which means to always validate all available data points, including user identity and location, device health, service or workload context, data classification, and anomalies. The second principle is to use least privileged access, meaning to help secure both data and productivity and limit user access using just-in-time access (JIT), just-enough-access (JEA), risk-based adaptive policies, and data protection against out-of-band vectors. Finally, the third principle is to assume breach, which means minimizing the blast radius of breaches and preventing lateral movement by segmenting access by network, user, device, and app awareness; encrypting all sessions end-to-end; and using analytics for threat detection and posture.

As observed during most of our compromise recovery engagements, the attackers usually came in through the abuse of user identity and then performed lateral movement and escalation to privileged access.

Most organizations have built security controls over the years based on network and perimeter protection and are still underestimating the “identity risk” in the current threat landscape.

With Strategic Recovery also comes the need for a mind shift from network and perimeter protection to identity-based protection, leveraging Zero Trust principles. Implementing a Zero Trust security strategy is a journey that needs both technology and training, but it is necessary moving forward.

Organizations may leverage the Microsoft Zero Trust Maturity Assessment Quiz to assess their current state of Zero Trust maturity and receive recommendations on the next steps. More details on how Microsoft can empower organizations in their Zero Trust journeys can be found in the Zero Trust Essentials eBook.

Who is CRSP?

The Microsoft Compromise Recovery Security Practice (CRSP) is a worldwide team of cybersecurity experts operating in most countries, across both public and private organizations, with deep expertise in securing an environment after a security breach and in helping you prevent a breach in the first place. The CRSP is a specialist team within the wider Microsoft Security Experts. Microsoft Security Experts help customers through the entire cyberattack, from investigation to successful containment and recovery activities. The response and recovery services are offered via two highly integrated teams: the Detection and Response Team (DART), with a focus on the investigation and groundwork for recovery, and the Compromise Recovery Security Practice (CRSP), which focuses on the containment and recovery aspects.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
