Jesper Kråkhede, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics
Feed last updated: Mon, 19 Jun 2023 17:34:34 +0000

Implementing a Zero Trust strategy after compromise recovery
http://approjects.co.za/?big=en-us/security/blog/2022/09/14/implementing-a-zero-trust-strategy-after-compromise-recovery/
Wed, 14 Sep 2022 16:00:00 +0000

A compromise recovery is followed by what we call a Security Strategic Recovery. This is the plan for moving forward to bring the security posture of the whole environment up to date. The plan consists of different components, such as securing privileged access and extended detection and response, but it all points in the same direction: moving ahead with a Zero Trust strategy over traditional network-based security.

What changes after compromise recovery?

After a successful compromise recovery effort, you are back in control. Likely, you gave your team a round of applause and took a sigh of relief.

Now what? Is everything going back to the way it was? Absolutely not! A compromise recovery engagement is an accelerated way of carrying out a large amount of cybersecurity configuration and upgrade work in a short time. Just because the Domain Admins have basic protection does not mean that the full environment is secure yet.

After a compromise recovery engagement, Microsoft’s compromise recovery team follows up with what we call security strategic recovery. This is the plan for moving forward to bring the environment’s security posture up to date. The plan consists of different components, such as Securing Privileged Access and extended detection and response (XDR), depending on the organizational needs, but it all points in the same direction: moving ahead with a Zero Trust strategy over traditional network-based security.

Privileged administration

After we have secured the most critical privileged servers (including Domain Controllers, also called “Tier 0” servers in an on-premises environment) and privileged accounts (Domain Admins), the next step is to mitigate unauthorized privilege escalation in the Data/Workload and Management plane (also called “Tier 1” in an on-premises environment).

An encryption attack that obtains an account with local admin permissions on all member servers will still be devastating: ransomware can use such an account to encrypt application and database servers just as it would with a Domain Admin account, so a proper delegation model must be implemented. Tools such as Privileged Identity Management (PIM) and Privileged Access Management (PAM), together with the right strategies, can be used to strengthen the security of Data/Workload administrators and services. Please refer to the enterprise access model for additional details.

Privileged Access Workstation

During a compromise recovery, we implement what we call a “Tactical” Privileged Access Workstation. While it serves its purpose of providing a secure workstation with a “clean keyboard” to operate in a compromised environment, it is not meant to be long-lasting or engineered for broader enterprise deployment.

Implementing a proper Privileged Access Workstation together with a broader Privileged Access environment for all administrative tasks is necessary to reduce attack vectors and the risk of re-compromise.

The Privileged Access Workstation configuration must include security controls and policies that restrict local administrative access and productivity tools to minimize the attack surface to only what is absolutely required for performing sensitive job tasks. Please refer to Why are privileged access devices important for additional details.

From tactical monitoring to XDR

While performing compromise recovery, we implement “tactical monitoring” to supplement the customer’s investigation, leveraging a targeted implementation of the Microsoft Defender suite and Microsoft Sentinel on all critical systems.

This is key to obtaining visibility into the environment and responding quickly and efficiently to abnormal or suspicious activity before it turns into another security incident.

As part of a strategic security roadmap, we strongly recommend completing the implementation of XDR with Microsoft Defender Threat Protection and leveraging automated investigation and remediation capabilities to save security operations teams’ time and effort.

Additional help for our customers to defend and manage their environment is now available from Microsoft through Microsoft Security Experts.

Zero Trust journey

The Strategic Recovery recommendations listed previously, using least privileged access for privileged administration and XDR for improving defenses, are just initial steps in a broader Zero Trust journey (see Figure 1).

Figure 1. Guidance for technical architecture relating to the Microsoft Zero Trust principles.

Figure 1 outlines the Microsoft Zero Trust principles. The first principle is to verify explicitly, which means always validating all available data points, including user identity and location, device health, service or workload context, data classification, and anomalies. The second principle is to use least privileged access, meaning to help secure both data and productivity and limit user access using just-in-time access (JIT), just-enough-access (JEA), risk-based adaptive policies, and data protection against out-of-band vectors. Finally, the third principle is to assume breach: minimize the blast radius of breaches and prevent lateral movement by segmenting access by network, user, device, and app awareness; encrypting all sessions end-to-end; and using analytics for threat detection and posture.

As observed during most of our compromise recovery engagements, attackers usually come in through the abuse of a user identity and then perform lateral movement and escalation to privileged access.

Most organizations have built security controls over the years based on network and perimeter protection and are still underestimating the “identity risk” in the current threat landscape.

With Strategic Recovery also comes the need for a mindset shift from network and perimeter protection to identity-based protection, leveraging Zero Trust principles. Implementing a Zero Trust security strategy is a journey that needs both technology and training, but it is necessary moving forward.

Organizations may use the Microsoft Zero Trust Maturity Assessment Quiz to assess their current state of Zero Trust maturity and receive recommendations on next steps. More details on how Microsoft can empower organizations in their Zero Trust journeys can be found in the Zero Trust Essentials eBook.

Who is CRSP?

The Microsoft Compromise Recovery Security Practice (CRSP) is a worldwide team of cybersecurity experts operating in most countries, across both public and private organizations, with deep expertise in securing an environment after a security breach and in helping you prevent a breach in the first place. The CRSP is a specialist team within the wider Microsoft Security Experts. Microsoft Security Experts help customers through the entire cyberattack, from investigation to successful containment and recovery-related activities. The response and recovery services are offered via two highly integrated teams: the Detection and Response Team (DART), with a focus on the investigation and groundwork for recovery, and the Compromise Recovery Security Practice (CRSP), which focuses on the containment and recovery aspects.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Microsoft security experts outline next steps after compromise recovery
http://approjects.co.za/?big=en-us/security/blog/2022/05/10/microsoft-security-experts-outline-next-steps-after-compromise-recovery/
Tue, 10 May 2022 16:00:00 +0000

A compromise recovery, in general, means that we are implementing several years of work in cybersecurity in only six weeks. It is intense, and it changes how administrators work and how systems break. The main goals are to take back control, keep that control, and add this mindset to the customer.

Who is CRSP?

The Microsoft Compromise Recovery Security Practice (CRSP) is a worldwide team of cybersecurity experts operating in most countries, across both public and private organizations, with deep expertise in securing an environment after a security breach and in helping you prevent a breach in the first place. As a specialist team within the wider Microsoft cybersecurity functions, we predominantly focus on reactive security projects for our customers. The main types of projects we undertake are:

  • Compromise recovery: Giving customers back control of their environment after a compromise.
  • Rapid ransomware recovery: Restore business-critical applications and limit ransomware impact.
  • Advanced threat hunting: Proactively hunt for the presence of advanced threat actors within an environment.

How to update your security processes

Friday afternoon. It is always a Friday afternoon. The phone rings and yet another organization has suffered a total breakdown of IT, with everything from data loss to ransomware. The CRSP team is contracted, and off we go to start working. Sometimes we work magic, sometimes we are lucky, and sometimes it is just very hard work, but in the end we get to a stable and secured environment. But what happens with the organization afterward?

A compromise recovery, in general, means that we push through, in normally six weeks, a number of security changes that should have been implemented over the last several years. It is intense, and it changes how administrators work and how systems break. The main goals are to take back control, keep that control, and add this mindset to the customer.

We have seen many cases of careless operational procedures kept in place just because they are easy, they work around a dependency on a legacy app, or they are cheap, but all of them inevitably open the systems up to exploitation by an attacker. In a rather recent case, the lowest bidder won the management of an IT environment and gave all their support engineers Domain Admin access, which they used for signing in everywhere. So when an employee accidentally clicked on an email attachment, the attacker got instant Domain Admin access and the takeover was quickly executed. A few hours after the click, the environment was encrypted.

Even though we make many technical changes, the important ones are the new processes and procedures for administering the environment. The tier model, privileged access workstations, and similar tools are part of the delivery, but so are strict procedures on how new machines are deployed, how administrator accounts are to be used, and how it all should be monitored.

Monitoring is a big game-changer for many customers. Yes, they might have a security information and event management (SIEM) system today, and they might have a security operations center (SOC) that collects information from the environment, but, alas, without the proper procedures, configuration, and speed, they are struggling to keep up with an active attacker. When we deploy our tools, we also push monitoring on top of them, and we start to train our customers on how to properly use monitoring, AI, and machine learning, as well as what to look for and how they can start to automate the responses.
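One way to turn the tier rule from the Privileged administration section of the earlier post (Tier 0 credentials such as Domain Admins are used only on Tier 0 systems and privileged access workstations) into the kind of identity monitoring described here: the Python below, an added example that is not Microsoft's or CRSP's code, walks logon records shaped like the Account Name, Computer and Logon Type fields of Windows Security event 4624 and flags every Tier 0 account seen on a lower-tier host. The accounts, hosts and tier assignments are constructed for the example; the "everyone else is Tier 1" host classification is a simplifying assumption.

```python
"""Flag tier-boundary violations in Windows logon events: a Tier 0 credential
(e.g. Domain Admins) used on a host below Tier 0. Added example on constructed
data; not Microsoft's tooling."""
from dataclasses import dataclass

# Logon types that leave reusable credential material on the target host:
# 2 interactive, 4 batch, 5 service, 10 RDP, 11 cached interactive.
# A network logon (type 3) does not cache credentials on the target.
CREDENTIAL_EXPOSING_LOGON_TYPES = frozenset({2, 4, 5, 10, 11})


@dataclass(frozen=True)
class Tiering:
    tier0_accounts: frozenset  # accounts that must only touch Tier 0 hosts
    tier0_hosts: frozenset     # domain controllers and other Tier 0 systems
    paws: frozenset            # privileged access workstations, treated as Tier 0


def host_tier(tiering: Tiering, host: str) -> int:
    """Tier 0 for DCs and PAWs; every other host is treated as Tier 1 here
    (assumption for this example: no separate Tier 2 inventory)."""
    return 0 if host in tiering.tier0_hosts or host in tiering.paws else 1


def find_tier_violations(events, tiering: Tiering):
    """Return (account, host, logon_type, severity) for each logon of a Tier 0
    account to a host below Tier 0: 'high' if the logon type caches credentials
    on that host (the credential-theft path that ends in ransomware), else 'low'."""
    violations = []
    for ev in events:
        if ev["account"] not in tiering.tier0_accounts or host_tier(tiering, ev["host"]) == 0:
            continue
        severity = "high" if ev["logon_type"] in CREDENTIAL_EXPOSING_LOGON_TYPES else "low"
        violations.append((ev["account"], ev["host"], ev["logon_type"], severity))
    return violations


# Constructed sample in the shape of Security event 4624 fields
# (Account Name, Computer, Logon Type), one dict per event.
SAMPLE_TIERING = Tiering(
    tier0_accounts=frozenset({"CORP\\da-jane", "CORP\\da-support1"}),
    tier0_hosts=frozenset({"DC01", "DC02"}),
    paws=frozenset({"PAW-07"}),
)
SAMPLE_EVENTS = [
    {"account": "CORP\\da-jane", "host": "DC01", "logon_type": 10},         # RDP to a DC: allowed
    {"account": "CORP\\da-jane", "host": "PAW-07", "logon_type": 2},        # console on a PAW: allowed
    {"account": "CORP\\da-support1", "host": "APPSRV12", "logon_type": 10}, # DA used on a member server
    {"account": "CORP\\da-support1", "host": "SQL03", "logon_type": 3},     # network logon, no cache
    {"account": "CORP\\t1-ops", "host": "APPSRV12", "logon_type": 2},       # Tier 1 admin on Tier 1: allowed
]
```

In a real deployment the two lists would come from the SIEM and from a maintained inventory of Tier 0 systems and PAWs, and a "high" hit is the support-engineer pattern from the case above, worth an alert rather than a report line.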

When we close off the project, our customers have not only gained an upgraded administrative environment, but also a set of new processes to follow that might feel challenging in the beginning. It is seldom, however, that the staff who have to follow those processes complain. Part of the delivery is education on what the attackers did to take over the environment, and with this training comes the insight that everything that is merely cumbersome and challenging for an administrator with the right tools is close to impossible for a hacker; things like privileged access workstations, multifactor authentication, and monitoring identities all have their place.

Following Microsoft Security processes that have been tested over and over, we achieve a successful recovery together with our customers and help them embark on a new journey towards a more secure environment.

Learn more

Other blogs from the CRSP:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
