{"id":8714,"date":"2023-12-05T01:00:23","date_gmt":"2023-12-05T09:00:23","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=8714"},"modified":"2023-12-06T10:34:04","modified_gmt":"2023-12-06T18:34:04","slug":"why-microsoft-uses-a-playbook-to-guard-against-ransomware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/why-microsoft-uses-a-playbook-to-guard-against-ransomware\/","title":{"rendered":"Why Microsoft uses a playbook to guard against ransomware"},"content":{"rendered":"

When Microsoft\u2019s Digital Security and Resilience (DSR) division set out to defend the company against human-operated ransomware, it faced several formidable challenges. In this form of ransomware, highly organized and sophisticated cybercriminal groups put major businesses, healthcare organizations, universities, and governments in their crosshairs for their visibility and potential payout. Human-operated ransomware\u2019s targeted strategy requires a holistic and comprehensive response, which at Microsoft takes the form of the Ransomware Elimination Program (REP), our centralized and collaborative cross-company effort.<\/p>\n

Attackers are more focused and targeted, they\u2019re on a mission. It\u2019s not a phishing email that spreads out to a bunch of random addresses and hopes someone clicks. That only nets you random targets. Human-operated ransomware aims for an enterprise and tries for big returns.<\/p>\n

\u2014Henry Duncan, senior security program manager, Digital Security and Resilience<\/p>\n<\/blockquote>\n

As we discussed in our previous ransomware post<\/a>, REP was purpose-built atop the philosophy of Zero Trust<\/a> to give Microsoft a way to centralize defense, recovery, and resilience against ever-changing cyberthreats. Core to the program is the ransomware playbook, our internal guide that ensures teams across the company take the right actions to respond, recover, and remediate in the event of an attack. Adherence to the playbook limits the opportunity for attacks and minimizes the potential reward that criminals seek.<\/p>\n

\u201cAttackers are more focused and targeted, they\u2019re on a mission,\u201d says Henry Duncan, a senior security program manager on REP, part of DSR, the team responsible for protecting our enterprise so that we can deliver and operate secure products and services for our customers. \u201cIt\u2019s not a phishing email that spreads out to a bunch of random addresses and hopes someone clicks. That only nets you random targets. Human-operated ransomware aims for an enterprise and tries for big returns.\u201d<\/p>\n

The longer threat actors remain active in an environment and can move around, the greater the risk to the target. Each passing moment is an opportunity to gain more access to data through compromised accounts, or to tamper with security and backup systems, which means a higher likelihood of data being compromised and a larger ransom demand. Time is of the essence.<\/p>\n

[Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware.<\/a> | Read blog three in our ransomware series: Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State.<\/a> | <\/em>Learn more about human-operated ransomware.<\/em><\/a> | <\/em>Discover how Microsoft\u2019s Zero Trust effort keeps the company secure.<\/em><\/a>]<\/em><\/p>\n

Writing the<\/strong> book on ransomware<\/strong><\/h2>\n

When conceptualizing what it wanted the playbook to achieve, the REP team knew it needed to facilitate excellence in operational response readiness, to have the flexibility and scope to address cyberattacks of any scale, and to align response processes across the company.<\/p>\n

\u201cWe needed the playbook to articulate and visualize what everyone\u2019s role in a process is,\u201d Duncan says. \u201cIt\u2019s not just a security thing; we have to get other teams involved, like legal, finance, and enterprise business continuity.\u201d<\/p>\n

Engaging with stakeholders from those organizations allowed the REP team to better understand the different methods used across the company to triage, contain, and escalate events. Such conversations and interviews were a vital learning opportunity, and when combined with industry and internal best practices, illuminated gaps and weaknesses and generated ideas to bridge them. Collaborative cross-team dialogue shaped the framework the team used to develop key processes, including what is used to recover critical services.<\/p>\n

With this information synthesized, the REP team began structuring the ransomware playbook around addressing these four key questions:<\/p>\n