
Security leaders shared advice gleaned from customer engagements, and reinforced the importance of planning and following fundamentals for defense.



A corporate logo for Microsoft hangs above the door to its office building on 8th Avenue on June 24, 2025, in New York City. (Photo by Gary Hershorn/Getty Images)

LAS VEGAS — Businesses that don’t treat security with the gravity it requires — evidenced by lackluster or nonexistent preparation, planning and rehearsal for a cyberattack — typically suffer longer and unnecessarily, Microsoft threat intelligence, hunting and response leaders said Thursday at Black Hat.

In the best-case scenarios in the wake of an attack, professionals across the impacted organization know their roles and responsibilities, said Aarti Borkar, corporate vice president of security customer success at Microsoft. “They know the moving parts. They know what their policies are. They know who to call in the middle of the night and wake them up, because incidents don’t happen on a Wednesday afternoon,” she said.

Microsoft’s incident response and recovery efforts are often measured in days, instead of months, when organizations have plans in place, and regularly assess and practice those procedures against challenges that might occur across the organization, Borkar said. 

Only 1 in 4 organizations has an incident response plan and has rehearsed it, said Andrew Rapp, senior director of security research at Microsoft.


When Microsoft’s incident response team engages with a customer that has rehearsed an incident response plan, held tabletop exercises and conducted proactive compromise assessments, the operation functions like a well-oiled machine, he said. “It’s sort of like sharing a central nervous system with a customer during that bad day.”

Attackers are moving faster than ever before, with shorter dwell times between intrusion and impact, which accentuates the need for incident responders and organizations to prepare, said Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.

“Attackers and threat actors think in graphs. They see the pathways that they can take to pivot around inside of a network, and all of us as defenders think in lists,” she said.

This creates an imbalance that defenders can overcome by embracing an attacker mindset, Microsoft’s security specialists said on stage. 
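What “thinking in graphs” means in practice, as an added illustration that is not part of the article or any Microsoft tooling: the environment below is constructed, the relationship types (MemberOf, AdminTo, HasSession) are modeled loosely on how attack-path tools describe Active Directory, and every account, group and host name is an assumption. The “list” view of a low-privilege user shows one harmless group membership; the graph view finds a chain of pivots from that user to the domain admin group, and the reverse walk shows every node from which the admin group can be reached.

```python
from collections import deque

# Constructed example environment (assumed names, not real data).
# Each tuple: (source, relationship, destination).
EDGES = [
    ("alice@corp",      "MemberOf",   "Helpdesk@corp"),
    ("Helpdesk@corp",   "AdminTo",    "WS01.corp"),
    ("bob@corp",        "HasSession", "WS01.corp"),   # bob's credentials are in memory on WS01
    ("bob@corp",        "MemberOf",   "ServerOps@corp"),
    ("ServerOps@corp",  "AdminTo",    "SQL01.corp"),
    ("svc_backup@corp", "HasSession", "SQL01.corp"),
    ("svc_backup@corp", "MemberOf",   "Domain Admins@corp"),
    ("carol@corp",      "AdminTo",    "WS02.corp"),   # dead end: nothing pivots onward from WS02
]


def build_graph(edges):
    """Turn relationships into attacker-traversable directed edges.

    MemberOf and AdminTo are followed as written. HasSession is reversed:
    admin rights on a host let an attacker harvest the credentials of users
    logged on there (host -> user), not the other way round.
    """
    graph = {}
    for src, rel, dst in edges:
        if rel == "HasSession":
            src, dst = dst, src
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def direct_rights(edges, principal):
    """The 'list' view: what a principal is directly granted, one hop only."""
    return {dst for src, _rel, dst in edges if src == principal}


def shortest_attack_path(graph, start, target):
    """Breadth-first search: the shortest chain of pivots from start to target, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def who_can_reach(graph, target):
    """Every node from which target is reachable, found by walking the reversed graph.
    For a defender this is the set of accounts and hosts whose compromise ends at target."""
    reverse = {}
    for src, dsts in graph.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    seen, stack = set(), [target]
    while stack:
        node = stack.pop()
        for src in reverse.get(node, ()):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    print("alice's direct rights:", direct_rights(EDGES, "alice@corp"))
    print("alice -> Domain Admins:", shortest_attack_path(GRAPH, "alice@corp", "Domain Admins@corp"))
    print("carol -> Domain Admins:", shortest_attack_path(GRAPH, "carol@corp", "Domain Admins@corp"))
    print("can reach Domain Admins:", sorted(who_can_reach(GRAPH, "Domain Admins@corp")))
```

The point of the reversed HasSession edge is the whole exercise: a per-object checklist says alice is in a helpdesk group and bob merely has a session on a workstation, and neither line item looks alarming on its own; the path only appears when the relationships are joined into a graph and traversed the way an attacker would.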

“Data is key,” Rapp said. “Having visibility across your network, ensuring that you’re logging everything, that you have properly configured all of the protections, and you’re using all of the features and capabilities that are in your products is table stakes.”


This advice carries weight regardless of attackers’ objectives. Although Simeon Kakpovi, senior threat intelligence analyst at Microsoft, spends much of his time studying advanced threat groups and their tradecraft, failures of basic security controls are what every threat actor tends to exploit first, he said.

“They’ll do social engineering. If you’re not patching servers, they’ll take advantage of that,” Kakpovi said. “They’ll do the basics before they spend their effort doing the more advanced things.”

Organizations should consider the weaknesses attackers can target, and study and apply insights from threat intelligence on their specific industry, he added. “Usually you have to worry about a certain set of threat actors more than others, so that can give you a head start thinking about what you should worry about first.”

DeGrippo underscored the significance of security fundamentals, such as keeping software up to date and configuring it properly. “If you do experience a breach, missing logs really contribute to a nightmare scenario for both intel and incident responders,” she said. 

“Every action leaves a trace, unless logging is turned off,” DeGrippo added. “Even though you’re suffering, maybe the pain isn’t as much as it could have been.”
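Two checks that follow from DeGrippo’s point about missing logs, as an added example that is not from the article or from Microsoft: the sample telemetry below is constructed, the host names are assumptions, and the event format (timestamp, host, event ID) is invented for the example. The first check finds hosts that go silent for longer than expected, which is how a log source that was switched off, disconnected or wiped shows up in practice. The second flags the well-known Windows Security event IDs that record audit-log tampering itself (1102 audit log cleared, 1100 event logging service shut down, 4719 audit policy changed), so that the gap and its likely cause are reported together.

```python
from datetime import datetime

# Constructed sample telemetry (not real logs), one event per line:
# "<ISO timestamp> <host> <event_id>". WS01 goes quiet after 03:10 and the
# next thing it reports is a 1102 (audit log cleared); SQL01 reports steadily.
SAMPLE_LOG = """\
2025-08-07T03:00:00Z WS01 4624
2025-08-07T03:05:00Z WS01 4688
2025-08-07T03:10:00Z WS01 4688
2025-08-07T04:20:00Z WS01 1102
2025-08-07T04:25:00Z WS01 4688
2025-08-07T03:00:00Z SQL01 4624
2025-08-07T03:05:00Z SQL01 4688
2025-08-07T03:10:00Z SQL01 4688
2025-08-07T03:15:00Z SQL01 4688
2025-08-07T03:20:00Z SQL01 4688
"""

# Windows Security event IDs that record interference with auditing itself.
TAMPER_EVENTS = {
    1102: "audit log cleared",
    1100: "event logging service shut down",
    4719: "system audit policy changed",
}


def parse_log(text):
    """Parse the constructed format into (timestamp, host, event_id) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, int(event_id)))
    return records


def find_silent_gaps(records, max_gap_seconds):
    """Per host, report every interval longer than max_gap_seconds with no events.

    Returns (host, gap_start, gap_end, gap_seconds) tuples. A source that is
    expected to be chatty and suddenly is not has either stopped logging or
    stopped forwarding; either way the responder has lost visibility there.
    """
    by_host = {}
    for ts, host, _event_id in records:
        by_host.setdefault(host, []).append(ts)
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            gap = int((later - earlier).total_seconds())
            if gap > max_gap_seconds:
                gaps.append((host, earlier, later, gap))
    return gaps


def find_tampering(records):
    """Return every event that indicates the audit trail itself was touched."""
    return [
        (ts, host, event_id, TAMPER_EVENTS[event_id])
        for ts, host, event_id in records
        if event_id in TAMPER_EVENTS
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, start, end, gap in find_silent_gaps(recs, max_gap_seconds=15 * 60):
        print(f"{host}: silent for {gap // 60} min ({start:%H:%M} -> {end:%H:%M})")
    for ts, host, event_id, meaning in find_tampering(recs):
        print(f"{host}: event {event_id} ({meaning}) at {ts:%H:%M}")
```

The threshold is a tuning decision: a domain controller or busy server logs every few seconds, while a laptop that sleeps overnight does not, so in production the expected cadence is learned per source rather than set globally. The tampering events are worth alerting on in their own right; a cleared log arriving right after a silence is the combination that turns a gap from an operational nuisance into an incident indicator.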


Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
