Microsoft CRSP shares the ways human behavior affects compromise recovery

The Microsoft Compromise Recovery Security Practice (CRSP) is a worldwide team of cybersecurity experts operating in most countries, across all types of organizations (public and private), with deep expertise in securing an environment after a security breach and in helping you prevent a breach in the first place. As a specialist team within the wider Microsoft cybersecurity functions, we predominantly focus on reactive security projects for our customers. The main types of projects we undertake are:

  • Compromise recovery: Giving customers back control of their environment after a compromise.
  • Rapid ransomware recovery: Restore business-critical applications and limit ransomware impact.
  • Advanced threat hunting: Proactively hunt for the presence of advanced threat actors within an environment.

Many articles around compromise recovery rightly focus on the technical aspects of what steps to take in the event of control being lost in an environment. However, these are but one aspect of regaining control. As the CRSP, we would like to share the importance of assessing and supporting the human aspect of recovery, based on our experiences in recovering organizations that are often in very precarious, demanding, and stressful situations.

User behaviors during compromise

We constantly have the opportunity to see how cyberattacks affect people, and we notice a whole range of emotions—from fear to panic, anxiety, rejection, lack of responsibility, sometimes even denial of relevant facts—that inevitably lead to a failed recovery process.

It is also entirely common that users don’t even realize that a compromise has occurred and that it is currently being remediated. Often, users expecting standard IT service can put a strain on even the most hardworking IT team.

We tend to deal with these behaviors by:

  • Appreciating that everyone has a job to do, and prioritizing (where we can) the ability for people to do their jobs and therefore do what the organization is there to do.
  • Asking for a small cadre of customer staff to work on the remediation while their colleagues keep the business running.
  • Asking other people in the organization who can help (for instance, helpdesks or IT champions) to take on temporary extra responsibilities, which can reduce the load on the rest of the teams.

Guiding and educating stakeholders

Unfortunately, many of our customers still believe that cyberattacks happen to someone else. Some customers don’t understand the importance of their own ICT (Information & Communication Technology) resources, or the possibility of misuse of infrastructure for illegal purposes by third parties, and therefore don’t pay attention to security aspects.

Given the complexities within any environment and the amount of spend on preventative information and communications technologies (ICTs), there is sometimes denial that a situation is as bad as it is. Gently guiding and educating stakeholders is important, and providing clear yet sensible planning steps helps stakeholders understand the risks and mitigations.

We notice these emotions not only with our clients themselves but also within subcontracted specialized companies that have taken over the responsibility of administering and managing the respective infrastructure. A cybersecurity incident is an emotional situation for all those involved, and where possible we work with all stakeholders.

The mission of the compromise recovery team is to establish a friendly and collaborative environment to jointly prioritize all necessary activities to mitigate the consequences of hacker attacks. Together we mitigate risks—not only financial but also operational and reputational. This mission is usually sufficient to bring together all stakeholders to a consolidated plan of what needs doing.

Team cooperation and communication

We cannot generalize about everyone and everything. We are all just people with different thoughts, levels of responsibility, reactions, and emotions. It is natural to sometimes feel lost and bewildered when experiencing a cyberattack.

We always try to approach the problem logically and understand the facts without ever blaming anyone, but we appreciate that when faced with these challenges, stress levels are often very high.

Adding to this stress, it is often a customer’s own team that has hands-on work to do to clean an environment. This is often a substantial amount of work to complete in a relatively short timeframe.

No one is perfect, and no one can deal with high stress and high emotions for prolonged periods of time. We work hard to share work among people who can do it, not overload individuals, find the time to celebrate successes (even if small), and, most importantly, have downtime planned for everyone.


Of course, the ultimate goals are to expel the attacker, regain control of the systems, and secure the environment after the breach. To achieve this, the cooperation of everyone involved in the process is needed—not only technical resources, but also the strong support of leadership teams, both by the client and by CRSP.

Even though we work hard to not blame people for cyberattacks, it can sometimes be difficult for those responsible for maintaining the affected systems to work with us in a collaborative process. We understand that people are sometimes afraid for their career prospects in such cases. They tend to blame others, they don’t want to take responsibility, they constantly reject well-meaning suggestions and recommendations, and we have to deal with such situations appropriately. Therefore, we pay special attention to:

  • Active listening.
  • Understanding the circumstances.
  • Understanding the facts.
  • Understanding the time sequences.
  • Empathy for and understanding of cultural differences.
  • Respect for each person involved in the process.
  • Transparent and open communication.
  • Clear and unambiguous counseling and definition of recovery tasks.
  • Taking responsibility for appropriate actions.
  • Availability of all relevant members of the compromise recovery team so that we can answer any doubts and questions as soon as possible.

The potential to create greater damage through uncontrolled and unstructured actions by inexperienced people can be high, usually due to stress, panic, and the need to be seen doing something. It’s comparable to an emergency scenario like a fire: people sometimes feel paralyzed and unable to determine what they should do next to ensure their own safety.

Understand the human aspect of compromise

If you are among those who are compromised, or there is a suspicion of compromise, call the experts who have the experience and knowledge to assist you. Leave emotions aside, don’t place blame, and approach the problem in a reasonable, logical, and structured way. Never act without first analyzing the impact on your environment, critical business systems, and communication systems. If you are not 100 percent sure that your actions are the correct ones, hire experts.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
