{"id":58137,"date":"2025-02-10T17:00:00","date_gmt":"2025-02-10T17:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/build-a-stronger-security-strategy-with-proactive-and-reactive-incident-response-cyberattack-series\/"},"modified":"2025-02-10T17:00:00","modified_gmt":"2025-02-10T17:00:00","slug":"build-a-stronger-security-strategy-with-proactive-and-reactive-incident-response-cyberattack-series","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/build-a-stronger-security-strategy-with-proactive-and-reactive-incident-response-cyberattack-series\/","title":{"rendered":"Build a stronger security strategy with proactive and reactive incident response: Cyberattack Series"},"content":{"rendered":"

There are countless statistics about cybercrime and one of the most impactful is that for threat actors. Their profits continue to increase year over year and are on track to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028.1<\/sup> If the financial drain caused by threat actors were pooled it would be ranked as the third largest gross domestic product (GDP) by country, trailing behind the number two spot, which is China at $18.27 trillion.2<\/sup><\/p>\n

That statistic alone tells us a great deal about the importance of preparedness for a potential cyberattack, which includes a robust incident response plan. To create such a plan, it is critical to understand potential risks, and one of the best ways to do that is to conduct a proactive threat hunt and compromise assessment.<\/p>\n

Microsoft Incident Response<\/a> is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. In addition to reactive response, they also conduct proactive compromise assessments to find threat actor activity. They\u2019ll provide recommendations and best practice guidance to strengthen an organization\u2019s security posture. <\/p>\n

\n
\n
\n
\"Security <\/div>\n
\n
\n

Microsoft Incident Response<\/h2>\n
\n

Your first call before, during, and after a cybersecurity incident.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n

Microsoft Incident Response compromise assessments utilizes the same methodology and resources as those used in an investigation but without the time pressure and crisis-driven decision making associated with a live cyberattack. Compromise assessments are often used by those who have had a prior incident and want to measure their security posture after the implementation of new security measures. Some customers use the service as an annual assessment prior to locking down change controls. Others may use it to assess the environment of an acquisition prior to joining infrastructures.<\/p>\n

What happens when a compromise assessment turns into a reactive incident response engagement? Let\u2019s dive into a recent situation<\/a> where our team encountered this very scenario.<\/p>\n

Why differentiate between proactive and reactive investigations?<\/h2>\n

It is important to understand the key differences between proactive and reactive investigations, as each has different goals and measures for success. Microsoft Incident Response\u2019s proactive compromise assessments are focused on detection and prevention, which includes identifying potential indicators of compromise (IOCs), bringing attention to potential vulnerabilities, and helping customers mitigate risks by implementing security hardening measures.<\/p>\n

Our reactive investigations are centered on incident management during and immediately after a compromise, including incident analysis, threat hunting, tactical containment, and Tier 0 recovery<\/a><\/ins>, all while under the pressure of an active cyberattack.<\/p>\n

Proactive and reactive incident response are essential capabilities for providing a more robust defense strategy. They enable an organization to address an active cyberattack during a period when time and knowing the next steps are critical. At the same time, it provides experts with the experience needed to help prevent future incidents. Not all organizations have the resources required to maintain an incident response team capable of proactive and reactive approaches and may want to consider using a third-party service.<\/p>\n

The importance of Microsoft\u2019s \u201cdouble duty\u201d incident response experts<\/h2>\n

When confronted by an active threat actor, two things are at the forefront of success and can\u2019t be lost\u2014time and knowledge.<\/p>\n

While conducting a proactive compromise assessment for a nonprofit organization in mid-2024, Microsoft Incident Response began their forensic investigation. Initially identifying small artifacts of interest, the assessment quickly changed as suspicious events began to unfold. At the time the threat actor was not known, but has since been tracked as Storm-2077<\/a><\/ins>, a Chinese state actor that has been active since at least January 2024. Storm-2077\u2019s techniques focus on email data theft, using valid credentials harvested from compromised systems. Storm-2077 was lurking in the shadows of the organization\u2019s environment. When they felt they had been detected, these threat actors put their fingers on keyboards and started making moves.<\/p>\n

Precious time to remediate was not lost. Microsoft Incident Response immediately switched from proactive to reactive mode. The threat actor created a global administrator account and began disabling legitimate organizational global administrator accounts to gain full control of the environment. The targeted organization\u2019s IT team was already synchronized with Microsoft Incident Response through the active compromise assessment that was taking place. The targeted customer took note of the event and came to Microsoft for deconfliction. Once the activity was determined to be malicious, the organization\u2019s IT team disabled the access, and the proactive incident response investigation converted to being reactive. The threat actor was contained and access was remediated quickly because of this collaboration.<\/p>\n

The threat actor had likely been present in the organization\u2019s environment for a few months or more. They had taken advantage of a stolen session token to conduct a token replay attack, and through this had gained access to multiple accounts.<\/p>\n

Proactive assessments that don\u2019t utilize reactive investigation teams for delivery may result in a delay in responding or even generate more challenges for the incoming investigation team.<\/p>\n

Thankfully, Microsoft Incident Response conducts proactive compromise assessments with the same resources that deliver reactive investigations. They can take immediate action to halt active cyberthreats before they do more harm.<\/p>\n

Read the report<\/a><\/strong> to go deeper into the details of the cyberattack, including Storm-2077 tactics, the response activity, and lessons that other organizations can learn from this case.<\/p>\n

What is the Cyberattack Series?<\/h2>\n

With our Cyberattack Series, customers will discover how Microsoft Incident Response investigates unique and notable attacks. For each cyberattack story, we will share:<\/p>\n