Incident Response: Managing Security at Microsoft (Published: April 2004)

Solution Overview

Situation: Security threats to computer networks often come from attackers who take advantage of security flaws, such as well-known configuration errors and published product vulnerabilities. Just like any enterprise, Microsoft is the target of computer attacks.

Solution: Microsoft IT developed a consistent process for responding to incidents and recovering from disasters that do occur. The primary objectives of this process are to establish a clear command and control center, to rapidly mitigate exposure, to maximize cooperation, and to efficiently coordinate response activities.

Benefits: Microsoft IT’s detailed, well-rehearsed and flexible incident response plan ensures that any exploit that occurs can be handled in an orderly, effective manner that minimizes the impact to systems.

Microsoft IT Security Methodology
● People
  ● Dedicated staff
  ● Training
  ● Security: a mindset and a priority
  ● Employee education
● Process
  ● Planning for security
  ● Prevention
  ● Detection
  ● Reaction
● Technology
  ● Baseline technology
  ● Standards, encryption, protection
  ● Product security features
  ● Security tools and products

Risk Assessment (chart: Risk and Asset Value, each scaled from Low to High)
● Property: tangible/replaceable
● Information: clients/corporate network
● People: employees

Preventing Incidents ● Scanning ● Auditing ● Detecting Intrusions ● Establishing Defense In Depth ● Securing Clients for Remote Users

Incident Response Team Structure
● Incident Lead
● Core Incident Response Team (all incidents)
  ● Security, Services & Architecture Lead
  ● Investigations Lead
  ● Communications Lead
  ● Other Group Leads (as needed)
● Extended Technical Response Team (engaged as needed), for example:
  ● Network Operations
  ● IT Helpdesk
  ● Virus Alert Command Team (VACT)

Virus Attack Command Team
● VACT Lead
● Information Security
● Messaging
● Server Operations
● Network Operations
● Desktop Services
● IT Helpdesk

Incident Response Team Chairs
● Incident Command Chair
  ● Manage central logistics
  ● Coordinate response strategies
  ● Ensure staffing of the Operations Center
  ● Maintain a comprehensive record of events
● Communications Chair
  ● Draft and submit all proposed communication
  ● Coordinate with Corporate Public Relations
  ● Monitor media for press related to the incident
● Investigations Chair
  ● Pursue investigative leads
  ● Perform a forensics examination of computer and information systems
  ● Coordinate with law enforcement officials

Incident Response Plan
● Trigger Phase
  ● Security scan/audit
  ● Information on incident received
  ● Decision to begin Incident Response Plan
  ● Evaluate situation
  ● Establish first course of action
● Response Team Assembled (Operations, External Web Site, Internal Web Site, User Support)
● Response Phase (ongoing evaluation and response revisions)
  ● Isolate and contain
  ● Analyze and respond
  ● Alert others as required
  ● Begin remediation
  ● De-escalation: return to normal operations
  ● Post-incident review
  ● Revise/improve response process
● Quick guide to determining the significance of an incident
  ● Severity of the event
  ● Overall business impact
  ● Criticality of vulnerable/attacked assets
  ● Public availability of information
  ● Scope of exposure
  ● Public relations impacts
  ● Extent of use of groups outside of security

Trigger Phase And Team Assembly
● Trigger Phase
  ● Evaluate the situation
  ● Establish the first course of action
● Team Assembly

Response Phase ● Isolate and Contain ● Analyze and Respond ● Alert Others As Required ● Begin Remediation

De-escalation And Post-Incident Review
● De-escalation
  ● Return to normal business operations
  ● No reporting of new information by the parties involved
● Post-incident Review
  ● Debrief of the key organizations
  ● Discussion of the successes and shortcomings of the incident response

Defending Against Malware: Trojan Horse And Worm ● The Trojan horse does something more than the user expects ● The backdoor Trojan horse compromises computer security while appearing to do something useful ● Worm viruses copy from one disk drive to another and use a variety of means to replicate themselves

Defending Against Malware: Virus
● Ways to significantly reduce downtime caused by an attack
  ● Educate users about the importance of complying with security policies
  ● Follow general guidelines for protection against viruses
● In the event of a major attack, the incident response plan takes effect, tailored to a virus attack

Defending Against DDoS Attacks ● In the event of a DDoS attack against the Microsoft network or other domain properties, the incident response plan takes effect ● The response is tailored to the DDoS type of attack ● When symptoms such as high CPU usage indicate a DDoS attack, remember that there may be other causes of the symptoms, such as new content on a Web server or newly released products
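The slide above makes the point that a symptom like high CPU does not by itself prove a DDoS. The triage helper below is an added example (not Microsoft IT's tooling) that separates "no surge", "flood from a few sources", "broad flood of failing requests" and "broad surge of successful requests, probably organic" using a constructed three-field log format and assumed thresholds.

```python
from collections import Counter

EXPLANATION = {  # assumed analyst guidance for each verdict
    "no_surge": "request rate is normal: look for other causes of high CPU",
    "few_source_flood": "surge concentrated on a handful of sources: treat as DoS, invoke IR plan",
    "broad_flood": "surge from many sources with mostly failing requests: possible DDoS, invoke IR plan",
    "likely_organic": "broad surge of successful requests: probably new content or a release; verify first",
}

def parse_line(line):
    """Constructed log format used by the samples below: '<client_ip> <status> <path>'."""
    client, status, path = line.split()
    return client, int(status), path

def assess_surge(lines, baseline_rps, window_seconds,
                 surge_multiple=5.0, few_source_share=0.5, error_share_limit=0.3):
    """Classify one log window. Thresholds are assumed starting points, not measured values."""
    per_client, errors, total = Counter(), 0, 0
    for line in lines:
        client, status, _ = parse_line(line)
        per_client[client] += 1
        total += 1
        if status >= 400:
            errors += 1
    rate_multiple = (total / window_seconds) / baseline_rps
    top10 = sum(n for _, n in per_client.most_common(10))   # requests from the 10 busiest sources
    top10_share = top10 / total if total else 0.0
    error_share = errors / total if total else 0.0
    if rate_multiple < surge_multiple:
        verdict = "no_surge"
    elif top10_share >= few_source_share:
        verdict = "few_source_flood"
    elif error_share >= error_share_limit:
        verdict = "broad_flood"
    else:
        verdict = "likely_organic"
    metrics = {"rate_multiple": round(rate_multiple, 2), "distinct_clients": len(per_client),
               "top10_share": round(top10_share, 3), "error_share": round(error_share, 3)}
    return verdict, metrics

# Constructed 60-second windows against an assumed baseline of 2 requests/second.
NORMAL = [f"10.1.0.{i % 40} 200 /home" for i in range(100)]
ORGANIC = [f"10.0.{i // 256}.{i % 256} 200 /new-whitepaper" for i in range(900)]  # 900 distinct clients
FEW_SOURCE = [f"203.0.113.{i % 4} 200 /" for i in range(900)]                    # 4 sources only
BROAD_FLOOD = [f"198.51.100.{i % 50} 404 /x{i}" for i in range(900)]             # 50 sources, all 404s

if __name__ == "__main__":
    for name, window in [("normal", NORMAL), ("organic", ORGANIC),
                         ("few_source", FEW_SOURCE), ("broad_flood", BROAD_FLOOD)]:
        verdict, metrics = assess_surge(window, baseline_rps=2.0, window_seconds=60)
        print(f"{name:12s} -> {verdict}: {EXPLANATION[verdict]} {metrics}")
```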

Defending Against Internet-Facing Server Attacks ● Systems in the perimeter network are usually the first to be attacked ● In the event of an Internet-facing server attack against the Microsoft network or other domain properties, the incident response plan takes effect ● The response is tailored to an attack on an Internet-facing server

Defending Against Unauthorized Network Intrusions ● An attacker may target the infrastructure itself: routers, Exchange-based servers, domain controllers, and the Active Directory directory service ● In the event of a network intrusion at Microsoft, the incident response plan takes effect, tailored to a network intrusion attack ● Attackers sometimes use a “smoke screen”: a noisy attack that diverts attention from a stealthier network intrusion

Closing Vulnerabilities In Products ● Product vulnerabilities become apparent only when the software is run on a particular computer, under a particular operating system, or in a specific configuration ● If a major vulnerability is discovered in a Microsoft product, the response is tailored to the situation; therefore, the specific steps involved are somewhat different from the steps required to handle an attack

Lessons Learned ● Poor password management ● Weak account management processes ● Unsecured and unmanaged remote computers ● Poorly configured and unpatched systems ● Weak auditing and monitoring processes ● Inadequately restricted access to critical information

First Layer Of Defense: Secure The Network Perimeter ● Use secure wireless access ● Use a perimeter messaging firewall on the network ● Use an effective network intrusion detection system ● Secure remote user connections ● Deny viruses at the perimeter

Second Layer of Defense: Secure The Network Interior ● Control programs available to users ● Eliminate weak passwords ● Eliminate shared domain service accounts ● Use secure domain controllers ● Enforce application of antivirus software and software patches ● Use secure, robust operating systems for clients and servers

Conclusion ● Prevention is less costly than reacting to incidents ● Enterprises should develop a system of security audits, system scans, and remediation steps and educate users about protecting their systems ● Impact to systems is reduced by having a detailed, well-rehearsed, and flexible incident response plan

For More Information ● Additional content on Microsoft IT deployments and best practices can be found on ● Microsoft TechNet ● Microsoft Case Study Resources ● IT Showcase

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.