{"id":7879,"date":"2025-08-08T11:06:51","date_gmt":"2025-08-08T16:06:51","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85502"},"modified":"2025-08-08T11:06:51","modified_gmt":"2025-08-08T16:06:51","slug":"microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/08\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident\/","title":{"rendered":"Microsoft: An organization without a response plan will be hit harder by a security incident"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Microsoft: An organization without a response plan will be hit harder by a security incident | CyberScoop<\/title> <meta name=\"description\" content=\"Security leaders shared advice gleaned from customer engagements, and reinforced the importance of planning and following fundamentals for defense.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/microsoft-threat-intel-response-tips\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Microsoft: An organization without a response plan will be hit harder by a security incident\"> <meta property=\"og:description\" content=\"Security leaders shared advice gleaned from customer engagements, and reinforced the importance of planning and following fundamentals for defense.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/microsoft-threat-intel-response-tips\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta 
property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-08-08T16:06:51+00:00\"> <meta property=\"article:modified_time\" content=\"2025-08-08T16:06:53+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"652\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1754500264g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1753141563g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link 
rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85502\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85502\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-threat-intel-response-tips%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-threat-intel-response-tips%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85502 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/microsoft-threat-intel-response-tips\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span 
class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.965\">\n<div class=\"single-article__header-content\" readability=\"35.052631578947\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/microsoft-threat-intel-response-tips\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Security leaders shared advice gleaned from customer engagements, and reinforced the importance of planning and following fundamentals for defense. 
<\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85502\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"408\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident.jpg?resize=640%2C408&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident-2.jpg?resize=300,191 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident-2.jpg?resize=768,489 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident-2.jpg?resize=600,382 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident-2.jpg?resize=264,168 264w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident-2.jpg?resize=529,337 529w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><figcaption> A corporate logo for Microsoft hangs above the door to its office building on 8th Avenue on June 24, 2025, in New York City. (Photo by Gary Hershorn\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"48.197688418011\"><body readability=\"98\"><\/p>\n<p><strong>LAS VEGAS \u2014<\/strong> Businesses that don\u2019t treat security with the gravity it requires \u2014 exhibited by lackluster or nonexistent preparation, planning and exercise in the event of a cyberattack \u2014 typically suffer longer and unnecessarily, Microsoft threat intelligence, hunting and response leaders said Thursday at Black Hat.&nbsp;<\/p>\n<p>In the best-case scenarios in the wake of an attack, professionals across the impacted organization know their roles and responsibilities, said Aarti Borkar, corporate vice president of security customer success at Microsoft. \u201cThey know the moving parts. They know what their policies are. 
They know who to call in the middle of the night and wake them up, because incidents don\u2019t happen on a Wednesday afternoon,\u201d she said.<\/p>\n<p>Microsoft\u2019s incident response and recovery efforts are often measured in days, instead of months, when organizations have plans in place, and regularly assess and practice those procedures against challenges that might occur across the organization, Borkar said.&nbsp;<\/p>\n<p>Only 1 in 4 organizations have an incident response plan and have rehearsed it, said Andrew Rapp, senior director of security research at Microsoft.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>When Microsoft\u2019s incident response team engages with a customer that has rehearsed an incident response plan, held table-top exercises and conducted proactive compromise assessment, the operation functions like a well-oiled machine, he said. \u201cIt\u2019s sort of like sharing a central nervous system with a customer during that bad day.\u201d<\/p>\n<p>Attackers are moving faster than ever before \u2014 achieving shortened dwell times \u2014 and this accentuates the need for incident responders and organizations to prepare, said Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.&nbsp;<\/p>\n<p>\u201cAttackers and threat actors think in graphs. They see the pathways that they can take to pivot around inside of a network, and all of us as defenders think in lists,\u201d she said.<\/p>\n<p>This creates an imbalance that defenders can overcome by embracing an attacker mindset, Microsoft\u2019s security specialists said on stage.&nbsp;<\/p>\n<p>\u201cData is key,\u201d Rapp said. 
\u201cHaving visibility across your network, ensuring that you\u2019re logging everything, that you have properly configured all of the protections, and you\u2019re using all of the features and capabilities that are in your products is table stakes.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This advice carries weight regardless of attackers\u2019 objectives. While Simeon Kakpovi, senior threat intelligence analyst at Microsoft, spends a lot of time studying advanced threat groups and their tradecraft, basic security control failings are what every threat actor tends to take advantage of, he said.<\/p>\n<p>\u201cThey\u2019ll do social engineering. If you\u2019re not patching servers, they\u2019ll take advantage of that,\u201d Kakpovi said. \u201cThey\u2019ll do the basics before they spend their effort doing the more advanced things.\u201d<\/p>\n<p>Organizations should consider the weaknesses attackers can target, and study and apply insights from threat intelligence on their specific industry, he added. \u201cUsually you have to worry about a certain set of threat actors more than others, so that can give you a head start thinking about what you should worry about first.\u201d<\/p>\n<p>DeGrippo underscored the significance of security fundamentals, such as keeping software up to date and configuring it properly. \u201cIf you do experience a breach, missing logs really contribute to a nightmare scenario for both intel and incident responders,\u201d she said.&nbsp;<\/p>\n<p>\u201cEvery action leaves a trace, unless logging is turned off,\u201d DeGrippo added. 
\u201cEven though you\u2019re suffering, maybe the pain isn\u2019t as much as it could have been.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.8390928725702\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/microsoft-an-organization-without-a-response-plan-will-be-hit-harder-by-a-security-incident-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/microsoft-threat-intel-response-tips\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft: An organization without a response plan will be hit<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[730,282,78,1156,625,256,1173,49,288],"tags":[734,286,86,1168,630,262,1177,57,294],"class_list":["post-7879","post","type-post","status-publish","format-standard","hentry","category-black-hat","category-cybercrime","category-cybersecurity","category-incident-response","category-microsoft","category-research","category-threat-hunting","category-threat-intelligence","category-threats","tag-black-hat","tag-cybercrime","tag-cybersecurity","tag-incident-response","tag-microsoft","tag-research","tag-threat-hunting","tag-threat-intelligence","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/black-hat\/\" rel=\"category tag\">Black Hat<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/incident-response\/\" rel=\"category tag\">incident response<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-hunting\/\" rel=\"category tag\">Threat hunting<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-intelligence\/\" rel=\"category tag\">Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7879"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7879\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}