Aug 11 2025
Security

Black Hat 2025: Microsoft Experts Talk Threat Intelligence and Incident Response

Attack and defense technologies are advancing, but many best practices come down to understanding cybercriminals and maintaining a strong foundation of basic cyber hygiene.

When a cyberattack occurs, Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, imagines threat hunters and incident responders answering the call to action on a red rotary phone and swooping in to save the day — maybe even rappelling from helicopters like heroes in an action movie.

To DeGrippo’s disappointment, panelists at Black Hat USA admitted Thursday that it’s nothing like that. The threat intelligence experts are “the nerds in the back,” said Simeon Kakpovi, senior threat intelligence analyst at Microsoft. “We get to put together a cheat sheet that we can hand over [to the incident response team], instead of them wasting time looking broadly.”

“I like to tell customers that it’s like playing a video game with the cheat codes turned on,” Andrew Rapp, senior director of security research at Microsoft, said of the incident response team’s approach. “We’re provided with a treasure map of what to look for first, and that’s speeding up the time to respond and contain and identify who the threat actor is. For us, it’s really all about business continuity.”

DeGrippo led a conversation with Kakpovi, Rapp and Aarti Borkar, corporate vice president of security customer success at Microsoft, that explored incident response, threat intelligence and what to focus on as part of a modern cybersecurity strategy.


Don’t Just Make an Incident Response Plan

One of the first things Borkar asks organizations is whether they have their incident response (IR) plan printed out. Just asking that question makes people realize they should probably go back and take another look at their plan, she said.

There are two broad areas for organizations to focus on when it comes to reinforcing incident response:

Roles and Responsibilities

IT teams and other stakeholders need to understand what they’re going to do in various incident scenarios. Team members should know their roles, and they should know who to call in the event of an incident.

Practice

Rehearsing the plan is also key, Borkar emphasized. “Irrespective of how much they practice, the incident is never perfect or exactly what they practiced, but then you’re only worried about the 20% to 30% that deviates from your plan,” she said.

When this is all in place, recovery may take days. Without it, recovery can take months. “That’s months of business continuity issues, months of the company not innovating,” Borkar said.


Despite this, statistics paint a picture of organizations’ preparedness that shocked Thursday’s panelists. “There was a recent customer survey, and a jarring statistic came out of that: 26% of organizations have an incident response plan and have rehearsed it,” Rapp shared. “Not rehearsing it is like having a gym membership and never going to the gym.”

Giving the All Clear After a Cyber Incident

A common mistake that companies make when responding to a threat is assuming they’re safe once they have stopped the incident that’s underway.

“It’s very important to assume, once you’re in the heat of battle and trying to mitigate it, that the threat actor might have left some persistence mechanism behind,” Kakpovi said. “Don’t assume that, just because you’ve locked a couple of accounts or mitigated the accounts they got into initially, it means you’ve completely kicked them out of the environment entirely.” He explained that threat intelligence teams get to see the bigger picture and can warn organizations about techniques they’ve seen threat actors use in the past.

“How do you know the threat actor is gone? Just assume they’re there,” Borkar said.

IT teams should approach every incident like they’re playing the long game, presenters said. This is where working with experts can prove especially valuable. “Our approach to containment and recovery is all around business continuity,” Rapp said. “We’re able to keep the business online while then trying to evict the threat actor.”
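As an added illustration of the eviction check Kakpovi and Borkar describe (this is not code from the panel or from Microsoft), the following Python scans a constructed audit log for persistence artifacts that compromised accounts created before they were disabled and that are still in place afterward: forwarding rules, app consents, new user accounts, new MFA devices. The log format, event names, account names and identifiers are all assumptions made for the example.

```python
"""Added example: after locking compromised accounts, list the persistence
artifacts those accounts left behind that have not been removed.
Log format, event names and identifiers are assumptions for illustration."""
from datetime import datetime, timezone

# Creation event -> matching removal event. Each of these leaves a foothold
# that keeps working even after the account that created it is disabled.
# (Assumed names, loosely modelled on directory / mailbox audit events.)
PERSISTENCE_ACTIONS = {
    "MailboxForwardingRuleCreated": "MailboxForwardingRuleDeleted",
    "OAuthAppConsentGranted": "OAuthAppConsentRevoked",
    "UserAdded": "UserDeleted",
    "MfaDeviceRegistered": "MfaDeviceRemoved",
}
REMOVAL_ACTIONS = set(PERSISTENCE_ACTIONS.values())

# Constructed sample audit log: timestamp|actor|action|target, one event per line.
SAMPLE_LOG = """\
2025-08-07T09:02:11Z|alice|MailboxForwardingRuleCreated|rule:fwd-to-external-01
2025-08-07T09:05:40Z|alice|OAuthAppConsentGranted|app:mail-sync-helper
2025-08-07T09:07:03Z|alice|UserAdded|user:svc-backup2
2025-08-07T09:09:55Z|bob|MfaDeviceRegistered|mfa:new-phone-77
2025-08-07T09:30:00Z|alice|MailboxForwardingRuleDeleted|rule:fwd-to-external-01
2025-08-07T10:00:00Z|admin|AccountDisabled|user:alice
2025-08-07T10:00:05Z|admin|AccountDisabled|user:bob
2025-08-07T10:45:12Z|svc-backup2|SignIn|src:198.51.100.7
"""


def parse_log(text):
    """Parse the pipe-separated log into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = line.split("|", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "actor": actor,
            "action": action,
            "target": target,
        })
    return events


def lockout_times(events):
    """Map each disabled account name to the time it was disabled."""
    return {
        e["target"].split(":", 1)[1]: e["ts"]
        for e in events
        if e["action"] == "AccountDisabled"
    }


def surviving_persistence(events):
    """Return (artifact, creator, note) for every persistence artifact that a
    since-disabled account created and that has no later removal event.
    Attacker-created user accounts are additionally checked for activity
    after the creating account was locked, since they act on their own."""
    locked = lockout_times(events)
    live = {}  # artifact target -> the event that created it
    for e in events:
        if e["actor"] in locked and e["action"] in PERSISTENCE_ACTIONS:
            live[e["target"]] = e
        elif e["action"] in REMOVAL_ACTIONS:
            live.pop(e["target"], None)  # artifact was cleaned up

    findings = []
    for target, e in live.items():
        note = f"still present after {e['actor']} was disabled"
        if target.startswith("user:"):
            name = target.split(":", 1)[1]
            later = [x for x in events
                     if x["actor"] == name and x["ts"] > locked[e["actor"]]]
            if later:
                note += f"; {len(later)} action(s) by it after lockout"
        findings.append((target, e["actor"], note))
    return findings


if __name__ == "__main__":
    for target, creator, note in surviving_persistence(parse_log(SAMPLE_LOG)):
        print(f"{target:<24} created by {creator:<8} {note}")
```

On the constructed log, locking alice and bob removes nothing that they set up beforehand: the app consent, the new service account (which signs in after the lockout) and the extra MFA device are all reported, while the forwarding rule that was already deleted is not. A real hunt would map this logic onto the environment's actual audit schema and extend the creation/removal table to scheduled tasks, service principals, SSH keys and similar footholds.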

The Cyberthreat Landscape Today

While attackers may linger at the tail end of an attack, dwell time, conversely, is getting shorter. Dwell time, as DeGrippo defined it, is the amount of time between a cybercriminal gaining access to a network and deploying the ransomware encryption: the period when they are inside the network, looking around and making choices.


“We used to measure this in terms of months, years. Now, it’s 72 minutes,” Rapp said.

The primary reason dwell time has shrunk is that cybercriminals now have access to new technologies that increase not only the persistence but also the volume of attacks, Borkar explained. Because of that, “our usual cat-and-mouse game is hard. If that’s the only pattern of operation, it’s an extremely hard pattern to sustain,” she added.

The best way to protect networks in today’s threat environment is to think like a hacker.

“Data is key,” Rapp said. He recommended that businesses have visibility and logging across their environments and that they properly configure all their security technologies. “Then you can start getting into the realm of high-speed security — AI, leveraging threat intelligence — and that will inform your decision-making as incidents arise,” he said.

“At the end of the day, if you don’t do the basics, that’s what threat actors tend to take advantage of,” Kakpovi said. “Do the routine hygiene checks: ‘What could threat actors take advantage of before they have to drop a zero day in my environment?’ Because usually you don’t have to worry about that.”
