Microsoft Incident Response Retainer is generally available

The task of securing organizations is constantly changing and getting more complex. Many organizations don’t have the time, resources, or expertise to build an in-house incident response program. For customers that want help remediating an especially complex breach (or avoiding one altogether), Microsoft Incident Response offers an end-to-end portfolio of proactive and reactive incident response services. We operate in 190 countries and our incident responders are seasoned veterans with more than a combined 1,000 years of career experience resolving attacks from ransomware criminals to the most sophisticated nation-state threat actor groups.

Microsoft Security is expanding its incident response presence and we’re excited to announce the Microsoft Incident Response Retainer is now generally available.

Incident response retainers are increasingly valuable due to market dynamics

Customers face persistent attacks from a growing number of vectors that cost time and money and impact reputation. Companies that are unprepared to respond to an incident saw a global average breach cost USD4.3 million (USD9.44 million in the United States) in 2022. This compares to USD3.05 million (USD1.3 million or 30 percent less) for companies with incident response and AI automation.[1] Companies that put these proactive measures in place also detected breaches 74 days faster than those without support (249 days compared to 323 days). Compounding these challenges, only 41 percent of chief executive officers (CEOs) believe they are prepared for cybersecurity crises.[2] What this tells us is that customers need incident response help, and they need to engage this help proactively before a crisis happens—and Microsoft has taken note.

“My team lives and breathes incident response. I literally have to pull them away from work and make them take breaks—they love what they do, and it shows in the quality of their work,” said Dan Taylor, Head Coach of Microsoft Incident Response. “We are excited for the continued expansion of Microsoft Incident Response and the launch of our Incident Response Retainer, which improves the customer purchase experience and allows for deeper, more meaningful customer engagement.”

Overview of the Microsoft Incident Response Retainer service

The Incident Response Retainer provides pre-paid blocks of hours for highly specialized incident response and recovery services before, during, and after a cybersecurity crisis. It’s contracted on an annual basis and the retainer hours can be used in any combination of proactive and reactive services. If additional hours are needed, customers can easily uplift extra hours as requirements change.

This service provides our fastest response times and direct access to our global team of experts. It was designed to work with cyber insurance vendors and has flexible delivery options that meet the unique needs of each customer. The retainer includes:

  • Assigned Security Delivery Manager (SDM)—A named SDM will work with you throughout the year to proactively schedule services and help you get the full value of your retainer contract.
  • Assigned Incident Manager—A Microsoft incident response expert to guide your engagement during an active security attack.
  • Intelligence-driven investigation—Threat investigation, digital forensics, log analysis, malware analysis support, and attacker containment.
  • Compromise recovery—Assistance in recovery and remediation of critical infrastructure, removing attacker control from an environment, regaining administrative control, and tactically hardening high-impact controls to prevent future breaches.
  • Proactive services—Compromise Assessments and Crisis Readiness Exercises will test your team’s defenses, increase your security posture, and improve resilience.
  • Quarterly threat briefings—Threat intelligence briefings with tailored guidance on emerging trends and threats, analysis, and validation of Indicators of Compromise and alerts, and premium delivery of Nation State Notifications (Plan 2 only).

Who Microsoft Incident Response helps

We hope you never have to experience a breach. But if you do, you can rest assured that we will do everything we can to help your organization get back to business as usual. In alignment with Microsoft’s mission to empower every person and every organization on the planet to achieve more, we help every organization we can, including:

  • New or existing Microsoft customers.
  • Customers that don’t use Microsoft Security products (this is a vendor-agnostic service).
  • Enterprise, government, education, and non-profit customers on the Microsoft commercial cloud.

Ecosystem partnership

One of our core principles at Microsoft Security is security for all. Meeting the needs of all kinds of organizations means offering choice—not only in the types of services customers buy but in who they buy them from. At the end of the day, we know that a single provider can’t meet the unique needs of every organization. That’s why Microsoft is fully committed to working with an ecosystem of partners and technologies that provide customers the flexibility to choose what fits their needs. 

Microsoft has an extensive security services partner ecosystem for customers across the globe to choose from. Our incident response and Microsoft-verified MXDR solution partners have world-class capabilities and domain expertise, each offering a broad portfolio of specialized solutions across the Microsoft security product portfolio. If you are looking for partner services, please go to the Microsoft Intelligent Security Association member directory to find a solution to meet your needs.

In alignment with the expansion of our Incident Response portfolio, we are also announcing a new partnership with incident response provider, Kivu. Microsoft and Kivu will jointly work together to utilize existing relationships with cyber insurance providers in responding to customers’ cyber incidents. Kivu will regard Microsoft as the premier option for post-breach remediation services when Kivu clients need them, and Microsoft will regard Kivu as a trusted partner to handle ransomware negotiations for customers seeking that service.

“Cybercrime will never stop. We have to partner, pool talent, combine intelligence and work together with our public sector colleagues to protect organizations from cyber threats. Our alliance with Microsoft Security combines our strengths to have more impact on almost any imaginable cybersecurity issue,” said Shane Sims, CEO, Kivu Consulting, Inc. 

“Our mission is to secure the world so our customers can thrive. Security is a team sport, and incident response is one of the most important areas for industry leaders to come together in collaboration,” said Kelly Bissell, Corporate Vice President of Security Services, Microsoft. “We look forward to working with Kivu and other partners to help customers be safe and secure against all cyberattacks. Customers can be confident that their incident response needs will be addressed so their business can thrive.”

To learn more about Microsoft Incident Response and the Incident Response Retainer, please visit our website or read our blogs in the Microsoft Security Experts series.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

[1] Cost of a Data Breach Report 2022, IBM, 2022.

[2] C-Suite Outlook 2023, The Conference Board, 2023.

Bringing Shadow IoT Devices into the Light on Corporate Networks

As employees purchase and connect millions of new IoT devices every year, they are increasingly bringing them to work and connecting them to corporate networks. This innocent act opens corporate networks to potential attack from competitors, hackers, and other adversaries.

Companies need to be aware of these shadow IoT devices and ensure they are protected against them, both through smart cybersecurity strategies, as well as by promoting a “security by design” approach with companies that manufacture these devices.

To help you learn more about shadow IoT, the experts from Kudelski Group have used their knowledge to answer our questions.

  1. What is shadow IoT and how does it typically creep into an organization?

It is often quite easy for individuals to add internet-connected devices or networks of devices to corporate networks without IT’s knowledge or approval. These devices range from personal fitness trackers or digital assistants to small networks of smart home devices connected wirelessly to each other. Typically users are adding these devices for personal convenience or to help them do their job, without understanding that they are potentially adding risk to the enterprise environment. And today, the vast majority of these devices are not secure by design.

  2. How much of a threat is Shadow IoT to organizations?

As part of our IoT division we have advanced evaluation Labs in Switzerland that review hundreds of products per year, breaking them down to the silicon to analyze potential vulnerabilities in both hardware design and the firmware that controls the device. From this experience, we have found that all of them have identifiable security flaws which increase the risk of compromise – weak device passwords or passwords stored in the clear, no data encryption, or unpatched software vulnerabilities. Many of them even have built-in security measures in their components, but fail to implement them. Additionally, a long-term security strategy for these devices is often an afterthought. This is especially true for consumer-oriented IoT devices that are likely to be the bulk of shadow IoT devices on a network. Because these devices can often be easily compromised remotely and are already attached to corporate networks, they represent an easy attack vector to access more valuable corporate assets. Our IoT team regularly advises product manufacturers on a ‘security by design’ approach that not only helps define a secure product architecture but also helps them plan ahead for ongoing security lifecycle management for their devices and ecosystem.

  3. What threats take advantage of shadow IoT? Have there been any examples of shadow IoT causing security issues or other problems? If not, what problems could shadow IoT deployments create for organizations (i.e. unsecured infrastructure as well as unsecured data, extra costs, redundancies, etc.)?

Insecure IoT devices can provide a point of initial access to corporate networks. Often this is as simple as logging in to internet-facing management consoles on one of these devices using default credentials that have not been changed. From there attackers may be able to use the devices to conduct reconnaissance, move laterally or even launch certain attacks inside the organization.

For example, there is a North American casino where the facilities management people installed a connected fish aquarium without consulting their IT department. A creative hacker used a vulnerability (WiFi password stored in the clear) to penetrate the casino’s internal networks.

  4. Have any cyberattacks happened as a result of shadow IoT deployments?

Yes. There are well-publicized instances of large-scale attacks that exploited consumer-oriented IoT devices, namely the Mirai and RIFT botnets. Whether IoT devices are sanctioned or unsanctioned by IT, they represent a risk to organizations which should be identified, analyzed and mitigated.

  5. What steps can/should an organization take to prevent shadow IoT from becoming an issue? What can an organization do if it already is a problem?

Visibility is the first step for either prevention or remediation of a shadow IoT problem. Organizations must understand what devices are connected to their networks before they can effectively address the challenge. Our philosophy is to build in security and effective management from the start, but there are a number of IoT-focused tools on the market that enable visibility and provide some context for how much risk is posed by a particular IoT device. With this knowledge, organizations can develop and apply a policy-based approach to isolate or block unknown IT and IoT devices which attempt to connect to corporate networks. As an example, many organizations allow these devices to connect but only to a network segment specifically for untrusted devices that has no access to corporate resources.

Ultimately, this problem will only be fully solved when consumer electronics companies and other device manufacturers start to take both initial security architecture as well as long-term security lifecycle management strategies more seriously. Often in the rush to innovate and beat their competitors, security is deprioritized and shortcuts are taken, leaving gaps that pass the problem down the line to corporate IT organizations. The security by design approach taken from the beginning not only prevents this but helps protect everyone across the entire value chain: manufacturer, consumer, and company networks.

France bans TikTok, all social media apps from government devices

The French government has banned TikTok and all other “recreational apps” from phones issued to its employees. The Minister of Transformation and the Public Service Stanislas Guerini, said in a statement that recreational applications do not have sufficient levels of cybersecurity and data protection to be deployed on government equipment. This prohibition applies immediately and uniformly, although exemptions may be granted on an exceptional basis for professional needs such as the institutional communication of an administration, the statement read.

The move follows the banning of TikTok on government/senior official devices in the US, UK, and other countries on the grounds that user data from the app (owned by Beijing-based company ByteDance) could end up in the hands of the Chinese government, posing national security risks. France’s banning of all social media apps goes further than other countries, whose bans currently forbid TikTok specifically.

France joins international partners by banning TikTok on data security grounds

“For several weeks, several of our European and international partners have adopted measures restricting or prohibiting the downloading and installation of the TikTok application by their administrations,” Guerini said. After an analysis of the issues, in particular security, the government has decided to ban the downloading and installation of recreational applications on professional telephones provided to public officials. “These applications can therefore constitute a risk to the protection of the data of these administrations and their public officials,” Guerini claimed.

The Interministerial Digital Department (DINUM) will ensure the implementation of this instruction, in close collaboration with the National Agency for Information Systems Security (ANSSI).

TikTok bans continue across the globe, CEO says app poses no national security risk

In the last two weeks, TikTok has been banned from both UK government and parliament devices/networks, with US federal and state government TikTok bans having been in place for several weeks. Meanwhile, TikTok CEO Shou Zi Chew has disputed that the app is an “agent of China” and argued that TikTok poses no risk to national security in a US Congress hearing. Over multiple days, Chew was pressed by deputies on the House Committee on Energy and Commerce on various topics such as TikTok’s content moderation practices and the company’s spying on journalists.

Chew argued that TikTok parent company ByteDance prioritizes the safety of its young users, highlighting the firm’s intention to protect US user data by storing information on servers maintained and owned by server giant Oracle. Several committee members reportedly found some of Chew’s answers evasive.

Latitude Financial Admits Breach Impacted Millions

Latitude Financial has revealed that a cyber-attack announced earlier this month resulted in the theft of over 14 million customer records, including sensitive personal information.

The Melbourne-headquartered consumer lender said in a statement today that hackers took 7.9 million Australian and New Zealand driver’s licence numbers, 40% of which were submitted to the firm in the past 10 years.

An additional 6.1 million records dating back to 2005 were also stolen, of which 94% were provided before 2013. However, many of these will still be valid, as they contain personal details such as name, address, telephone number and date of birth.

Some 53,000 passport numbers were also stolen, as were the financial statements related to “less than 100 customers.”

Originally, Latitude Financial claimed the breach had resulted in the loss of only around 100,000 identification documents and 225,000 customer records.

Although it claimed no suspicious activity has been observed since March 16, the firm will likely face a significant fall-out from the incident.

Customers are likely to be bombarded with convincing phishing attacks using the stolen data to obtain financial details, while scammers could also buy the information online to attempt identity fraud.

Latitude Financial CEO, Ahmed Fahour, described today’s news as “hugely disappointing” and apologized to affected customers.

“We are committed to working closely with impacted customers and applicants to minimize the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred,” he added.

“We urge all our customers to be vigilant and on the look-out for suspicious behavior relating to their accounts. We will never contact customers requesting their passwords.”

Attackers reportedly managed to obtain Latitude employee credentials to access the documents, although it’s not clear exactly how.

Latitude Financial is Australia’s largest non-bank lender and provides buy now, pay later (BNPL) services to a string of popular domestic retailers.

Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store

Last week was aCropalypse week, where a bug in the Google Pixel image cropping app made headlines, and not just because it had a funky name.

(We formed the opinion that the name was a little bit OTT, but we admit that if we’d thought of it ourselves, we’d have wanted to use it for its word-play value alone, even though it turns out to be harder to say out loud than you might think.)

The bug was the kind of programming blunder that any coder could have made, but that many testers might have missed:

Image cropping tools are very handy when you’re on the road and you want to share an impulse photo, perhaps involving a cat, or an amusing screenshot, perhaps including a wacky posting on social media or a bizarre ad that popped up on a website.

But quickly-snapped pics or hastily-grabbed screenshots often end up including bits that you don’t want other people to see.

Sometimes, you want to crop an image because it simply looks better when you chop off any extraneous content, such as the graffiti-smeared bus stop on the left hand side.

Sometimes, however, you want to edit it out of decency, such as cutting out details that could hurt your own (or someone else’s) privacy by revealing your location or situation unnecessarily.

The same is true for screenshots, where the extraneous content might include the content of your next-door browser tab, or the private email directly below the amusing one, which you need to cut out in order to stay on the right side of privacy regulations.

Be aware before you share

Simply put, one of the primary reasons for cropping photos and screenshots before you send them out is to get rid of content that you don’t want to share.

So, like us, you probably assumed that if you chopped bits out of a photo or screenshot and hit [Save], then even if the app kept a record of your edits so you could revert them later and recover the exact original…

…those chopped-off bits would not be included in any copies of the edited file that you chose to post online, email to your chums, or send to a friend.

The Google Pixel Markup app, however, didn’t quite do that, leading to a bug denoted CVE-2023-20136.

When you saved a modified image over the old one, and then opened it back up to check your changes, the new image would appear in its cropped form, because the cropped data would be correctly written over the start of the previous version.

Anyone testing the app itself, or opening the image to verify it “looked right now” would see its new content, and nothing more.

But the data written at the start of the old file would be followed by a special internal marker to say, “You can stop now; ignore any data hereafter”, followed entirely incorrectly by all the data that used to appear thereafter in the old version of the file.

As long as the new file was smaller than the old one (and when you chop the edges off an image, you expect the new version to be smaller), at least some chunks of the old image would escape at the end of the new file.

Traditional, well-behaved image viewers, including the very tool you just used to crop the file, would ignore the extra data, but deliberately-coded data recovery or snooping apps might not.
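The overwrite-without-truncate defect described above, as an added illustration that is not code from Google’s or Microsoft’s apps: it builds a constructed PNG, saves a much smaller “cropped” PNG over it both the buggy way and the fixed way, then walks the chunk list the way a viewer does to show that the leftover data sits after the new IEND marker, invisible to a normal viewer but still in the file. The chunk builder, helper names and sample images are this example’s own.

```python
import os
import struct
import tempfile
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, payload, CRC(type+payload)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width: int, height: int, pixels: bytes) -> bytes:
    """Build a minimal 8-bit greyscale PNG from constructed pixel bytes."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + pixels[y * width:(y + 1) * width] for y in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(rows)) + png_chunk(b"IEND", b""))

def iend_end_offset(data: bytes) -> int:
    """Walk the chunk list as a viewer does and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")

def trailing_bytes(data: bytes) -> bytes:
    """Bytes after IEND: a well-behaved viewer ignores them, a snooping tool will not."""
    return data[iend_end_offset(data):]

def save_without_truncate(path: Path, new_bytes: bytes) -> None:
    """The buggy pattern: write the new image over the old file but never shorten it."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(new_bytes)

def save_with_truncate(path: Path, new_bytes: bytes) -> None:
    """The fix: cut the file at the new end (opening with 'wb' would do the same)."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(new_bytes)
        f.truncate()

def demo() -> dict:
    """Overwrite a large constructed image with a small one and measure what leaks."""
    original = make_png(64, 64, os.urandom(64 * 64))  # incompressible "before" image
    cropped = make_png(8, 8, os.urandom(8 * 8))       # much smaller "after" image
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, "shot.png")
        path.write_bytes(original)
        save_without_truncate(path, cropped)
        buggy = path.read_bytes()
        save_with_truncate(path, cropped)
        fixed = path.read_bytes()
    leak = trailing_bytes(buggy)
    return {
        "viewer_sees_only_new_image": iend_end_offset(buggy) == len(cropped),
        "leaked_bytes_after_buggy_save": len(leak),
        "old_iend_in_leak": b"IEND" in leak,
        "leaked_bytes_after_fixed_save": len(trailing_bytes(fixed)),
    }

if __name__ == "__main__":
    print(demo())
```

The same `trailing_bytes` check is a cheap way to scan a folder of already-shared screenshots for files that still carry data past their IEND chunk.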

Pixel problems repeated elsewhere

Google’s buggy Pixel phones were apparently patched in the March 2023 Android update, and although some Pixel devices received this month’s updates two weeks later than usual, all Pixels should now be up-to-date, or can be force-updated if you perform a manual update check.

But this class of bug, namely leaving data behind in an old file that you overwrite by mistake, instead of truncating its old content first, could in theory appear in almost any app with a [Save] feature, notably including other image-cropping and screenshot-trimming apps.

And it wasn’t long before both the Windows 11 Snipping Tool and the Windows 10 Snip & Sketch app were found to have the same flaw:

You could crop a file quickly and easily, but if you did a [Save] over the old file and not a [Save As] to a new file, where there would be no previous content to leave behind, a similar fate would await you.

The low-level causes of the bugs are different, not least because Google’s software is a Java-style app and uses Java libraries, while Microsoft’s apps are written in C++ and use Windows libraries, but the leaky side-effects are identical.

As our friend and colleague Chester Wisniewski quipped in last week’s podcast, “I suspect there may be a lot of talks in August in Las Vegas discussing this in other applications.” (August is the season of the Black Hat and DEF CON events.)

What to do?

The good news for Windows users is that Microsoft has now assigned the identifier CVE-2023-28303 to its own flavour of the aCropalypse bug, and has uploaded patched versions of the affected apps to the Microsoft Store.

In our own Windows 11 Enterprise Edition install, Windows Update showed nothing new or patched that we needed since last week, but manually updating the Snipping Tool app via the Microsoft Store updated us from 11.2302.4.0 to 11.2302.20.0.

We’re not sure what version number you’ll see if you open the buggy Windows 10 Snip & Sketch app, but after updating from the Microsoft Store, you should be looking for 10.2008.3001.0 or later.

Microsoft considers this a low-severity bug, on the grounds that “successful exploitation requires uncommon user interaction and several factors outside of an attacker’s control.”

We’re not sure we quite agree with that assessment, because the problem is not that an attacker might trick you into cropping an image in order to steal parts of it. (Surely they’d just talk you into sending them the whole file without the hassle of cropping it first?)

The problem is that you might follow exactly the workflow that Microsoft considers “uncommon” as a security precaution before sharing a photo or screenshot, only to find that you unintentionally leaked into a public space the very data you thought you had chopped out.

After all, the Microsoft Store’s own pitch for the Snipping Tool describes it as a quick way to “save, paste or share with other apps.”

In other words: Don’t delay, patch it today.

It only takes a moment.