
Commit 9942241

Merge pull request #276907 from Sarit1046/docs-editor/ransomware-detect-respond-1717193890
Updated DART to reflect re-branding and revised for clarity/styles and standards, based on heat map metrics
2 parents 52d88b4 + a555aa9 commit 9942241

File tree

1 file changed, +12 -11 lines changed


articles/security/fundamentals/ransomware-detect-respond.md

Lines changed: 12 additions & 11 deletions
@@ -12,7 +12,7 @@ ms.date: 01/10/2022
1212

1313
# Detect and respond to ransomware attacks
1414

15-
There are several potential triggers that may indicate a ransomware incident. Unlike many other types of malware, most will be higher-confidence triggers (where little additional investigation or analysis should be required prior to the declaration of an incident) rather than lower-confidence triggers (where more investigation or analysis would likely be required before an incident should be declared).
15+
There are several potential triggers that might indicate a ransomware incident. Unlike many other types of malware, most will be higher-confidence triggers (where little additional investigation or analysis should be required prior to the declaration of an incident) rather than lower-confidence triggers (where more investigation or analysis would likely be required before an incident should be declared).
1616

1717
In general, such infections obvious from basic system behavior, the absence of key system or user files and the demand for ransom. In this case, the analyst should consider whether to immediately declare and escalate the incident, including taking any automated actions to mitigate the attack.
1818
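Review bot: the unchanged context line 17 in this hunk is missing its verb: "In general, such infections obvious from basic system behavior" should read "In general, such infections are obvious from basic system behavior, the absence of key system or user files, and the demand for ransom." Since this change already revises the paragraph for style (may to might on line 15), fixing the sentence here avoids a second docs pass on the same section.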

@@ -25,23 +25,24 @@ Ensure rapid detection and remediation of common attacks on VMs, SQL Servers, We
2525
- **Prioritize Common Entry Points** – Ransomware (and other) operators favor Endpoint/Email/Identity + Remote Desktop Protocol (RDP)
2626
- **Integrated XDR** - Use integrated Extended Detection and Response (XDR) tools like Microsoft [Defender for Cloud](https://azure.microsoft.com/services/azure-defender/) to provide high quality alerts and minimize friction and manual steps during response
2727
- **Brute Force** - Monitor for brute-force attempts like [password spray](/defender-for-identity/compromised-credentials-alerts)
28-
- **Monitor for Adversary Disabling Security** – as this is often part of Human Operated Ransomware (HumOR) attack chain
29-
- **Event Logs Clearing** – especially the Security Event log and PowerShell Operational logs
28+
- **Monitor for Adversary Disabling Security** – as this is often part of Human-Operated Ransomware (HumOR) attack chain
29+
30+
- **Event Logs Clearing** – especially the Security Event log and PowerShell Operational logs
3031
- **Disabling of security tools/controls** (associated with some groups)
3132
- **Don't Ignore Commodity Malware** - Ransomware attackers regularly purchase access to target organizations from dark markets
32-
- **Integrate outside experts** – into processes to supplement expertise, such as the [Microsoft Detection and Response Team (DART)](https://aka.ms/dart).
33-
- **Rapidly isolate** compromised computers using [Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-devices-from-the-network) in on-premises deployment.
33+
- **Integrate outside experts** – into processes to supplement expertise, such as the [Microsoft Incident Response team (formerly DART/CRSP)](https://aka.ms/dart).
34+
- **Rapidly isolate** compromised devices using [Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-devices-from-the-network) in on-premises deployment.
3435

3536
## Responding to ransomware attacks
3637

3738
### Incident declaration
3839

39-
Once a successful ransomware infection has been confirmed, the analyst should verify this represents a new incident or whether it may be related to an existing incident. Look for currently-open tickets that indicate similar incidents. If so, update the current incident ticket with new information in the ticketing system. If this is a new incident, an incident should be declared in the relevant ticketing system and escalated to the appropriate teams or providers to contain and mitigate the incident. Be mindful that managing ransomware incidents may require actions taken by multiple IT and security teams. Where possible, ensure that the ticket is clearly identified as a ransomware incident to guide workflow.
40+
Once a successful ransomware infection has been confirmed, the analyst should verify this represents a new incident or whether it might be related to an existing incident. Look for currently open tickets that indicate similar incidents. If so, update the current incident ticket with new information in the ticketing system. If this is a new incident, an incident should be declared in the relevant ticketing system and escalated to the appropriate teams or providers to contain and mitigate the incident. Be mindful that managing ransomware incidents might require actions taken by multiple IT and security teams. Where possible, ensure that the ticket is clearly identified as a ransomware incident to guide workflow.
4041

4142
### Containment/Mitigation
4243

43-
In general, various server/endpoint antimalware, email antimalware and network protection solutions should be configured to automatically contain and mitigate known ransomware. There may be cases, however, where the specific ransomware variant has been able to bypass such protections and successfully infect target systems.
44-
44+
In general, various server/endpoint antimalware, email antimalware and network protection solutions should be configured to automatically contain and mitigate known ransomware. There might be cases, however, where the specific ransomware variant has been able to bypass such protections and successfully infect target systems.
45+
4546
Microsoft provides extensive resources to help update your incident response processes on the [Top Azure Security Best Practices](/azure/cloud-adoption-framework/secure/security-top-10#4-process-update-incident-response-processes-for-cloud).
4647

4748
The following are recommended actions to contain or mitigate a declared incident involving ransomware where automated actions taken by antimalware systems have been unsuccessful:
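Review bot: the blank line added at new line 30, between the "Monitor for Adversary Disabling Security" item and "Event Logs Clearing", makes the bullet list loose while the remaining items stay tight, so the rendered list will have uneven spacing. If "Event Logs Clearing" and "Disabling of security tools/controls" are meant as examples under the disabling item, indent them as sub-bullets instead of separating them with a blank line; otherwise drop the blank line. While touching line 28, "often part of Human-Operated Ransomware (HumOR) attack chain" also needs the article: "often part of the Human-Operated Ransomware (HumOR) attack chain".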
@@ -60,17 +61,17 @@ The following are recommended actions to contain or mitigate a declared incident
6061

6162
The Microsoft Detection and Response Team will help protect you from attacks
6263

63-
Understanding and fixing the fundamental security issues that led to the compromise in the first place should be a priority for ransomware victims.
64+
Understanding and fixing the fundamental security issues that led to the compromise in the first place should be a priority for ransomware targets.
6465

65-
Integrate outside experts into processes to supplement expertise, such as the [Microsoft Detection and Response Team (DART)](https://aka.ms/dart). The DART engages with customers around the world, helping to protect and harden against attacks before they occur, as well as investigating and remediating when an attack has occurred.
66+
Integrate outside experts into processes to supplement expertise, such as [Microsoft Incident Response](https://aka.ms/dart). Microsoft Incident Response engages with customers around the world, helping to protect and harden against attacks before they occur, as well as investigating and remediating when an attack has occurred.
6667

6768
Customers can engage our security experts directly from within the Microsoft Defender Portal for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns.
6869

6970
Microsoft is ready to assist your company in returning to safe operations.
7071

7172
Microsoft performs hundreds of compromise recoveries and has a tried-and-true methodology. Not only will it get you to a more secure position, it affords you the opportunity to consider your long-term strategy rather than reacting to the situation.
7273

73-
Microsoft provides Rapid Ransomware Recovery services. Under this, assistance is provided in all areas such as restoration of identity services, remediation and hardening and with monitoring deployment to help victims of ransomware attacks to return to normal business in the shortest possible timeframe.
74+
Microsoft provides Rapid Ransomware Recovery services. Under this, assistance is provided in all areas such as restoration of identity services, remediation and hardening and with monitoring deployment to help targets of ransomware attacks to return to normal business in the shortest possible timeframe.
7475

7576
Our Rapid Ransomware Recovery services are treated as "Confidential" for the duration of the engagement. Rapid Ransomware Recovery engagements are exclusively delivered by the Compromise Recovery Security Practice (CRSP) team, part of the Azure Cloud & AI Domain. For more information, you can contact CRSP at [Request contact about Azure security](https://azure.microsoft.com/overview/meet-with-an-azure-specialist/).
7677
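Review bot: context line 62, "The Microsoft Detection and Response Team will help protect you from attacks", is left unchanged and still carries the old DART name that this hunk replaces with Microsoft Incident Response on line 66; update it to "Microsoft Incident Response will help protect you from attacks" so the heading matches the rebranded body. Line 76 has the reverse problem: it still states that Rapid Ransomware Recovery engagements are "exclusively delivered by the Compromise Recovery Security Practice (CRSP) team", while the second hunk's link text describes CRSP as a former name, so the two should be reconciled. Finally, replacing "victims" with "targets" on lines 64 and 74 shifts the meaning: a target of ransomware has not necessarily been compromised, and line 74 is about organizations that need to "return to normal business", so "affected organizations" would be more accurate than "targets".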
