MS Exchange Attack - Who's Got Your Back?

Chris Sachse
Chris Sachse on Mar 12, 2021 5:40:56 PM

cyberbreach_solarwinds

The Microsoft Exchange Server hack is pervasive, and the critical vulnerabilities has the potential to be exceptionally impactful on organizations ranging from small to global enterprise. While many companies assume their Microsoft Exchange Servers were properly updated, thousands of servers remain unpatched and at risk.

We have broken down the threat, potential scenarios to consider, as well as short-term and long-term solutions, so that you can make sure your organization is protected and know the steps you can take to avoid these types of attacks in the future.

Case Scenarios - What Happened and How is your Organization at Risk?

Unpatched on-premise Microsoft Exchange Servers have exposed companies to critical vulnerabilities, which allow unauthorized attacks targeting corporate emails:

  1. The patch was never applied to the server because the organization didn’t have robust patching processes in place.
  2. The patch was downloaded and installed but never applied because a reboot didn’t take place.
  3. The patch was applied to one, but not all the Exchange servers in the environment.
  4. The patch was incorrectly applied or not applied because the maintenance on the server was so out of date.
  5. The attackers got in before the patch was applied, they set up camp, and the organization didn’t know they were there.
What Should You Do Short-Term to Address Our Vulnerability?

In the short-term, there are several steps you can take to access your vulnerability and begin putting appropriate protections in place:

  1. Ask your IT team or partner if the patch was applied, when it was completed and if they can prove that it was done so correctly by providing a patching report or screenshot.
  2. Ask your team to review your SIEM (or other security systems) for any abnormal behavior that could signify an attacker got in.
  3. Make sure you have a strong, modern EDR platform, which can successfully stop most attacks before they can gain foothold in your network.
  4. Leverage threat intelligence published by Microsoft including the Indicators of Compromise (IOC) scripts which provides detailed information related to what the footprints of the attackers could look like and the publicly-available scripts to run if you determine you are under attack
What Can I Learn From This to Build a Long-Term Strategy?

A long-term strategy is critical to ensuring your organization and customers are protected:

  1. Patching and maintenance is the single best way to prevent most security threats. Build a robust patching process that ensures all devices in your network (including vendor equipment) is kept current. Make sure this process includes reporting and vulnerability scanning to check and audit the process.
    1. Side note: Internal IT teams, especially lean ones, often struggle with this process because they must balance projects and issues. Those items usually take priority over patching. OR they rely on an automated system with no checks and balances, and assume patching is working. This is a great, economical item to outsource, as partners who provide these services already have the process and tools to make this work efficiently and effectively.
  2. Make sure you have 24x7 SIEM and other security monitoring in place, with eyes on glass, not just a system. Cyber threats are rising daily. The only way to identify, prevent or mitigate is to watch behavior constantly. Attacks are often smarter than the system, which is why you need a person watching the system, hunting threats and investigating abnormal behavior. This is a requirement to protect you and your customer.
  3. Leveraging cloud platforms is a great way to mitigate attacks, reducing the footprint of servers or services that you are supporting.
  4. Build an incident response plan that addresses how your organization handles these zero-day events. Define how you are working with your internal team, partners, and vendors, and communicating, every time a security alert is released. And practice. Often the greatest impact of a breach is not the technology response, but the impact it has on your business, customer and reputation. Practice these circumstances through tabletop exercises and make sure your team includes all those necessary.

Cybersecurity breaches are not going away. Your organization needs to be prepared with constantly evolving mitigation, protection and incident response plans.  A strong security vendor provides a co-management approach, leveraging the knowledge and context of an internal team with the vendor partner’s expertise. It takes a collective effort, having a team who is experienced with responding to security events, maintaining systems, and designing secure networks.

 


 

TS - Transform Protect logo(mini)WE TRANSFORM & PROTECT

We Transform & Protect by putting People Before Technology. We are a Managed Service Provider focused on cybersecurity and cloud solutions that support digital transformations.  We believe that the technology your business relies on should be used to drive  transformation and lead to a seamless user experience.  In uncertain times it’s important to partner with people and companies you can trust.   Think|Stack was built to handle the unpredictable, to help those who weren’t. 

If you’re unsure what to do next or if you have questions about your technology, our team is here to help, contact us anytime.

 

Topics: cybersecurity, cyberthreats, backup and recovery

Subscribe to our Blog!