CISO's Corner: The Microsoft Exchange Server Attacks Should Change Your Security Mindset

This is the first installment of a new running blog series with David Bishop, Chief Information Security Officer, Trustwave.

Hundreds of thousands of organizations are reported to have been affected by the Microsoft Exchange Server attacks. HAFNIUM, an advanced threat actor group assessed to be state-sponsored, and numerous other threat actors across the globe have been attacking organizations by exploiting critical zero-day vulnerabilities in on-premises Microsoft Exchange Server.

With a scope even broader than the recent SolarWinds attacks, the Microsoft Exchange Server attacks should prompt organizations of all sizes to rethink their cybersecurity strategies going forward.

We sat down with David Bishop, Chief Information Security Officer, Trustwave, to discuss how a CISO should interpret and act on the Microsoft Exchange Server attacks.

What is the big lesson from the Microsoft Exchange Server attacks that CISOs can take away?

I think the main takeaway here from an active operational security posture would be to make sure that you have layers of protection surrounding critical assets.

Never place too much reliance on an aggressive patch management program, your endpoint protection, your network access controls (ACLs), and so on. Those are all strong protections to have in place, but implementing layers as phases of protection is prudent as every single one of these protection measures can fail. Best practices are critical as well, but they are not the be-all and end-all either.

If we use an array of these protections collectively, it makes for a very hardened surface for attackers to penetrate and affords more focus on our weakest attack vector, our users. It's a simple concept that is sometimes forgotten in organizations, but you need to avoid having a single point of failure wherever possible and practical. 

How does the mindset of security need to change in the wake of the Microsoft Exchange Server attacks?

With sophisticated threat actors on the rise and the recent targeting of critical third-party systems, it has become clear that a new mindset of security is needed to defend adequately.

Organizations need to run cybersecurity like it was a business unit. This mindset hasn't been adopted in most organizations.

We have to look at data security as a business component and invest in it to ensure its long-term success. After all, having weak and inadequate security can be more detrimental to an organization's bottom line or reputation than a poor go-to-market or marketing strategy.

Organizations should empower their CISOs to get the tools, talent, and resources they need to do security right for their organization from the start. A reactionary investment in cybersecurity is, in many cases, too little too late.

Why are aspects of ongoing, proactive security so important in today's cybersecurity environment?

Security today requires an ongoing, proactive and real-time response. Software solutions with algorithms and SOCs can be on deck to execute whack-a-mole, immediate response to indicators that arise – for example, behaviors that add up to things you might see in the MITRE series of indications of attack or compromise. This approach is reasonable but really just a baseline requirement for organizations to adequately respond to threats.

If indicators aren't previously known, if there's not some reference to an attack indicator or a compromise indicator, or the attackers get quiet because they've been caught doing something – there is a dire failure to compile actionable clues together.

Programs like Managed Detection and Response (MDR) combine technology and human expertise to focus on advanced threat detection and mitigation – on an ongoing basis – not just in reactionary situations. The addition of human intuition creates connections between events and discovers anomalies that haven't yet been considered within an algorithm. These connections serve to bolster security intelligence and apply new information to historical data, improving correlations and building a deeper understanding of an environment as a whole. This type of approach is critical with how advanced and rapidly moving the threats are today.

With the cybersecurity talent shortage, how can organizations stay ahead enough to defend against this influx of advanced threats?

Commodity tools like endpoint protection are going to be used day in and day out and will protect you against commodity threats. But the advanced adversary has a mission in mind, and they'll do whatever it takes to get in.

Unless you are a group of highly skilled, full-time operators, there's no reasonable way to stay abreast of the attack techniques, the vectors, the tools, the motives, the targeted industry verticals, and the threat intelligence needed to protect and defend your organization without the help of third-party support.

It's immensely beneficial to leverage third-party security resources that have expertise and are already protecting numerous organizations day in and day out – because they are consistently informed on the bleeding edge of these attacks.

It also is a huge benefit if you enlist the support of a third-party resource that has teams that are interconnected and share information – across threat intelligence, incident response, consulting, etc. As a CISO, I can't overstate the value of having a network of resources that can pull together a global picture of threat suppression and detection so you can respond and action accordingly.

To learn more about how Trustwave has responded to the Microsoft Exchange Server attacks, visit our website:
