This is the first installment of a new running blog series with David Bishop, Chief Information Security Officer, Trustwave.
Hundreds of thousands of organizations are reported to have been affected by the Microsoft Exchange Server attacks. HAFNIUM, an advanced threat actor group assessed to be state-sponsored, and numerous other threat actors across the globe have been attacking organizations by exploiting critical zero-day vulnerabilities in Microsoft Exchange Servers.
With a scope even more expansive than the recent SolarWinds attacks, the Microsoft Exchange Server attacks should give pause to organizations of all sizes to re-think their cybersecurity strategies moving forward.
We sat down with David Bishop, Chief Information Security Officer, Trustwave, to discuss how the Microsoft Exchange Server attacks should be processed and actioned by a CISO.
What is the big lesson from the Microsoft Exchange Server attacks that CISOs can take away?
I think the main takeaway here from an active operational security posture would be to make sure that you have layers of protection surrounding critical assets.
Never place too much reliance on an aggressive patch management program, your endpoint protection, your network access controls (ACLs), and so on. Those are all strong protections to have in place, but implementing layers as phases of protection is prudent as every single one of these protection measures can fail. Best practices are critical as well, but they are not the be-all-end-all either.
If we use an array of these protections collectively, it makes for a very hardened surface for attackers to penetrate and affords more focus on our weakest attack vector, our users. It's a simple concept that is sometimes forgotten in organizations, but you need to avoid having a single point of failure wherever possible and practical.
How does the mindset of security need to change in the wake of the Microsoft Exchange Server attacks?
With sophisticated threat actors on the rise and the recent targeting of critical third-party systems, it has become clear that a new mindset of security is needed to defend adequately.
Organizations need to run cybersecurity like it was a business unit. This mindset hasn't been adopted in most organizations.
We have to look at data security as a business component and invest in it to ensure its long-term success. After all, having weak and inadequate security can be more detrimental to an organization's bottom line or reputation than a poor go-to-market or marketing strategy.
Organizations should empower their CISOs to get the tools, talent, and resources they need to do security right for their organization from the start. A reactionary investment in cybersecurity is, in many cases, too little too late.
Why are aspects of ongoing, proactive security so important in today's cybersecurity environment?
Security today requires an ongoing, proactive and real-time response. Software solutions with algorithms and SOCs can be on deck to execute whack-a-mole, immediate response to indicators that arise – for example, behaviors that add up to things you might see in the MITRE series of indications of attack or compromise. This approach is reasonable but really just a baseline requirement for organizations to adequately respond to threats.
If indicators aren't previously known, if there's not some reference to an attack indicator or a compromise indicator, or the attackers get quiet because they've been caught doing something – there is a dire failure to compile actionable clues together.
Programs like Managed Detection and Response (MDR) combine technology and human expertise to focus on advanced threat detection and mitigation – on an ongoing basis – not just in reactionary situations. The addition of human intuition creates connections between events and discovers anomalies that haven't yet been considered within an algorithm. These connections serve to bolster security intelligence and apply new information to historical data, improving correlations and building a deeper understanding of an environment as a whole. This type of approach is critical with how advanced and rapidly moving the threats are today.
With the cybersecurity talent shortage, how can organizations stay ahead enough to defend against this influx of advanced threats?
Commodity tools like endpoint protection are going to be used day in and day out and will protect you against commodity threats. But the advanced adversary has a mission in mind, and they'll do whatever it takes to get in.
Unless you are a group of highly-skilled, full-time operators, there's no reasonable way to stay abreast of the attack techniques, the vectors, the tools, the motives, the targeted industry verticals, and the threat intelligence needed to protect and defend your organization without the help of third-party support.
It's immensely beneficial to leverage third-party security resources that have expertise and are already protecting numerous organizations day in and day out – because they are consistently informed on the bleeding edge of these attacks.
It also is a huge benefit if you enlist the support of a third-party resource that has teams that are interconnected and share information – across threat intelligence, incident response, consulting, etc. As a CISO, I can't overstate the value of having a network of resources that can pull together a global picture of threat suppression and detection so you can respond and action accordingly.
To learn more about how Trustwave has responded to the Microsoft Exchange Server attacks, visit our website: https://www.trustwave.com/en-us/mitigate-microsoft-exchange-server-attacks/