Lessons Learned From the Microsoft Exchange Zero-Day Vulnerabilities
If you need immediate guidance related to these threats and steps to take, the Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have released several resources to aid organizations in addressing this critical issue:
- FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server
- Mitigate Microsoft Exchange On-Premises Product Vulnerabilities resource page
- CISA Emergency Directive 21-02
- Remediating Microsoft Exchange Vulnerabilities
- HAFNIUM Targeting Exchange Servers with 0-day exploits
Understanding and mitigating this issue will likely require support from internal or external IT expertise, because the remediation steps are highly technical. Regardless of your technical depth, though, there are key takeaways that every organization should consider.
While this specific issue involved a zero-day vulnerability (a flaw that is known and being exploited before a corrective fix exists, so you cannot fully prepare for it or immediately patch it), it still brings up a critical reminder. You may think you don't have anything a hacker would want, but almost every organization holds some form of data that is valuable to a bad actor, and bad actors are constantly looking for new ways to exploit existing systems.
So whether or not your organization was impacted by the Microsoft Exchange vulnerabilities, now is a good time to take a look at your organization’s control framework and ask:
Have our preventative, detective, and corrective controls evolved with current threats and risks?
The Microsoft Exchange vulnerabilities were exploited to exfiltrate data. While there are many ways for data to be stolen or exfiltrated, the bigger points organizations need to understand include:
- Where their data is
- Who has access to the data and why
- How data flows throughout the organization and to and from its partners, and the potential points of loss
Because of the continued trend of attacks resulting in data theft, enhanced data management and data loss controls may be needed. Consider your existing capabilities:
- Do you have the capabilities to restrict the inflow and outflow of data to and from your network?
- What about data that is hosted or transferred in cloud and file-sharing solutions?
- Do you have data that flows between you and a third-party service provider?
- How do you prevent data from being exfiltrated, stolen, or lost?
There are now many controls available that focus on data protection and loss prevention, and it may be time to enhance your existing controls and configure more restrictive settings to reduce the likelihood of data exfiltration and loss.
Detection needs to be coupled with prevention. If one control fails, another can mitigate the damage or help you quickly identify the failure or anomalous activity and minimize the impact. And because many organizations will find the data loss controls described above too restrictive to deploy fully, detective controls become even more important.
Assess whether your organization has sufficient capability to identify suspicious activity. Do you know what counts as anomalous on your network? Many organizations rely on manual monitoring or limited tooling, and that level of monitoring often proves insufficient; additional investment in this critical area may be needed. Proper tooling lets you establish a baseline of normal activity and automate the aggregation and correlation of events from multiple systems, which enables more robust alerting, escalation, and triage.
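As an added illustration of the baseline-and-correlate approach just described (example code written for this page, not from the article or CapinTech), the following Python script builds a per-host baseline of daily outbound data volume from constructed log lines, then reviews a later day: it flags a host that moves far more data than its baseline, lists the destinations that host never contacted during the baseline period, and separately flags hosts that have no baseline at all. The log format (date, host, destination, bytes) and all hostnames and addresses are assumptions made for the example.

```python
"""Baseline-and-alert detector for anomalous outbound data volume.

Added example for this page; the log lines below are constructed, and the
'date host destination bytes' layout is an assumed format, not a real product's.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline period: four days of normal outbound transfers.
BASELINE_LOG = """\
2021-03-01 mail01 203.0.113.10 1200000
2021-03-01 mail01 203.0.113.11 900000
2021-03-01 ws-042 198.51.100.5 300000
2021-03-02 mail01 203.0.113.10 1100000
2021-03-02 mail01 203.0.113.11 1000000
2021-03-02 ws-042 198.51.100.5 280000
2021-03-03 mail01 203.0.113.10 1300000
2021-03-03 mail01 203.0.113.11 950000
2021-03-03 ws-042 198.51.100.5 320000
2021-03-04 mail01 203.0.113.10 1150000
2021-03-04 mail01 203.0.113.11 1050000
2021-03-04 ws-042 198.51.100.5 290000
"""

# Constructed review day: mail01 pushes ~45 MB to an address never seen in the
# baseline, and ws-099 appears for the first time (no history to compare to).
REVIEW_LOG = """\
2021-03-05 mail01 203.0.113.10 1200000
2021-03-05 mail01 203.0.113.11 980000
2021-03-05 mail01 192.0.2.77 45000000
2021-03-05 ws-042 198.51.100.5 310000
2021-03-05 ws-099 198.51.100.9 5000
"""


def parse_log(text):
    """Parse 'date host destination bytes' lines into (date, host, dest, int) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, host, dest, nbytes = line.split()
        records.append((date, host, dest, int(nbytes)))
    return records


def daily_totals(records):
    """{host: {date: total outbound bytes}} aggregated from the raw records."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, _dest, nbytes in records:
        totals[host][date] += nbytes
    return totals


def build_baseline(records, floor_ratio=0.1):
    """Per host: mean and spread of daily outbound volume, plus known destinations.

    The spread is floored at floor_ratio * mean so a host whose history happens
    to be perfectly flat (zero variance) does not alert on trivial changes.
    """
    known_dests = defaultdict(set)
    for _date, host, dest, _n in records:
        known_dests[host].add(dest)
    baseline = {}
    for host, days in daily_totals(records).items():
        volumes = list(days.values())
        avg = mean(volumes)
        spread = max(pstdev(volumes), floor_ratio * avg)
        baseline[host] = {"mean": avg, "spread": spread, "dests": known_dests[host]}
    return baseline


def detect(baseline, records, z_threshold=3.0):
    """Return one alert per (host, day) whose volume is anomalous or has no baseline.

    A volume alert is correlated with a second signal: destinations the host
    never contacted during the baseline period.
    """
    alerts = []
    seen_dests = defaultdict(set)
    for _date, host, dest, _n in records:
        seen_dests[host].add(dest)
    for host, days in daily_totals(records).items():
        for date, observed in sorted(days.items()):
            if host not in baseline:
                alerts.append({"host": host, "date": date, "reason": "no baseline",
                               "bytes": observed})
                continue
            b = baseline[host]
            z = (observed - b["mean"]) / b["spread"]
            if z > z_threshold:
                alerts.append({"host": host, "date": date, "reason": "volume",
                               "z": round(z, 1), "bytes": observed,
                               "new_destinations": sorted(seen_dests[host] - b["dests"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(parse_log(BASELINE_LOG)), parse_log(REVIEW_LOG)):
        print(alert)
```

The point of the floor on the spread is that a statistical threshold alone misbehaves on hosts with very regular history; likewise, a host with no baseline is surfaced for a human rather than silently scored, because a brand-new system sending data out is exactly what an analyst wants to look at. In practice the records would come from proxy, firewall, or DLP logs feeding a SIEM, and the threshold and baseline window would be tuned to your environment.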
The final step is response. Every organization is at risk of experiencing some form of cybersecurity incident or issue at some point. How does your incident response plan hold up? Does it account for incidents like zero-day vulnerabilities, where there may not be an immediate fix available and you have to make the difficult decision to take systems offline in the name of security but at the expense of your operations?
It may be time to have those discussions. Identify your organization’s critical systems, applications, and functions. What would happen if each were directly impacted like the Exchange servers were? Many people cannot fathom operating without email, but organizations were forced to decide between taking their email server offline or leaving their organization exposed.
Proactively identifying those items your organization can and cannot function without will make your response much more effective. Instead of having those discussions in the middle of an incident, making the decisions ahead of time and having a plan in place can allow you to quickly start addressing remediation or implementing mitigating factors to minimize the impact.
Incidents will continue to happen. Regardless of whether or not you were directly impacted by this one, it’s critical to use the experiences of real-life events to evolve and develop your controls. The incidents of others can be your lessons learned.
Allison Davis Ward
Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.