Attackers Won't Stop With Exchange Server. You Need a New Playbook

Mar 10, 2021
3 minutes

When watershed SolarWinds attacks hit in December, I urged organizations to redouble efforts to secure their networks. It was a wakeup call – SolarWinds exposed security weaknesses in organizations that would only be compounded now that we’re all so reliant on technology. 

Less than three months later, here we are again. Over the last week we’ve learned how hackers spent at least two months breaking into servers running Microsoft’s widely used Exchange Server email software before they were caught. As governments and security vendors urge Exchange Server users to patch their systems immediately, data from our Palo Alto Networks Expanse platform shows the scale of the potential damage: as of Monday there were still more than 125,000 unpatched Exchange Servers across the world – some 33,000 in the U.S. alone. While we’re seeing encouraging data that suggests organizations are aggressively patching, that’s only half the battle: even patched systems may have already been compromised during the days and months when hackers were quietly leveraging four powerful zero-day vulnerabilities

Right now, organizations must act quickly and decisively to defuse these Exchange Server attacks. Our Unit 42 research team has developed a playbook for doing so, which includes guidelines to patch and secure all Exchange Servers, find compromised servers and get help from an incident response team with experience cleaning up nation-state attacks. Our Crypsis incident response team is also available to help.

But for the long term – jumping from emergency to emergency like this is unworkable. The difficulty organizations are having in tracking down vulnerable servers and applying emergency patches is in stark contrast to the cloud-powered automation tools that adversaries are using to attack them. And as each business’s reliance on technology grows, these cybersecurity threats are now existential, with boards of directors across the globe rightly seeking assurances that organizations are adequately prepared.  

So my message for today is, be vigilant in confronting this latest attack. Go through the rapid response drill, apply the patches, carefully follow all recommended remediation steps. This is critically important to securing your organization.

But once this attack is out of the way, you need a new playbook. 

First, you need to be able to look at your organization through the eyes of an attacker to identify and mitigate vulnerabilities before your adversaries seek to exploit them. Attack surface management allows enterprises to monitor their external attack surface in today’s work from home and cloud-centric environments.

Second, organizations need to integrate all their security data sources in order to run comprehensive behavioral analytics. This level of analytics and machine learning can analyze all the relevant data in your enterprise to warn you against unknown, unseen threats – not just known ones. 

Last, all organizations need to ensure that their security teams are spending their precious time on the right threats by automating all repetitive workflows. Security orchestration and automation technology is a must-have for any security team looking to streamline their operations in the face of increasing attacks.  

Don’t put these measures off, only to do the same drill again in two to three months. Use the lessons of these attacks to prepare your infrastructure for the next one. The tools are there now. Deploy them. 

Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.