Hack takes: A CISO and a hacker detail how they’d respond to the Exchange breach

The cyber world has entered a new era in which attacks are becoming more frequent and happening on a larger scale than ever before. Massive hacks affecting thousands of high-level American companies and agencies have dominated the news recently. Chief among these are the December SolarWinds/FireEye breach and the more recent Microsoft Exchange server breach. Everyone wants to know: If you’ve been hit with the Exchange breach, what should you do?

To answer this question, and compare security philosophies, we outlined what we’d do — side by side. One of us is a career attacker (David Wolpoff), and the other a CISO with experience securing companies in the healthcare and security spaces (Aaron Fosdick).

CISO Aaron Fosdick

1. Back up your system.

A hacker’s likely going to throw some ransomware attacks at you after breaking into your mail server. So rely on your backups, configurations, etc. Back up everything you can. But back up to an instance before the breach. Design your backups with the assumption that an attacker will try to delete them. Don’t use your normal admin credentials to encrypt your backups, and make sure your admin accounts can’t delete or modify backups once they’ve been created. Your backup target should not be part of your domain.

2. Assume compromise and stop connectivity if necessary.

Identify if and where you have been compromised. Inspect your systems forensically to see if any systems are using your surface as a launch point and attempting to move laterally from there. If your Exchange server is indeed compromised, you want it off your network as soon as possible. Disable external connectivity to the internet to ensure they cannot exfiltrate any data or communicate with other systems in the network, which is how attackers move laterally.

3. Consider deploying default/deny.

You should just assume you’ve been compromised beyond Exchange, which means you’re going to want to limit what your other controls can do, who they can talk to, what they can see. For example, consider restricting your firewall’s outbound access from the Exchange server to only necessary servers — IMAP, Exchange protocol, 443.

4. Harden access to OWA and limit remote access.

If you use Microsoft Exchange and you were successfully hacked, consider disabling Outlook Web Access (OWA). Exchange can be hacked via OWA, so disable it on your network to reduce your attack surface immediately. Once you’ve done this, you can restrict outbound access to necessary services, rebuild your Exchange server from a patched state, and then migrate those accounts back.

5. Take an active defense.

Assuming you have an incident response plan in place to prepare your company and security program for the event of a breach, enact it now. Patch and reimage your affected systems and start over with clean systems. Now that you’ve put out the immediate fire, look to the future and redesign your security posture around a more proactive strategy. Implement least privilege on your network now to prevent the next attacker from using email as a vector to move laterally. Inspect outbound and lateral network traffic for indicators of compromise (IOCs).

Above all, don’t wait for your incident response team to take the brunt of a cyberattack on your organization. Look to proactively and preemptively reduce the size of your attack surface to alleviate risk, and implement segmentation and least privilege to cut off lateral attack vectors.
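The containment steps from the checklist above (default/deny outbound from the Exchange host, and switching off OWA) as one PowerShell session on the suspected Exchange server. This is an added example, not code from the original article or from either author. The domain controller and forensics-collector addresses, the rule names and the port allow-list are placeholders for illustration; the real allow-list has to come from your own environment, and anything not on it is dropped once the profile is flipped to block.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the suspected host, from a console session, using a dedicated
# response account rather than a standing domain admin.
$ErrorActionPreference = 'Stop'

# --- Step 4: take OWA away from every mailbox (Set-CASMailbox -OWAEnabled).
# The web application still answers until the server is rebuilt, but no
# mailbox can be reached through it.
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -OWAEnabled $false

# --- Step 3: default/deny outbound on every firewall profile. From here on,
# arbitrary internet destinations (the exfil channel) are blocked; only the
# explicit allow rules below get out.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

$DomainControllers = @('10.0.0.10', '10.0.0.11')   # placeholder DC addresses
$ForensicsHost     = '10.0.0.50'                   # placeholder evidence collector

# Authentication and name resolution against the domain controllers only.
# The RPC dynamic range is needed for Netlogon/AD RPC; include it only while
# this box still has to function at all.
New-NetFirewallRule -DisplayName 'IR: DC TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $DomainControllers `
    -RemotePort 53,88,135,389,445,636,3268,3269,'49152-65535'
New-NetFirewallRule -DisplayName 'IR: DC UDP' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $DomainControllers -RemotePort 53,88,123,389

# HTTPS to the host collecting evidence, and nowhere else.
New-NetFirewallRule -DisplayName 'IR: forensics collector' -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $ForensicsHost -RemotePort 443

# --- Verify the posture before walking away: every profile should show
# DefaultOutboundAction = Block, and only the 'IR: *' rules should be allowing.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'IR: *' | Select-Object DisplayName, Enabled, Direction, Action
```

The host-based rules are a stopgap while the server is imaged and rebuilt; the perimeter firewall remains the authoritative place to cut the Exchange server off from the internet, as the checklist says. The attacker's warning later on the page applies here too: an adversary on this box is waiting for admins to log in, so the account used for these commands should be one you are prepared to treat as burned.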

Attacker David Wolpoff

1. Assume data exfil and unplug email.

In the case of the Exchange hack, the first thing I would have done would be to exfiltrate as much data as possible before getting caught. Shutting off email will completely disrupt business, but it’s probably worth it to stop me from exfiltrating all your emails and data (and stop the bleeding).

2. Get your incident response plan going ASAP, and don’t skimp on the forensics.

You’re going to want to know how far the damage goes — i.e., how many email inboxes I accessed and exfiltrated. A good forensics team will be able to tell you how far I got, so you know what to reimage, and where else there might be damage, based on the content of the emails. This way you’re not wasting time (or money) reimaging stuff that wasn’t touched.

3. Restore to a backup — with caution.

Backups are extremely important, but be cautious of relying on a backup done after you found out about the breach. Don’t be lulled into thinking I can’t persist in your backups as well — because I can. This means practicing constant vigilance in order to be rid of an attacker — always do your backups, and back up to an instance from before you were compromised.

4. Assume compromise extends well beyond your Exchange server.

I’m always looking to increase my privileges and spread to enough new boxes, so even if I am found and booted from one part of the system, I have established a toehold in another part. You may have shut down email, but you can’t assume I haven’t infiltrated other parts of your system. First thing, I’d try to get my hands on your domain controller — this is a total compromise of all business decisions. From the Exchange server, I’d check to see if it’s been patched. I’d monitor the Exchange server, looking for admins freaking out and logging in — so I can steal their passwords and own the domain.

5. Adopt zero trust and test resiliency.

If an attacker manages to get hold of all your remote workers’ email credentials, but those credentials don’t have access to anything detrimental to the company, congratulations! You have successfully predicted the attacker’s path and implemented policy that did not allow them to advance.

The final piece of the puzzle: When attacks do happen, you need to be able to sort through the data after the fact. Since most attackers aren’t returning to the scene of the crime to share notes, this is where an effective third-party red team comes into play. Imagine if you could sit down and ask your cyberattacker anything you wanted about what went wrong and how to thwart them next time. That’s the visibility you need into your security program.