Beyond Patching: Five Ways to Help Mitigate the Risk of Hafnium or Other Microsoft Exchange Server Zero-day Attacks

Zero-day attacks, like the recent one Microsoft disclosed was perpetuated by the Hafnium group, present a heightened level of cybersecurity risk. By their very nature, these attacks represent clear and present danger. Most experts will rightly say that implementing a rigorous patch process is essential to defending against them. But given that your organization is already exposed the moment a zero-day attack is discovered – and that cybercriminals may have been exploiting the newly identified vulnerability for weeks, months or even years – it begs the question: isn’t there more you should do? The answer is a definitive yes, and it lies with building a comprehensive cyber resilience strategy.

It is difficult to overstate the connectedness of how businesses work today and the way attack surfaces have expanded as a result. Depending on the motivations of the threat actor, credentials lead to software and systems that can lead to emails, collaboration tools, financial or other sensitive business information, intellectual property, confidential sales information, research and development, competitive analysis and more. Building resilience across your IT infrastructure not only mitigates risk, but it can also help you establish an early warning system for many types of cyberattacks. The following are five steps that can help put you on the road to doing so:

1. Harden your email perimeter – If attackers gain unauthorized access to your environment, the insider intelligence they can obtain makes you extremely vulnerable to follow-on email-based attacks. The threat actor can see who runs payroll, understand sign-off processes, mirror communications patterns and so on, giving them the ability to craft highly targeted, highly realistic follow on attacks based on their motivations. Strong email protections, like inbound and outbound scanning, data leak prevention and DMARC policies, are designed to prevent malicious actors from leveraging your legitimate domains, and can help you identify and thwart attacks that are difficult for even your most security aware employees to spot.
2. Archive to an independent environment that is separately secured – Maintaining a high volume of transactional data within your email messaging system makes your organization more vulnerable to attacks. Best practice is to maintain a lean amount of data. An attacker gaining unauthorized access to three months or less of your email data, for example, is less damaging than them getting a full or even multi-year history. Your attack surface can be reduced and your data protected by archiving to an independently secured environment.
3. Establish a continuity plan – Disruption of email flow is a reality that all organizations must face and plan for, and it can occur in a myriad of ways. Attackers can potentially disable your email system or your access to some or all of your files using ransomware.  In the face of an attack, you may need to take the system down yourself, either to apply an urgent patch during business hours, remediate a breach or even rebuild the system entirely using a clean infrastructure. The list of scenarios is daunting, and events like this occur every day. Because email is still the lifeblood of the vast majority of businesses, the ability to keep it functional during disruptive events is foundational to a cyber resilience strategy. A continuity solution can help ensure that when email is inaccessible, your business doesn’t go down with it.
4. Maintain an accurate and restorable repository of email communications – Data is a highly valuable commodity for cybercriminals; and when they have unauthorized access to your environment, they have many options depending on their motivations. They can destroy it, hold it for ransom or even modify it, inserting inaccurate, inappropriate or incriminating information. Maintaining an accurate record of your communications helps protect against mischaracterization of information, prevents data loss and allows for fast and easy restoration of data that was lost through malicious or unintentional actions.
5. Empower humans and technologies to work together – Given the rapidly accelerating sophistication of cyberattacks in recent years, the technologies we all use to protect ourselves are not infallible; nor are the employees we rely upon as a last line of defense for attacks that get through. That’s why the intersection of technology and humans has become an increasingly critical component of cyber resilience. Empowering employees with knowledge and awareness is essential to making them part of your early warning system, as is giving them tools like the ability to easily report suspicious activity. And as the number of technologies organizations use to harden their security postures continues to grow, the ability to make them work together and use the collective threat intelligence they provide holds the key to early detection, proactive response and rapid mitigation.

To combat zero-day attacks, Mimecast's Email Security 3.0 framework offers cloud-first protection against these malicious tactics through pervasive email security services that use multi-layered detection engines and threat intelligence to stop threats before they reach the network.

The Bottom Line

The recent zero-day attack was against Microsoft Exchange Server by Hafnium. Tomorrow, the next cyberattack could just as easily be targeted at Microsoft 365 or other parts of the IT infrastructure through another equally dangerous state-sponsored threat actor. And the reality is that zero-day attacks that don’t make the news cycle are discovered all the time.  Should you patch regularly? 1,000 times yes. But to mitigate zero-day risk, organizations must go beyond patching to implement a comprehensive cyber resilience strategy.