Attackers Won't Stop With Exchange Server. You Need a New Playbook

Palo Alto Networks blog, Points of View. Published 2021-03-10 (2021-03-11 01:25:20 GMT).
https://www2.paloaltonetworks.com/blog/2021/03/exchange-server-new-playbook/
Tags: Microsoft Exchange Server, playbook, SolarWinds, vulnerabilities

Excerpt: Adversaries aren't going away. As our reliance on technology grows, we must also invest in securing it and defend our digital way of life.

When the watershed SolarWinds attacks hit in December, I urged organizations (https://www.paloaltonetworks.com/blog/2020/12/next-solarwinds-modernizing-cybersecurity/) to redouble efforts to secure their networks. It was a wake-up call – SolarWinds exposed security weaknesses in organizations that would only be compounded now that we're all so reliant on technology.

Less than three months later, here we are again. Over the last week we've learned how hackers spent at least two months breaking into servers running Microsoft's widely used Exchange Server email software before they were caught. As governments and security vendors urge Exchange Server users to patch their systems immediately, data from our Palo Alto Networks Expanse platform (https://expanse.co/) shows the scale of the potential damage: as of Monday there were still more than 125,000 unpatched Exchange Servers across the world – some 33,000 in the U.S. alone. While we're seeing encouraging data that suggests organizations are aggressively patching, that's only half the battle: even patched systems may have already been compromised during the days and months when hackers were quietly leveraging four powerful zero-day vulnerabilities (https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/).

Right now, organizations must act quickly and decisively to defuse these Exchange Server attacks. Our Unit 42 research team has developed a playbook (https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities) for doing so, which includes guidelines to patch and secure all Exchange Servers, find compromised servers and get help from an incident response team with experience cleaning up nation-state attacks. Our Crypsis incident response team is also available to help (https://www.paloaltonetworks.com/microsoft-exchange-server-incident-response#elite_incident_responders).

But for the long term – jumping from emergency to emergency like this is unworkable. The difficulty organizations are having in tracking down vulnerable servers and applying emergency patches is in stark contrast to the cloud-powered automation tools that adversaries are using to attack them. And as each business's reliance on technology grows, these cybersecurity threats are now existential, with boards of directors across the globe rightly seeking assurances that organizations are adequately prepared.

So my message for today is: be vigilant in confronting this latest attack. Go through the rapid response drill, apply the patches, and carefully follow all recommended remediation steps. This is critically important to securing your organization.

But once this attack is out of the way, you need a new playbook.

First, you need to be able to look at your organization through the eyes of an attacker to identify and mitigate vulnerabilities before your adversaries seek to exploit them. Attack surface management allows enterprises to monitor their external attack surface in today's work-from-home and cloud-centric environments.

Second, organizations need to integrate all their security data sources in order to run comprehensive behavioral analytics. This level of analytics and machine learning can analyze all the relevant data in your enterprise to warn you against unknown, unseen threats – not just known ones.

Last, all organizations need to ensure that their security teams are spending their precious time on the right threats by automating all repetitive workflows. Security orchestration and automation technology is a must-have for any security team looking to streamline its operations in the face of increasing attacks.

Don't put these measures off, only to do the same drill again in two to three months. Use the lessons of these attacks to prepare your infrastructure for the next one. The tools are there now. Deploy them.