Fifteen years ago, if you accidentally exposed a device on the Internet, it might go unnoticed by attackers for months or even years. Things are different today \u2013 attackers scrutinize your attack surface daily. With open source software anyone can download, an attacker can communicate with every public-facing IP address in IPv4 space in hours. Any unpatched system, misconfiguration or accidental exposure is likely to be discovered very quickly. The internet is tiny.<\/p>\n
This is why it\u2019s crucial to apply patches promptly \u2013 new attacks such as the DearCry ransomware<\/a> that began circulating around March 9 seek to take advantage of newly disclosed vulnerabilities in Microsoft Exchange Mail Servers to turn a quick profit before organizations have a chance to respond to them.<\/p>\n Expanse continuously gathers information on all Internet accessible devices, and we used our platform to find the total volume of publicly accessible Microsoft Exchange Servers and the subset of servers that were vulnerable. Comparing information gathered three days apart \u2013\u00a0March 8, and then again on March 11 \u2013 allowed us to see not only how many Microsoft Exchange Servers were vulnerable but also to glean some data about the pace at which organizations applied patches.<\/p>\n Our results show that patch rates are lightning fast \u2013 36% in just three days. From FireEye data on the time between disclosure, patch release and exploitation<\/a>, we know that in the past the average time to patch was nine days. But patching does not mean you\u2019re safe \u2013\u00a0assume exploitation as a result of this attack, as threat actors were observed widely launching zero-day attacks against very high numbers of Exchange Servers across the internet before a patch was released. (For information about how to handle various scenarios and determine impact on your organization, see Unit 42\u2019s \u201cRemediation Steps for the Microsoft Exchange Server Vulnerabilities<\/a>.\u201d)<\/p>\n It\u2019s important to understand your attack surface from the attacker's perspective. The statistics above represent all<\/em> publicly facing unpatched Exchange Mail Servers \u2013 but this does not<\/em> mean the affected customers know about them. Acquisitions, foreign subsidiaries, and forgotten or rogue IT often mean enterprises miss outstanding assets, including email servers. With so many attack vectors and limited resources to defend them, it\u2019s crucial that organizations understand where the critical entry points are and how they can prioritize attack surface area reduction in a smart, data-driven way.<\/p>\n The attack surface area of an organization has never been more distributed than it is today. Organizations have to identify, track and manage more asset types across different locations than ever before. It won\u2019t work to jump from emergency to emergency \u2013\u00a0you need a new playbook<\/a>.<\/p>\n The first step? Understand your attack surface. A discovery and mapping program should start with the basics:<\/p>\n<\/a>How Quickly are Organizations Patching Microsoft Exchange Servers?<\/h2>\n
![\"Expanse,](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2021\/03\/Expanse-Networks-Map-Infographic-Dark.png\")
<\/span><\/div><\/p>\n<\/a>How to Understand Your Attack Surface<\/h2>\n
\n