Just some common things that I've seen the last week and a half:
- Getting your Exchange systems patched should absolutely be front of mind, and likely has been a primary focus of any IT staff the past week and a half. Once you get those systems patched and can breathe a sigh of relief after checking Exchange for IOCs, take a look at the rest of your environment. If someone was able to gain access to your Exchange servers, what other systems would they have access to, and are you seeing any abnormal activity from those systems?
- Don't assume Exchange is the only target. If I'm doing an engagement on your network and establish a foothold, the first thing I'm going to attempt to do is pivot to two other systems, so that in the end I have three systems under my control if possible (the initial breach endpoint, the heir, and the spare). You also need to be checking your other systems once you get Exchange under control.
- Double-check how far back in your logs you're actually looking. If your IIS logs on your Exchange systems only go back 12 hours, and your firewall logs only go back a couple of days, you simply don't have the logs to do a proper IOC investigation. If you're working in an environment which has limited log data, you need to act like these systems have been compromised and find some way to get more log storage allocated as a temporary measure at the very least.
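The retention question above is easy to answer concretely. The following PowerShell is an added example, not part of the original post: run on an Exchange server, it works out how many days the IIS logs and the Windows Security log actually cover, so you know before starting an IOC review whether the window you care about is even on disk. The IIS log root and the 14-day minimum are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): report how far back the IIS logs
# and the Security event log on this Exchange server actually reach.
# $LogRoot and $MinimumDays are assumed defaults; change them to suit.

param(
    # Default IIS log root; site folders (W3SVC1, W3SVC2, ...) are found by -Recurse
    [string]$LogRoot = 'C:\inetpub\logs\LogFiles',
    # Days of coverage you consider the minimum for this investigation (assumed value)
    [int]$MinimumDays = 14
)

$files = Get-ChildItem -Path $LogRoot -Recurse -Filter 'u_ex*.log' -File -ErrorAction Stop
if (-not $files) {
    Write-Warning "No IIS logs found under $LogRoot"
    return
}

# IIS names each file by the UTC date it covers: u_exYYMMDD.log, or
# u_exYYMMDDHH.log for hourly rollover. Parse that instead of trusting LastWriteTime,
# which changes if anyone touches the file.
$dates = foreach ($f in $files) {
    if ($f.BaseName -match '^u_ex(\d{6})(\d{2})?$') {
        [datetime]::ParseExact($Matches[1], 'yyMMdd', $null)
    }
}
$oldest   = ($dates | Measure-Object -Minimum).Minimum
$newest   = ($dates | Measure-Object -Maximum).Maximum
$coverage = (Get-Date).ToUniversalTime().Date - $oldest

[pscustomobject]@{
    LogRoot      = $LogRoot
    FileCount    = $files.Count
    OldestLog    = $oldest.ToString('yyyy-MM-dd')
    NewestLog    = $newest.ToString('yyyy-MM-dd')
    CoverageDays = [int]$coverage.TotalDays
    TotalSizeMB  = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB, 1)
}

if ($coverage.TotalDays -lt $MinimumDays) {
    $msg = 'IIS logs only cover {0} days; anything before {1} cannot be verified. ' +
           'Treat the host as potentially compromised and extend retention now.'
    Write-Warning ($msg -f [int]$coverage.TotalDays, $oldest.ToString('yyyy-MM-dd'))
}

# Same question for the Security log: how old is the oldest record still on disk,
# and how big is the log allowed to get before it wraps? (Requires local admin.)
$secCfg      = Get-WinEvent -ListLog Security
$oldestEvent = Get-WinEvent -LogName Security -Oldest -MaxEvents 1

[pscustomobject]@{
    SecurityLogMaxMB     = [math]::Round($secCfg.MaximumSizeInBytes / 1MB)
    SecurityLogOldest    = $oldestEvent.TimeCreated
    SecurityCoverageDays = [int]((Get-Date) - $oldestEvent.TimeCreated).TotalDays
}
```

If the Security log's oldest record is only hours old, the log is wrapping; raising MaximumSizeInBytes (or forwarding the log off-box) is the cheapest immediate fix. Copying the IIS log folder to a separate share before any cleanup preserves what you do have.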
- This is a great time to try and advance some of those security enhancements that you keep getting told aren't in the budget, or aren't a priority for your organization. If you don't have visibility into traffic, it's time to start talking about further segmenting your traffic out to gain visibility. If you don't have the logs to do any meaningful investigation, use this as a chance to bring up your limited log retention again and get additional retention secured.
TL;DR: You need to be making sure you have the information available to actually analyze your organization's exposure to this breach, and if you're lacking visibility into traffic, now is a great time to remedy that. You also need to be checking systems your Exchange systems would be able to communicate with, and making sure those machines are healthy. Don't clean up your Exchange systems without making sure you haven't left a backdoor open for further attacks because you didn't analyze your other systems during your incident response.
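Both the "heir and the spare" point and the TL;DR come down to the same check: on the hosts your Exchange servers can reach, did anything authenticate from those servers that shouldn't have? This PowerShell is an added example, not from the original post. It pulls network logons (Event ID 4624, logon type 3) from a host's Security log, keeps only those whose source IP is one of your Exchange servers, and summarises them by account so an unexpected principal stands out. The Exchange IP list and the 14-day lookback are constructed placeholders; replace them with your own values.

```powershell
# Added example (not from the original post): on a host your Exchange servers can
# reach, list network logons that came from the Exchange servers' IP addresses.
# Exchange legitimately authenticates to domain controllers and to other Exchange
# servers with its computer accounts; a user account, a new host, or an odd hour
# in this list is what "abnormal activity from those systems" looks like.
# $ExchangeIPs and $LookbackDays are constructed sample values.

param(
    [string[]]$ExchangeIPs  = @('10.0.0.25', '10.0.0.26'),   # constructed sample IPs
    [int]$LookbackDays      = 14,
    [string]$ComputerName   = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read named fields from the event XML rather than parsing the message text,
    # whose field order varies between Windows versions.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    if ($d['LogonType'] -eq '3' -and $ExchangeIPs -contains $d['IpAddress']) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Target      = $ComputerName
            SourceIP    = $d['IpAddress']
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonProc   = $d['LogonProcessName']
            AuthPackage = $d['AuthenticationPackageName']
        }
    }
}

# One row per account: how many logons, and the first and last time seen.
$hits | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# Keep the raw rows for the case file.
$hits | Export-Csv -NoTypeInformation -Path ".\$ComputerName-exchange-logons.csv"
```

Run it against each host the Exchange servers are allowed to talk to (the file servers, the jump hosts, the backup server, the DCs) and compare the account list with what you expect: computer accounts such as EXCH01$ hitting a DC are normal, an admin account hitting a workstation from the mail server is not. If the lookback returns nothing at all, check the host's own log retention first; that usually means the log wrapped, not that nothing happened.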