More than 30,000 servers worldwide have been affected following last week's Microsoft Exchange Server zero-days and more are being affected each day. Over the last week, our SOC analysts have pulled together an extensive list of IOCs (Indicators of Compromise) from a number of sources and have used them to hunt for webshells and other signs of compromise both via RTR access and through use of our in-house tools to scan our clients’ environments.
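The hunt described above, as an added illustration that is not InPhySec's in-house tooling and not code from the original post: it walks a web-root-style directory tree, compares each file's SHA-256 against a dictionary of known-bad hashes (the IOC list), and separately flags any executable web file (.aspx, .asmx, .ashx, .asp) created or modified after the disclosure date, since a fresh file in a directory that should rarely change is worth a look even without an IOC hit. The single hash in the IOC list, the file names and the directory layout are all constructed for the demo; a real hunt would load published hashes and point `hunt()` at the server's actual web directories.

```python
"""IOC-driven webshell hunt over a web-root-style directory tree.

Added illustration, not the SOC's own tool. Two checks per file:
  1. SHA-256 match against a dictionary of known-bad file hashes (IOCs);
  2. heuristic: any executable web file modified on or after the
     disclosure date (new files in directories that should rarely change).
Every hash, file name and path below is constructed for the demo.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed stand-in for a known-bad file body. In a real hunt the IOC
# dictionary holds hashes published by vendors and CERTs, not sample text.
SAMPLE_BAD_CONTENT = b"<!-- constructed sample standing in for a known-bad file -->\n"

# IOC dictionary keyed by lowercase SHA-256 hex -> label. Its only entry is the
# hash of the constructed sample above; a real list would come from a feed.
IOC_SHA256 = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest(): "constructed-sample"}

# Extensions an IIS-hosted application will execute if dropped under the web root.
EXECUTABLE_EXT = {".aspx", ".asmx", ".ashx", ".asp"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: Path, ioc_hashes: dict, disclosure_epoch: float) -> list:
    """Walk `root`; return one finding dict per file that trips either check."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        digest = sha256_file(path)
        if digest in ioc_hashes:
            reasons.append(f"ioc-hash:{ioc_hashes[digest]}")
        if path.suffix.lower() in EXECUTABLE_EXT and path.stat().st_mtime >= disclosure_epoch:
            reasons.append("executable-web-file-modified-since-disclosure")
        if reasons:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "sha256": digest,
                "reasons": reasons,
            })
    return findings


def build_demo_tree() -> tuple:
    """Create a constructed directory that mimics a web root. Returns (root, disclosure_epoch)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    auth = root / "owa" / "auth"
    auth.mkdir(parents=True)
    now = time.time()
    disclosure = now - 7 * 86400  # "last week", as in the post

    # 1. long-standing legitimate page: old mtime, not on the IOC list -> not flagged
    good = auth / "logon.aspx"
    good.write_bytes(b'<%@ Page Language="C#" %>\n')
    os.utime(good, (now - 400 * 86400, now - 400 * 86400))

    # 2. file whose hash is on the IOC list, written two days ago -> both reasons
    bad = auth / "dropped-sample.aspx"  # constructed name, not a published IOC
    bad.write_bytes(SAMPLE_BAD_CONTENT)
    os.utime(bad, (now - 2 * 86400, now - 2 * 86400))

    # 3. unknown executable file written now (after disclosure) -> heuristic only
    unknown = root / "ecp" / "unknown-new.aspx"
    unknown.parent.mkdir()
    unknown.write_bytes(b"<%-- constructed unknown file --%>\n")

    # 4. recently written non-executable asset -> not flagged
    (root / "owa" / "style.css").write_bytes(b"body{}\n")
    return root, disclosure


def run_demo() -> list:
    root, disclosure = build_demo_tree()
    return hunt(root, IOC_SHA256, disclosure)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], finding["sha256"][:12], ", ".join(finding["reasons"]))
```

The hash check gives high-confidence hits but only for files already on someone's list; the modification-time heuristic catches what the list has not caught up with yet, at the cost of needing an analyst to triage each new file.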
Zero-day attacks are a huge technical challenge for everyone and difficult to mitigate, but they can be prepared for to a certain extent. The following advice can help any organisation be as prepared as possible the next time - and there will be a next time - a zero-day exploit is discovered.
- Comprehensive network security: as a minimum, full endpoint protection, preferably through a managed security service whose analysts are experts in spotting anomalous activity at an early stage; active threat and vulnerability hunting; and full network visibility;
- An active patch management programme: an active patch management programme should be in place, paying attention to both regular (e.g. Microsoft Patch Tuesday) and one-off patches, so that systems have the most up-to-date protection possible;
- A clear incident response plan: zero-days require immediate action and leave little time to think over key decisions and the steps for proceeding with a response. It is therefore important to have a clear, well-communicated and accessible incident response plan, maintained in-house and agreed with key service providers, that sets out the critical steps to follow in the case of a security event. It should include a thorough understanding of the IT environment; identification of weak points in that environment; identification of the key individuals involved, both those administering the plan hands-on and the principal decision makers; clear scenario guidance; and a plan to prepare for disaster recovery.
- An education programme for staff: a programme that gives staff a basic understanding of how to respond to potential threats or anomalous activity, and that provides regular reminders, should be in place. Education should be a constant component of your security infrastructure.
InPhySec continues to actively train for and stand vigilant against such threats. Our technology and team allowed for the swift containment of a state-level, multi-zero-day attack on the teams we protect.
Author: Michelle Crowe, Technical Director - Network Analytics and Threat Intelligence @ InPhySec