Hafnium – Key Lessons and takeaways

Written By Adam Evans, CISSP
hafnium-exploits-sm.jpg

Hey everyone, Adam here! We’re going to get into some lessons and takeaways from the Hafnium vulnerabilities. If you’re not already familiar with this exploit and ramifications, please check out our blog for a quick rundown.

First off, this incident is particularly bad. At the least, bad guys accessed the confidential emails of thousands of organizations. At the worst – a mass ransomware outbreak is brewing. We can also theorize that incidents like this are going to become more commonplace as the bad guys evolve their methods.

This incident, as well as those that came before and that, will come share come common lessons and takeaways.

Lesson 1 – Secure your footprint

One of the core aspects of securing your environment is to reduce your exposure. In this case, Office 365 was not impacted by this incident. Using a Software As A Service provider shifts the risk to them. They’re responsible for securing the infrastructure and services. They handle the security patching, mitigation, etc. As threats evolve their security teams can laser focus on how to keep their platforms secure. At that point, your IT folks don’t have to worry about being expert threat hunters. They can focus on doing what they do best – making sure your technology aids the business.

 Lesson 2 – Patch all the things

Once this vulnerability was disclosed Microsoft has patches available for impacted systems. Organizations that were able to install this patch as fast as possible were able to mitigate the risk. Organizations must monitor their software solutions for security updates and keep them up to date. Doing this helps to further mitigate the risk. Data shows that the organizations that were able to install the Exchange patches quickly were in a far better place than those that did not.

Lesson 3 – Have an incident response plan

So, your organization already migrated as many services as possible to the cloud. You’ve got a clear patching process that accounts for out-of-band updates. Your security stack is impeccable. Unfortunately, you are not impervious to security incidents. Therefore, it’s important to have an incident response framework in place. You’ll want your IT folks, HR, legal, and other company stakeholders to be aware of this. You’ll also want to make sure you’re keeping your plan up to date as well. Lastly, having all the plans in the world doesn’t do anyone much good if those who will need them are not familiar with them.

Lesson 4 – Have the right tools for the job

Unfortunately, many organizations were not able to patch in time or were already compromised. However, those organizations that had proper security software (not just antivirus), modern firewall solutions, and robust logging were able to quickly assess the situation and take appropriate actions. When time is of the essence you cannot afford to have tools that aren’t up to the challenge – or worse not have the tools at all.

Lesson 5 – Have a robust backup and disaster recovery strategy

Whether it be security incidents, natural disasters, or just some old-fashioned human error your data is at risk. A robust backup and disaster recovery strategy helps mitigate that risk. It’s critical to ensure your data is backed up regularly, that data is isolated from the rest of your organization’s infrastructure, it’s replicated offsite, and that the backups are tested. There is a ton of tech on the market that can make that happen, however, it’s important to make sure your strategy aligns with your business’ goals. Discuss with your IT folks what level of downtime is acceptable, how long it takes to recover from backups, and what the plan is if the worst were to happen.

Conclusion

These Exchange vulnerabilities and the actions of Hafnium have made it abundantly clear that organizations are at risk. We can however look to reduce our risk and mitigate future risks.

If you’d like to chat about how we can help your organization reduce risk – let us know. If you’re part of a company’s IT staff and are interested in a partner to help you through the process, give us a call. We’re happy to help.

Links

https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.cisa.gov/ed2102

https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/

https://www.scmagazine.com/home/security-news/data-breach/as-hafnium-timeline-crystalizes-signs-of-new-microsoft-exchange-server-attacks-emerge

https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/

https://arstechnica.com/gadgets/2021/03/ransomware-gangs-hijack-7000-exchange-servers-first-hit-by-chinese-hackers/

 

Adam Evans, CISSP

About Adam Evans, CISSP

Adam is a seasoned cybersecurity professional with more than a decade of experience in the MSP industry. He started his career as a helpdesk engineer and worked his way up through various technical roles to specialize in cybersecurity – specifically GRC, security architecture, and defensive operations. 

Adam is passionate about sharing his expertise and insights with the next generation of security professionals. He believes that by working together and sharing knowledge, we can make the world a safer and more secure place for everyone.

Connect with Adam on LinkedIn: https://www.linkedin.com/in/grcadame/

Previous

How to install Windows 10 on your laptop
Next

Hafnium – Key Lessons and takeaways