John Pescatore – SANS Director of Emerging Security Trends
Don’t Just Put the Egg Salad Back in the Fridge, Make Sure It Hasn’t Spoiled...
This week’s Drilldown will focus on an item (included below) from NewsBites Issue 24, which noted that a high percentage of Microsoft Exchange servers have been patched for the high severity ProxyLogon flaw, but a disturbingly high percentage of those on-premises Exchange servers were compromised before they were patched.
The faster severe vulnerabilities get patched, the lower the probability becomes that they will be exploited later. But, of course, the risk that the compromise occurred before patching still exists!
The first step in the patching process needs to include a determination of whether the vulnerability was already exploited. While IT teams are usually in charge of the patching process, most IT teams are not experienced in doing what is essentially threat hunting.
Higher-maturity security programs have processes and playbooks that assure compromise detection is done whenever a new vulnerability becomes known. Simple vulnerability scanning does not address this. Network monitoring and log analysis can find simple indicators of compromise (IoCs) or more complex signs of tactics, tools, techniques, and procedures that threat actors employ. Jake Williams of SANS authored a recent whitepaper on this topic here.
A related issue: Most organizations use some form of web security gateway product or service to block users from connecting to dangerous URLs. The list of known bad URLs is continually updated, and every update should trigger a scan to find any internal PCs and/or servers that communicated with those URLs before the update.
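The retroactive check described above, as an added example that is not part of the original post: diff the old and new blocklists, then search the gateway's proxy log for internal hosts that reached any newly added domain before the update took effect. The log format, domain names and addresses are constructed sample data, not from any real product.

```python
"""Retroactive hunt: which internal hosts reached newly blocklisted domains
before the gateway started blocking them? Added example; the blocklists
and proxy log below are constructed sample data."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed: the URL blocklist before and after today's update.
OLD_BLOCKLIST = {"malware-one.example", "phish.example"}
NEW_BLOCKLIST = OLD_BLOCKLIST | {"newly-bad.example", "dropper.example"}
UPDATE_TIME = datetime(2021, 3, 20, 12, 0, tzinfo=timezone.utc)

# Constructed proxy log, one request per line:
# "<ISO timestamp> <client ip> <gateway action> <url>"
PROXY_LOG = """\
2021-03-19T08:15:00Z 10.1.2.3 ALLOW http://newly-bad.example/login.php
2021-03-19T09:02:11Z 10.1.2.4 ALLOW https://cdn.example/lib.js
2021-03-19T22:40:05Z 10.1.2.3 ALLOW https://dropper.example:8443/a.bin
2021-03-20T13:05:00Z 10.1.2.9 BLOCK http://newly-bad.example/x
2021-03-20T14:00:00Z 10.1.2.7 ALLOW http://phish.example/y
"""


def newly_added(old: set[str], new: set[str]) -> set[str]:
    """Domains the update added; only these need a retroactive look,
    since the gateway was already blocking the old ones."""
    return new - old


def hunt(log: str, old: set[str], new: set[str],
         update_time: datetime) -> dict[str, list[str]]:
    """Map each newly added domain to the internal clients that reached it
    before the update. Hits after the update are the gateway's job; hits
    before it are candidate compromises that need investigation."""
    fresh = newly_added(old, new)
    hits: dict[str, list[str]] = {}
    for line in log.splitlines():
        ts_str, client, _action, url = line.split(maxsplit=3)
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        host = (urlsplit(url).hostname or "").lower()
        if host in fresh and ts < update_time:
            clients = hits.setdefault(host, [])
            if client not in clients:
                clients.append(client)
    return hits


if __name__ == "__main__":
    for domain, clients in hunt(PROXY_LOG, OLD_BLOCKLIST,
                                NEW_BLOCKLIST, UPDATE_TIME).items():
        print(f"{domain}: investigate {', '.join(clients)}")
```

The same pattern applies to any newly published indicator: diff against what you already had, then query history for the new entries only.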
Security processes that include these active steps can decrease time to detect and time to restore from days/weeks/months to minutes/hours as well as reduce business impact from damaging to minimal.
Exchange Server: 92% Patched (But Patching Is Not Sufficient)
Earlier this week, Microsoft reported that 92% of vulnerable on-premises Exchange servers have applied mitigations or been patched against the critical ProxyLogon flaws. Organizations should note that installing the patches does not eliminate the infection if the servers were compromised prior to patching. IT administrators should check systems for indicators of compromise (IOCs). Microsoft released fixes for the four vulnerabilities on March 2.
A 92% mitigation rate is indeed impressive, unless it is due to attackers mitigating the vulnerability to hold on to servers they compromised. Again: It is critical to investigate Exchange servers in detail while patching. A pre-patch compromise is very likely.
The DHS emergency directive (ED 21-02) requires forensically imaging and analyzing the system prior to patching to avoid this scenario. It is so easy to get caught up in the heat of the moment and forget to check for compromise before patching the vulnerability. If you skipped the check, run the tools from CISA or Microsoft to make sure you’re clean; then cross-check with your SIEM. Also verify that your endpoint protection is watching for exploitation in real time. Note that Windows Defender includes this capability if your current solution does not.
This has long been a leading indicator of security-based processes/security programs vs. compliance-based. After a vulnerability is discovered, do you check to see if it had been exploited before you detected and mitigated the vulnerability? Old example: Web security gateway is updated with more URLs of malicious and/or compromised websites. Did you check to see if any internal machines communicated with the newly discovered evil locations? Too many audits just check the box if vulnerability scanning and patching, URL updating, and blocking were performed, never looking for that “we found the door to the vault open *and* checked to see if any cash was missing” step.