Adaptive Segmentation, micro-segmentation | March 19, 2021

Microsoft Exchange, SolarWinds, Verkada Breaches: Why Security Hygiene is More Important Than Ever

Raghu Nandakumara, Field CTO

We are only a few months into 2021, and we’ve already had three headline cyber incidents: the SolarWinds Orion compromise, the attacks targeting zero-day vulnerabilities in Microsoft Exchange, and the Verkada hack (the impact of which we may not be able to fully comprehend for a while yet). These events remind us of the now well-worn security belief that a breach is inevitable. What ultimately matters is how much individuals and organisations can limit the impact of a breach and how important basic security hygiene is during a time of crisis.

Security hygiene means healthy security behaviours, reinforced by supporting processes and technical controls. Across the lifecycle of an attack (reconnaissance, initial compromise, post-compromise activity), a target organisation’s sustained investment in security hygiene makes it harder for an attacker to achieve their objectives: it keeps them away from the data they are after and raises the chance that they are detected along the way.

Looking at the three headline incidents through the lens of security hygiene, we can identify areas where better care would have helped:

  • Verkada breach: Attackers were able to bypass privileged account management processes and acquire “super user” access to cameras across multiple customer sites. Further, customers that had not segmented their cameras from the rest of the corporate network left attackers an opportunity to move laterally and compromise other assets.
    • Where good hygiene could have helped: better overall account management, with role-based access control (RBAC) and least privilege applied across the board and MFA on highly privileged accounts, together with lateral movement prevention and detection.
  • Exchange zero-day vulnerabilities: Chaining multiple unpatched vulnerabilities allowed unauthenticated attackers to exfiltrate mailbox content and to upload webshells for persistence and lateral movement.
    • Where good hygiene could have helped: blocking unnecessary traffic to and from Exchange servers, monitoring account creation and group management events, monitoring outbound connection attempts to unknown destinations, and centralised collection of Windows event logs and IIS server logs.
  • SolarWinds Orion compromise: The compromise of the vendor’s build and packaging process allowed a trojanised software update, containing a backdoor, to be delivered to customers running Orion, giving the attackers direct access to those environments; they then abused the privileged access the Orion Platform holds to penetrate further into the target network.
    • Where good hygiene could have helped: blocking unnecessary traffic from SolarWinds Orion NPM servers to the Internet, and granting the accounts Orion uses only the privileges they need while monitoring how those accounts are used.
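The account-monitoring controls listed for the Exchange and Orion cases (watch account creation and group membership changes, collect Windows events centrally) can be turned into a simple correlation rule. The block below is an added example, not code from Illumio or from this post: it runs over a handful of constructed Windows security events of the kind a SIEM would hold after central collection, using the real Windows event IDs 4720 (user account created) and 4728/4732/4756 (member added to a security-enabled global/local/universal group). The host names, group list and time window are hypothetical choices for the illustration.

```python
"""Correlate centrally collected Windows security events to flag suspicious
account creation and privileged-group changes.
Added example (not Illumio's or the post's code)."""
from datetime import datetime, timedelta

# Hosts on which interactive account or group administration is never
# expected. Names and roles are hypothetical.
CRITICAL_HOSTS = {"EXCH01": "exchange", "ORION01": "solarwinds-orion"}

# Groups whose membership changes always warrant a look (illustrative list).
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Organization Management",
    "Exchange Trusted Subsystem", "Remote Desktop Users",
}

# Real Windows security event IDs: account created, and member added to a
# security-enabled global (4728), local (4732) or universal (4756) group.
EVT_USER_CREATED = 4720
EVT_GROUP_MEMBER_ADDED = {4728, 4732, 4756}

# Constructed sample events in the shape a SIEM stores them:
# (timestamp, host, event id, subject account, target account, group or None)
SAMPLE_EVENTS = [
    ("2021-03-10T02:11:05", "EXCH01", 4720, "SYSTEM", "svc_backup2", None),
    ("2021-03-10T02:11:09", "EXCH01", 4732, "SYSTEM", "svc_backup2", "Administrators"),
    ("2021-03-10T09:30:00", "DC01", 4720, "helpdesk.jane", "new.hire", None),
    ("2021-03-10T09:31:00", "DC01", 4728, "helpdesk.jane", "new.hire", "Finance Users"),
    ("2021-03-10T14:05:00", "DC01", 4728, "it.admin", "contractor.x", "Domain Admins"),
]


def analyse(events, window=timedelta(minutes=10)):
    """Return a list of (severity, host, reason) alerts.

    Rules applied:
      1. Any account creation on a critical host is high severity.
      2. Any addition to a privileged group is at least medium severity.
      3. Rule 2 is raised to high when the account was created within
         `window` of being added, a classic create-then-elevate pattern.
    """
    alerts = []
    created_at = {}  # target account -> creation time
    for ts, host, event_id, subject, target, group in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == EVT_USER_CREATED:
            created_at[target] = when
            if host in CRITICAL_HOSTS:
                alerts.append(("high", host,
                               f"account {target!r} created on {CRITICAL_HOSTS[host]} "
                               f"server by {subject!r}"))
        elif event_id in EVT_GROUP_MEMBER_ADDED and group in PRIVILEGED_GROUPS:
            severity = "medium"
            reason = f"{target!r} added to {group!r} by {subject!r}"
            if target in created_at and when - created_at[target] <= window:
                severity = "high"
                reason += f" within {window} of the account being created"
            alerts.append((severity, host, reason))
    return alerts


if __name__ == "__main__":
    for severity, host, reason in analyse(SAMPLE_EVENTS):
        print(f"[{severity:6}] {host}: {reason}")
```

On the sample data the rule produces three alerts: two high-severity alerts for the account created and immediately made a local administrator on the Exchange server, and one medium-severity alert for the Domain Admins addition on the domain controller; the routine helpdesk work is silent. The point of the example is the correlation, not the specific thresholds: the same events, collected centrally and joined on the target account, say far more than either event in isolation.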

This list shows that basic security hygiene pays off even when nation-states are the presumed attackers. These straightforward practices push the adversary into the open, increasing the chance that alarm bells ring and the incident can be contained.

Some of the technical controls behind cyber hygiene are more complex and slower to roll out than others. For example, fully implementing privileged access management at scale across a global network can take significantly longer than deploying host-based micro-segmentation, which requires no network changes or re-architecture of the hosts and workloads. In that situation the micro-segmentation control, being both quicker to deploy and highly effective, is an essential lateral movement prevention control in its own right and a compensating control while the privilege management deployment is still under way.

Illumio’s micro-segmentation solution helps improve cyber hygiene by providing:

  • Significantly enhanced visibility into data centre traffic flows, which also supplies the data needed to detect unauthorised lateral movement.
  • Micro-segmentation policies that limit exposure into and out of your most critical assets. In the case of Exchange, this means following Microsoft’s own best practice of restricting access to only the ports that are necessary. See the Microsoft Security Blog for more information.
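The two bullets above, together with the earlier recommendations to block unnecessary traffic to and from Exchange and Orion servers and to watch for outbound connections to unknown destinations, describe an allow-list policy applied to observed flows. The block below is an added example that is not Illumio's policy model or code: it evaluates a set of constructed flow records against a hypothetical per-role allow list and reports every flow the policy does not permit. The IP addresses, role names, port choices and internal network range are assumptions made for the illustration, not the ports Microsoft's guidance lists.

```python
"""Evaluate observed flows against an allow-list segmentation policy for
critical servers. Added example; not Illumio's policy model or code."""
import ipaddress

# Hypothetical workload inventory: IP address -> role label.
ROLES = {
    "10.0.1.10": "exchange",
    "10.0.2.20": "orion",
    "10.0.3.30": "smtp-relay",
    "10.0.9.5": "domain-controller",
    "10.0.50.7": "admin-jumphost",
}

# Anything inside these ranges but absent from the inventory is "internal";
# everything else is "internet". (Assumed site addressing.)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Allow-list policy per protected role. Each rule is (peer class, dst port),
# where the peer class is a role label, "internal", "internet" or "any".
# Any flow that matches no rule is a violation. Ports are illustrative.
POLICY = {
    "exchange": {
        "inbound": {("any", 443), ("any", 25), ("admin-jumphost", 3389)},
        "outbound": {("domain-controller", 88), ("domain-controller", 389),
                     ("domain-controller", 53), ("smtp-relay", 25)},
    },
    "orion": {
        "inbound": {("admin-jumphost", 443)},
        "outbound": {("internal", 161), ("internal", 22), ("domain-controller", 389)},
    },
}


def classify(ip):
    """Map an address to a role label, or to 'internal' / 'internet'."""
    if ip in ROLES:
        return ROLES[ip]
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "internet"


def rule_matches(rules, peer_class, port):
    return any(pc in ("any", peer_class) and p == port for pc, p in rules)


def evaluate_flow(src, dst, dport):
    """Return the list of policy violations for one flow (empty = allowed).

    Both ends are checked: a protected source must have an outbound rule
    for the destination, and a protected destination must have an inbound
    rule for the source. Server-to-server flows can therefore violate twice.
    """
    src_class, dst_class = classify(src), classify(dst)
    reasons = []
    if src_class in POLICY and not rule_matches(POLICY[src_class]["outbound"], dst_class, dport):
        reasons.append(f"{src_class} egress to {dst_class} peer {dst}:{dport} not permitted")
    if dst_class in POLICY and not rule_matches(POLICY[dst_class]["inbound"], src_class, dport):
        reasons.append(f"{dst_class} ingress from {src_class} peer {src}:{dport} not permitted")
    return reasons


def violations(flows):
    """Return [(flow, reasons)] for every flow the policy does not allow."""
    return [(f, evaluate_flow(*f)) for f in flows if evaluate_flow(*f)]


# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("192.0.2.44", "10.0.1.10", 443),     # Internet client reaching OWA: allowed
    ("10.0.1.10", "10.0.9.5", 389),       # Exchange -> DC LDAP: allowed
    ("10.0.1.10", "203.0.113.9", 443),    # Exchange -> unknown Internet host: violation
    ("10.0.2.20", "203.0.113.77", 443),   # Orion -> unknown Internet host: violation
    ("10.0.2.20", "10.0.30.15", 161),     # Orion polling an internal device: allowed
    ("10.0.50.7", "10.0.2.20", 443),      # Jump host -> Orion web UI: allowed
    ("10.0.1.10", "10.0.2.20", 445),      # Exchange -> Orion over SMB: violation both ways
]

if __name__ == "__main__":
    for flow, reasons in violations(SAMPLE_FLOWS):
        print(flow, *reasons, sep="\n    ")
```

Run in monitor mode against real flow telemetry, the same evaluation tells you which flows an enforced policy would have dropped; the Exchange and Orion egress to unknown Internet hosts is exactly the traffic the post recommends blocking, and the Exchange-to-Orion SMB flow is the lateral movement segmentation is meant to stop. Building the allow list from observed, legitimate flows first is what keeps enforcement from breaking the services you are protecting.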

The bottom line is that organisations are often unaware of the vulnerabilities that lead to their breaches. Focusing on what you can control, such as good security hygiene, results in a stronger overall security posture. The recent headline-making cyberattacks further highlight the need to adopt Zero Trust principles to limit lateral movement and contain breaches.

To learn more about how micro-segmentation helps improve monitoring and protection of Exchange and other critical infrastructure, check out:
