2021 began with a cyberattack that made an impact across the country and around the world. In early January, cybersecurity company Volexity discovered hackers exploiting vulnerabilities in Microsoft Exchange servers, though the full extent of the damage was unknown at the time.
"Through its analysis of system memory, Volexity determined the attacker was exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange. The attacker was using the vulnerability to steal the full contents of several user mailboxes," Volexity researchers wrote in a blog post about the attack.
Any type of cyberattack is bad news for an organization, but when email servers are breached, cybercriminals have the keys to a company's digital kingdom.
Typically, having email access can allow for one or more "backdoors" to gain account access, according to Kevin Dunne, president at Pathlock. This can include:
Email password reset: request an email to reset password in an application.
Shared account credentials: find an email message with shared credentials.
Two-factor authentication: retrieve the two-factor authentication passcode to complete authentication.
Send email to admin: notify admin via hijacked email to request new password.
Data search: gather information from email messages to be able to answer secret questions required for password reset.
"Securing email accounts is critical to maintaining security within the application landscape," said Dunne.
Protecting core assets
The ability to bypass some security measures in an email hack gives threat actors a much easier foothold into the organization's network. Once inside, they shorten the distance to access the company's most-valued assets. To protect those assets, security leaders have to know what they are and where they are within a system.
"Core assets of any organization can include differentiated branding, customer service, people, and key digital assets as companies continue their digital transformations. Often we call these digital workloads," said John Morgan, CEO at Confluera, in an email interview.
Core digital assets cover web servers, databases and other applications. They can be customer-facing or backend services such as inventory management and billing.
Every part of the infrastructure and every endpoint needed for business operations is at risk if workloads are compromised or otherwise made inaccessible.
However, too many organizations continue to approach cybersecurity at the perimeter of the networks or endpoints first, waiting to secure other parts of the environment.
"Organizations should focus their attention on securing the workload, ensuring any attacks that progress toward the workload can be identified and intercepted before they can cause harm or result in a breach," said Morgan.
Coming in through the backdoor
Core assets already carry vulnerabilities that need layered defenses. An email hack adds an even bigger threat that must be mitigated.
Hackers can disguise themselves as trusted employees or third-party partners because they now have access to credentials. It also becomes easier to create a targeted phishing attack or load malware into applications. It all comes down to access.
That access extends to the internal supply chain: once threat actors hold it through the email hack, it opens a backdoor to the company's entire IT architecture.
The challenge is to apply protections that will detect and stop such infiltration.
"In some cases, the protections are more straightforward — e.g., patch a known vulnerability to remove an entry point. In other cases, like with APIs, both the attacks and the protections need to be much more sophisticated, since compromising an API requires understanding its unique business logic," said Michelle McLean, VP of marketing at Salt Security, via email.
Limiting the damage of an attack
The best practices for limiting damage during an email attack call on companies to:
Educate users and offer resources to help users understand the risks of shadow IT, how to engage IT to enable security features in their applications, and how to spot and avoid phishing attacks, the most common vector for hijacking credentials.
Apply least privilege: limit each user's access to what is needed, and continually revisit permissions, removing those that go unused.
Monitor user activity for suspicious behavior. There are tools that will detect unusual behavior and provide a real-time response through alerts, deprovisioning, forcing two-factor authentication and/or other preventative methods.
Evaluate endpoint protection, from antivirus software to endpoint detection and response (EDR), but also deploy security solutions that focus on the servers, databases and applications.
Ensure the SOC team has the means to detect lateral movement found in modern multistage attacks.
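As an added illustration of the user-activity monitoring the list above calls for (example code written here, not code from the article or any vendor quoted in it), this Python snippet scans constructed mailbox audit events for the password-reset, two-factor-code and shared-credential messages named in the backdoor list earlier, and flags those touched from outside an assumed corporate address range. The pipe-delimited log format, the field names and the 10.x trusted range are assumptions.

```python
import re

# Constructed sample mailbox audit events (hypothetical, loosely modelled on
# Exchange mailbox audit fields): timestamp|user|client_ip|action|subject
SAMPLE_AUDIT_LOG = """\
2021-01-05T09:01:00|alice|10.0.0.5|MailItemsAccessed|Weekly status report
2021-01-05T09:03:10|alice|203.0.113.7|MailItemsAccessed|Reset your password for HR portal
2021-01-05T09:03:40|alice|203.0.113.7|MailItemsAccessed|Your verification code is 482913
2021-01-05T09:04:05|alice|203.0.113.7|HardDelete|Your verification code is 482913
2021-01-05T10:12:00|bob|10.0.0.9|MailItemsAccessed|Lunch plans
"""

# Subject patterns for the mailbox "backdoors" listed in the article.
SENSITIVE_SUBJECTS = {
    "password_reset": re.compile(r"reset (your )?password", re.I),
    "two_factor_code": re.compile(r"(verification|authentication|one-time) code", re.I),
    "shared_credentials": re.compile(r"\b(credentials|login details)\b", re.I),
}

# Assumption: corporate client address space; anything else counts as external.
TRUSTED_PREFIXES = ("10.",)

def parse_audit_log(text):
    """Split pipe-delimited audit lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        events.append(dict(zip(("ts", "user", "ip", "action", "subject"), parts)))
    return events

def classify_subject(subject):
    """Return the sensitive-message category for a subject, or None."""
    for name, pattern in SENSITIVE_SUBJECTS.items():
        if pattern.search(subject):
            return name
    return None

def find_suspicious_access(events, trusted=TRUSTED_PREFIXES):
    """Flag sensitive messages touched from an untrusted client IP; a hard delete
    of such a message is rated higher because it hides the attacker's trail."""
    findings = []
    for ev in events:
        category = classify_subject(ev["subject"])
        if category is None or ev["ip"].startswith(trusted):
            continue
        severity = "high" if ev["action"] == "HardDelete" else "medium"
        findings.append({**ev, "category": category, "severity": severity})
    return findings
```

In a real deployment the trusted-range check would be replaced by the organization's own baseline of known client locations, and findings would feed the alerting or deprovisioning response described above.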
"No matter how many preventative security solutions and processes are in place, you must assume you have already been attacked by insider threats, vulnerabilities and supply chain risks," said Morgan.
Organizations must be able to detect these stealthy lateral movements to be able to prevent breaches and compromises.