CONTACT US
forrester wave report 2023

Close your ransomware case with Open NDR

SEE HOW

Download our free guide to find hidden attackers.

Find hidden attackers with Open NDR

SEE HOW

cloud-network

Corelight announces cloud enrichment for AWS, GCP, and Azure

READ MORE

corelight partner programe guide

Corelight's partner program

VIEW PROGRAM

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-spring-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Exchange exploitation and architecting for visibility

The new Microsoft Exchange vulnerabilities disclosed earlier this month highlight the importance of  architecting for security visibility on the network. 

At most organizations the communications between users and Exchange servers are  encrypted. The initial malicious payload and web shells planted upon successful exploitation of these vulnerabilities also run across those encrypted channels, which means organizations reliant on common points of network visibility such as IDSes or proxies can only look for transient and easily-changed indicators of compromise like known attacker IP addresses. 

Relying on purely endpoint-driven security to respond to major server-side compromises like these has its own set of drawbacks. Many organizations choose not to run security agents directly on critical servers for performance and stability reasons, and the list of exceptions recommended by Microsoft when running security software on Exchange servers is long enough that it can easily result in agents missing critical items. The web server logs that are being commonly used for detection of the current vulnerability are not only prone to being tampered with by sophisticated attackers, but also to bureaucratic problems between application and security teams that complicate proper response. Sophisticated teams will use the best of both endpoint and network-driven security technologies to balance out the issues each individual approach has.

Fortunately there’s a simple, well-proven architecture that can restore network security visibility for major production servers: terminating encryption on a load balancer or reverse proxy before reaching the Exchange server. This allows security or other monitoring systems to see all traffic in plaintext, while preserving privacy across the Internet. Unlike client-side man-in-the-middle decryption, which requires pushing trusted certificates throughout an organization and has problems with TLS 1.3, encryption termination has no client-side requirements and is unhampered by obfuscation of the certificate exchange process. This approach also has the benefit of reducing CPU load on application servers (by letting the devices in front of them do decryption) and improving service reliability for larger environments, so it’s a favorite of security, application, and network teams alike.

For those already running with the security visibility architecture described above, Suricata signature IDs 2847421 – 2847423, as well as 2847418 – 2847420, will detect compromise attempts against their Exchange servers; SIDs 2031812, 2009146, 2009147, 2009149, 2822303, 2017313, 2027393, and 2027341 will find some of the common web shells being dropped by successful attackers. 

Those with Zeek data can look for a host of additional indicators outlined by CISA, as well as applying some of the proactive hunting techniques outlined in our Threat Hunting Guide to search for other malicious payloads dropped on compromised servers.

 

Recent Posts