The cyber world has entered a new era in which attacks take place on a far larger scale than ever before. Large-scale hacks affecting thousands of high-profile American companies and agencies have recently come to dominate the news. Prominent among these are the December SolarWinds / FireEye breach and, most recently, the Microsoft Exchange Server breach. Everyone wants to know: if you have been affected by the Exchange breach, what should you do?
To answer this question, and to compare our security philosophies, we outlined what each of us would do, side by side. One of us is a career attacker (David Wolpoff), and the other is a CISO with experience acquiring companies in the healthcare and security spaces (Aaron Fosdick).
Do not wait for your incident response team to bear the brunt of a cyber attack on your organization.
CISO Aaron Fosdick
1. Back up your system.
A hacker is likely to drop ransomware after breaking into your mail server, so you will be relying on your backups, configurations and so on, but you must restore from a copy taken before the breach. Design your backups with the assumption that an attacker will try to delete them. Do not use your common administrator credentials to encrypt your backups, and make sure that your administrator accounts cannot delete or modify backups after they are created. Your backup target should not be part of your domain.
2. Assume compromise and turn off connectivity if necessary.
Identify if and where you have been compromised. Inspect your systems to see whether an attacker is using the Exchange server as a launch point and is trying to move laterally from there. If your Exchange server is indeed compromised, you want to remove it from your network as soon as possible. Depending on how the attackers operate once inside, disable external Internet connectivity so that they cannot exfiltrate any data or communicate with other systems on the network.
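One way to carry out the isolation step above on a Windows host such as an Exchange server, as an added example that is not from the original article: it preserves the current firewall policy for the investigation, blocks all inbound and outbound traffic by default, and lets only the incident-response workstation reach the box over RDP and WinRM. The address 10.0.50.10 and the C:\IR folder are assumed placeholders.

```powershell
# Added example, not from the original article. Run as administrator on the
# suspected Exchange host. 10.0.50.10 is an assumed placeholder for the IR jump host.
$IrHost = "10.0.50.10"
$Stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Force -Path "C:\IR" | Out-Null

# 1. Preserve the pre-isolation firewall policy so the change can be reversed
#    later and the original state is available to the investigation.
netsh advfirewall export "C:\IR\firewall-before-$Stamp.wfw" | Out-Null

# 2. Allow the IR workstation in (RDP, WinRM) before flipping the defaults,
#    so the responders do not lock themselves out of the host.
New-NetFirewallRule -DisplayName "IR-Allow-Inbound-$IrHost" -Direction Inbound `
    -Action Allow -RemoteAddress $IrHost -Protocol TCP -LocalPort 3389,5985,5986
New-NetFirewallRule -DisplayName "IR-Allow-Outbound-$IrHost" -Direction Outbound `
    -Action Allow -RemoteAddress $IrHost

# 3. Block everything else in both directions on every profile and log the
#    blocked connections: any continued beaconing attempts show up in the log.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName "C:\IR\firewall-blocked-$Stamp.log"

# 4. Existing allow rules still match before the default action applies, so
#    disable every allow rule that is not ours; the block default then covers
#    all other traffic.
Get-NetFirewallRule -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -notlike "IR-Allow-*" } |
    Disable-NetFirewallRule
```

Disabling the built-in allow rules also stops DHCP and DNS, so give the host a static address (or confirm its lease outlasts the investigation) before running step 4.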