Key Takeaways from the Microsoft Exchange Breach

The recent attack on Microsoft Exchange, which seems to have affected anywhere from 30,000 to 60,000 or more organizations, appears to be far more impactful than just email. In fact, it’s extremely alarming across the whole industry supply chain given the types of affected entities from central banks to government agencies. When you think about the potential risks of an attacker not only accessing vast numbers of emails, but also having control over the server or adjacent systems, the blast zone is very wide indeed. Attackers have access to more than just email data in this compromise and we’re likely to see multiple secondary attacks from it.

In this case, the stolen data may be extensive and highly sensitive, with attackers apparently having control for a few weeks – so the extent of abuse may not be immediately know, if ever. 

What kind of data can we assume was affected?

1. Unprotected data in emails – spreadsheets, documents, Intellectual property, contracts, bids, vulnerabilities, and most concerning – credentials for services, clouds, user accounts, or even highly sensitive documents shared encrypted in other emails. How often have you received an email with a password sent in the next email?
2. Encrypted content where control over the email account permits decryption from some encrypted email cloud providers without an additional password or factor – content that likely signals its interest to determined attackers who may now access it. An attacker also now has potential access to an encrypted email channel (outbound) to send ransomware to victims through what was a trusted channel that may evade perimeter security at recipient systems
3. Credentials to third party systems, and access to email based authentication systems or account recovery/password resets – how many people use corporate email for account recovery to other systems ?
4. Social engineering data for accurate and dangerous ransomware emails and phishing emails – for the organization any of their email correspondents – partners, customers, employees, and critical vendors.
5. Servers and networks connected to critical authentication platforms, like AD – according to CISA, the attack allows AD to be accessed and the database to be potentially downloaded, for example.
6. Supply chain partners with their customer data in emails – the huge, sprawling network of people, companies and their contacts across many dimensions – email, phone, instant messaging and so on.

Putting this in perspective, this is a forensic and data security chaos scenario. Another concern is the apparent exposure beyond the initial nation-state attack by other groups exploiting unpatched systems. The list goes on.

It’s also a very clear signal to businesses to revisit not only how they use email and secure infrastructure, but to go beyond and protect sensitive data in and out of their enterprise so that under attack circumstances, the impact and blast zone across the 6 areas of span is much smaller and manageable to a very limited scope, if any. Organizations who haven’t taken this leap may wish to start looking at data-centric approaches to avoid the next attack, as this wont be the last.

So what should organizations do?

First, patch and follow the guidance. No doubt about it, stop the bleeding and assume trust is breached. Conduct forensics. Consider email encryption from a system independent of Exchange for email specifically, and perhaps files. But for sensitive data that should never have been in emails, spreadsheets, databases, SaaS systems whose credentials may be at risk, cloud lakes and analytic platforms, consider tokenizing it – a modern way to ensure data isn’t the blast zone itself.

Tokenization replaces the sensitive data like banking account information, sensitive personal data – phone numbers, passport ID’s, Tax ID’s, health codes, date of birth, email address, and so on. Tokens replace this data with a random but functionally equivalent record or field in the database, data flow, data lake. In most cases, the token can actually be used without needing the live value, for instance in fraud detection analytics where a Tax ID or Bank account number has to behave like one, and be unique, but not specific to a particular person – until really needed. It’s like converting gold to coal, but instead for sensitive data that’s gold to attackers. Nobody wants to sell coal on the dark web or hold coal to ransom. It’s possible to do this at scale, and with more transparent integration strategies, to plug into complex data flows across traditional applications, through modern data engineering, and into data science platforms.

How would tokenization be useful in light of this breach?

Cybersecurity effectiveness comes from a defense in depth strategy. But a crack in the armor of traditional defenses eliminates the ability to control defense and enables attackers to control from the inside.

There is no way to stop or prevent an attack. All you can do is buy time and mitigate the extent of it. This is what the Accenture quote was about. Leading companies still get attacked, but the blast zone is confined and there are less damaging blasts.

When technologies like data-centric security and tokenization are used, the defense mechanisms that buy time, reduce blast zones and allow attacks to have limited impact are:

1. Data that is tokenized, without capacity to detokenize, is useless to attackers when strong industry standard tokenization is used
   • An attacker blindly accessing databases, files and lakes with tokenized data will essentially have stolen coal, not gold.
2. Centrally managed tokenization that operates across sensitive processes reduces the ability to detokenize to authorized systems.
   • Even if an authorized system is compromised, the tokenization back end will govern access to live data
   • This will also show monitoring changes for example, an attacker attempting a bulk data access process that is unexpected may appear in an alert in the Security Operations Center based on detokenisation events.
   • This can allow an enterprise to shut down detokenization and limited access to data even if the attacker is deep inside. With distributed encryption, that’s MUCH harder – lots of endpoints, lot of different controls. Some are designed to operate offline for resilience which is counterproductive in an attack and may even enable attackers to steal massive data sets undetected in time.
3. Also, forensically, after a breach, having a single system to see who and what, and where sensitive structure data was accessed provides speedy response and action versus looking across all apps and processes separately.
4. If the breach is found to have only tokenized data, the outcome is a notification of an incident, but a much more limited announcement.
5. Should the company face litigation, the defense of using state of the art protection will likely limit damages, if any, and limited compliance violations though of course this is not legal advice and you should seek your own counsel as always.
6. If a company has no controls over data, they will likely face significant claims risk due to not meeting industry or regulatory expectations, nor state of the art protections. This is a common situation with recent GDPR, CCPA/CPRA cases, and likely to be the same under POPIA, LGPD, NACHA, GLBA, HIPAA as well of course as the venerable PCI DSS regulation.

If you’d like to learn how this might apply to your organization, you can contact us here – or have chat with one of our experts. They might even be online right now to have a virtual coffee with you – safely right here.