Hack takes: A CISO and a hacker detail how they’d respond to the Exchange breach

The cyber world has entered a new era where attacks are becoming much more frequent and happening on a wider scale than ever before. Huge hacks affecting thousands of high-level American agencies and agencies have recently dominated the news. The main ones are the December SolarWinds / Fire breach and more recently the Microsoft Exchange server breach.

Everyone wants to know: What should you do if you are a victim of an exchange violation? To answer this question, and to compare security philosophies, we have outlined what we have done as well. One of us is a career attacker (David Wolpoff), and the other is a CISO with experience in healthcare and safety organizations (Aaron Fosdick).

A hacker will probably attack you with some transceiver attacks after you split your mail server. So rely on your backup, configuration, etc. Keep a backup of everything you can.

A hacker will probably attack you with some transceiver attacks after you split your mail server. So rely on your backup, configuration, etc. Keep a backup of everything you can.

But come back to an example before the violation. Design your backups with the idea that an attacker will try to delete them. Don’t use your usual administrator credentials to encrypt your backups, and make sure your administrator accounts can’t delete or modify backups once they’re created. Your backup goal should not be part of your domain.

Identify where you compromised. Examine your systems forensically to see if any systems are using your surface as a launch point and trying to get out of it permanently. Identify where you compromised. Examine your systems forensically to see if any systems are using your surface as a launch point and trying to get out of it permanently.

If your Exchange Server is truly compromised, you want it to shut down your network as soon as possible. Disable the external connection to the Internet so that they cannot consolidate any data or communicate with other systems on the network, thus introducing attackers.