Identify malicious activity associated with exchange servers


Problem

On 2 March 2021, the Microsoft Threat Intelligence Center (MSTIC) published a report describing the exploitation of thousands of on-premises Exchange Servers worldwide by a threat actor group it named Hafnium, which Microsoft assessed to be state-sponsored and operating out of China. The report describes a widespread campaign in which the group used previously unknown (zero-day) Exchange vulnerabilities to gain access to Internet-facing servers, then used that access to implant web shells on the compromised devices. With that foothold, the actors harvested e-mail from the mailboxes of those organizations and pivoted to other resources within the target environments.

Also on 2 March 2021, the Microsoft Security Response Center (MSRC) released out-of-band security updates for the previously unreported vulnerabilities that these actors had leveraged (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). Once the updates were public, other threat actors reverse-engineered them to build their own exploits, scanned the Internet for unpatched Exchange Servers, and compromised thousands of further organizations across the globe that had not applied the patch promptly.

Organizations that were compromised after the patch was released would have benefited from a stronger, more efficient and effective patch management program. The task is to identify other ways in which organizations could have mitigated the threat of exploitation in the absence of a comprehensive patch management program.

i. Define the concept of "Defense in Depth" and discuss how it can prevent threat actors from fully penetrating a network, even if they are able to compromise a public-facing device.

ii. Define what an IDS, an IPS and an IDPS are, and explain how they could have helped organizations identify malicious activity associated with their Exchange Servers.

iii. Explain how a Zero Trust model could have prevented these and other threat actors from pivoting to other resources within the networks of compromised organizations.
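Question ii asks how an IDS could have surfaced malicious activity on the Exchange Servers. The following is an added example, not part of the assignment and not Microsoft tooling: a small host-based detection in Python that parses IIS W3C logs from an Exchange front end and flags requests for .aspx pages in the directories where the Hafnium web shells were dropped (/aspnet_client/ and /owa/auth/), excluding known-good OWA pages. The log excerpt is constructed for illustration, and the allowlist of legitimate pages, the directory list and the field layout are assumptions that should be validated against a known-good server. An IPS would apply the same rule inline and block the request rather than only alerting on it.

```python
from collections import Counter

# Constructed IIS W3C log excerpt for a hypothetical Exchange front end
# (not real traffic). The field layout follows the default IIS W3C set;
# IIS writes spaces inside a field as '+', as in the User-Agent values.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 08:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-03-03 08:14:09 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/auth/logon.aspx 302 0 0 109
2021-03-03 08:20:41 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.44 python-requests/2.25.1 - 200 0 0 15
2021-03-03 08:20:43 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.44 python-requests/2.25.1 - 200 0 0 1304
2021-03-03 08:21:10 10.0.0.5 POST /owa/auth/errorFF.aspx - 443 - 203.0.113.44 python-requests/2.25.1 - 200 0 0 77
2021-03-03 08:22:00 10.0.0.5 GET /ecp/default.aspx - 443 EXAMPLE\\admin 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 44
"""

# Directories under the Exchange web root where web shells were observed.
# No .aspx page should normally be served from /aspnet_client/; under
# /owa/auth/ only a handful of pages are legitimate. The allowlist below is
# illustrative (an assumption) and must be built from a known-good server.
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/")
KNOWN_GOOD_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/owa/auth/errorfe.aspx",
}


def parse_w3c(log_text):
    """Turn IIS W3C log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line onto the declared layout; skip it
        rows.append(dict(zip(fields, values)))
    return rows


def is_webshell_path(uri_stem):
    """True for an .aspx page in a web-shell directory that is not allowlisted."""
    stem = uri_stem.lower()
    if not stem.endswith(".aspx") or stem in KNOWN_GOOD_ASPX:
        return False
    return any(stem.startswith(d) for d in WEBSHELL_DIRS)


def detect_webshell_hits(log_text):
    """Return one alert dict per request that matches the web-shell rule."""
    alerts = []
    for row in parse_w3c(log_text):
        if is_webshell_path(row["cs-uri-stem"]):
            alerts.append({
                "time": f'{row["date"]} {row["time"]}',
                "client": row["c-ip"],
                "method": row["cs-method"],
                "path": row["cs-uri-stem"],
                "user": row["cs-username"],       # '-' means unauthenticated
                "user_agent": row["cs(User-Agent)"],
                "status": row["sc-status"],
            })
    return alerts


def clients_by_hits(alerts):
    """Count alerts per client IP so the analyst sees who is driving the shell."""
    return Counter(a["client"] for a in alerts)


if __name__ == "__main__":
    hits = detect_webshell_hits(SAMPLE_IIS_LOG)
    for a in hits:
        print(f'{a["time"]} {a["client"]} {a["method"]} {a["path"]} '
              f'user={a["user"]} ua={a["user_agent"]} status={a["status"]}')
    print(dict(clients_by_hits(hits)))
```

On the sample above the rule ignores the normal OWA logon flow and the authenticated ECP request, and flags the three unauthenticated POSTs from a single external address to pages that should not exist; the scripted user agent and the 200 responses are the follow-up signals an analyst would check before pulling the file from disk.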
