Woman wearing glasses working on the laptop showing Proxyshell vulnerability and cyber risk

Minimizing Cyber Risk: Lessons Learned From Proxyshell

If you work in cybersecurity and feel as though your head hasn’t stopped spinning this year, you’re not alone.

The Treasury Department released a report last month revealing that the total value of ransomware reports in the first six months of 2021 was $590 million, compared to $416 million for the entirety of 2020.

The stakes are higher than ever for cybersecurity professionals to outpace their adversaries. As the world continues to lean into digitization, signing up to be a hacker for a living is becoming an increasingly popular move that pays exceptionally well when the right target is compromised.

Another challenge that’s plaguing cybersecurity professionals is the string of recent cyberattacks that has impacted some of the biggest names in the business, such as Microsoft. Cybercriminals are carrying out their deeds, hiding behind the names of vendors that people in cybersecurity tend to trust.

It makes it that much easier for them to walk right into your environments.

Case in point? ProxyShell.

What is ProxyShell?

To fully grasp the ProxyShell vulnerability, we have to go back a little further in time to talk about its predecessor: ProxyLogon.

Back in March 2021, cybercriminal group HAFNIUM used a series of zero-day exploits that impacted on-premises Microsoft Exchange servers. These exploits armed HAFNIUM with remote code execution abilities—a particularly dangerous attack that allows unauthorized individuals to run commands and control a computer without physical access. In other words, these threat actors gained the ability to bypass authentication safeguards, gain administrator access and execute any malicious code they wanted.

In the following months, a series of patches came along to remedy the ProxyLogon vulnerability. In cybersecurity, patches are all but a formal invitation for threat actors to get back to work to outsmart the latest fix.

Then, in August 2021, threat actors did just that with the ProxyShell vulnerability.

In short, bad actors discovered that on-premises servers that hadn’t been patched since July were still vulnerable. Attackers actively scanned for vulnerable Microsoft Exchange servers—and in this case, those vulnerable servers were those that hadn’t been patched since July.

Unfortunately, this led to some confusion among those in the cybersecurity community. Once news of ProxyShell got around, many in the industry read a line or two about unpatched on-prem Exchange servers and assumed the patches they applied back in April and May would protect their environments.

That wasn’t the case. In reality, the latest and most protective patch wasn’t released until July, causing a good amount of confusion in the community.

Why was it substantial?

There are a few important takeaways from the ProxyShell scenario that call to light some important issues that we can chalk up as lessons learned.

The first takeaway is by far the most obvious one: don’t automatically assume you’re safe because you patched at some point. Anyone in cybersecurity can cite the importance of patching, but the real importance is making sure the patches you’ve applied are the ones that remedy the latest vulnerabilities.

The second takeaway shines light on an unfortunate reality.

No vendor—not even Microsoft—is infallible.

As cybersecurity professionals, we have to hold ourselves accountable to do what we can to secure our environments. We should be verifying and then trusting.

We have to move toward a place of cyber resilience—being able to quickly adapt to the challenges of tomorrow and the attacks of today. Because the moves of threat actors become more difficult to predict every day, we have to pivot our stance and be able to adapt to and recover from the unknown. This is only possible through adaptability, continuous learning and trial and error.

Finally, for us to be successful as an industry, we have to operate with transparency. This is the first step to building trust both among our vendors and among one another. Operating openly helps to foster the sense of community that the cybersecurity industry needs for us all to be set up for success.

Minimizing future risk

Of course, the best way to deal with a vulnerability is doing what you can to prevent them from happening in the first place. Oftentimes, this can be done even through simple and basic security hygiene practices.

For example, run frequent checks to make sure that you don’t have open remote desktop protocol (RDP) ports or easy access points. Threat actors love easy wins, and ports that are wide open for their perusal are one of the easiest ways that attackers often sneak into environments. Identifying and securing these ports and points introduces one more challenging barrier to attackers just waiting for their chance to break into your network.

Another way to minimize future risk is to approach cybersecurity from multiple angles. The NIST Cybersecurity Framework gives a great overview of the five most important angles: identify, protect, detect, respond and recover. It can be tempting for cybersecurity professionals to fall into the trap of focusing on only one or two of these buckets, but the reality is that the best environments take all five of these factors into consideration.

If you’re a cybersecurity professional who works with end users, you’ve probably dealt with individuals who want to focus solely on prevention. This is the best way to set your environments up for failure.

Trying to prevent a cyberattack in 2021 is like trying to prevent a hurricane in Florida or a snowstorm in Massachusetts. Cyberattacks—just like hurricanes and snowstorms—are going to happen. It’s a matter of when, not if, and while prevention is certainly an important part of the puzzle, it can’t be the puzzle in its entirety. You should also be prepared for when a cyberattack does happen.

That’s where an incident response plan comes into play.

Much like individuals who work in public relations have a crisis communication plan in place to use when a PR storm brews in the media, cybersecurity professionals should have an incident response plan to turn to whenever they find themselves in the middle of a cyberattack. This plan should detail who is responsible for which actions both to secure all data and to get the environment back up and running as quickly as possible. This plan should be tested regularly to ensure no changes need to be made. Luckily, there are lots of tabletop exercises on the web for cybersecurity teams should they need to test out their plan.

Stay vigilant

Though the buzz around the ProxyShell incident has died down, this incident serves as a sobering reminder that all vendors are at risk—even those with big names such as Microsoft.

We can’t afford to let our guard down against cybercriminals. There’s no room in the cybersecurity field for assumptions, and we have to get better at verifying and then trusting.

Threat actors aren’t going to stop working toward perfecting their craft—and we can’t afford to, either.