Last year I wrote an article discussing recommendations from the Mandiant/FireEye M-Trends 2016 report. I thought it only prudent to discuss the 2017 report as well; however, this year's look will focus on one key area of the report: email.
Email has long plagued IT professionals. In the early 2000s we saw the beginning of the spam explosion, back in a day when open relay servers were the norm. A decade later, email became a major component of corporate litigation, and IT organizations had to scramble to find solutions for litigation hold and eDiscovery of email. Today email is a favorite target for the bad guys. There are many reasons for this: sometimes the email content itself is the valuable target, but more often email is the primary vehicle for the initial compromise that lets the attacker establish a foothold in the environment. Mandiant's report notes that "...the volume of email stolen through the years is likely greater than all other forms of electronic data theft combined".
There are several steps that need to be taken to protect email systems against the various types of attacks that exist. This article focuses on steps to consider when protecting the Microsoft email platform. Microsoft's Exchange platform can be hosted in several ways (cloud, on-premises, hybrid). Below are different approaches depending on the environment, though there can be many nuances from deployment to deployment.
1. Web and Outlook Client Authentication:
Outlook Web Access (OWA) can be integrated with a strong authentication solution like SecureAuth going all the way back to Exchange 2010; however, additional steps are needed to secure the Outlook client. Whether using on-premises Exchange or Office 365, ensure you are using clients that support modern authentication, paired with an adaptive multi-factor solution. Outlook 2013 and 2016 both support modern authentication; however, organizations with on-premises installations will need to be on Exchange 2016 to support it.
Multi-factor authentication is not possible with the legacy WS-TRUST protocol, and there has been an upward trend in attacks against WS-TRUST for this very reason. In the short term, organizations should implement threat services for WS-TRUST such as those available in SecureAuth IdP*. Enabling threat rules that block WS-TRUST authentication attempts from malicious networks will not only greatly reduce the chances of stolen credentials being used within the environment, but also reduce the chance of these attacks leading to a performance-impacting event. Long term, organizations should work towards disabling the legacy active login (WS-TRUST) endpoints once all clients, across all client types, have been moved to a configuration that supports modern authentication.
2. Securing ActiveSync:
In Office 365 and Exchange 2016 environments, the Outlook mobile client will prompt for MFA when integrated with a product like SecureAuth; however, the native mail clients for Android and iOS currently use the legacy ActiveSync web application, which doesn't support modern authentication. This leaves organizations with a few options to protect this directory from being accessed with stolen credentials:
- Option 1: Disable remote access to the ActiveSync directory and require users to use the Outlook mobile app for Android and iOS.
- Option 2: Make the ActiveSync URLs available only over a per-app VPN provided by a Mobile Device Management (MDM) provider. In this scenario, it's important to ensure the MDM registration page is not only MFA-protected but also fronted by an authentication product that can detect threatening traffic, using capabilities like those found in SecureAuth IdP.
3. Securing Exchange Web Services (EWS):
There are two main cases where remote access to the EWS directory is required. One is when running in Exchange/Office 365 Hybrid mode; the other is when allowing federation between two organizations (to share free/busy information, etc.). In both scenarios, access to the EWS directory should only be allowed from the specific IP addresses required for the integration. In the case of Office 365 Hybrid mode, the IP list changes frequently, and keeping it up to date will likely need to be scripted; this alone should be good motivation not to stay in Hybrid mode for too long.
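Keeping that EWS allow-list current is the part that gets scripted. The following is an added example (not SecureAuth's or Microsoft's code) that reconciles the allow-list configured in front of /EWS with a published range feed and returns the adds and removes to apply on whatever device enforces the restriction. It assumes the feed has the JSON shape of Microsoft's Office 365 IP Address and URL web service (rows with `serviceArea` and `ips`), with a constructed sample embedded inline.

```python
import ipaddress
import json

# Constructed sample in the shape of the Office 365 IP Address and URL web
# service JSON (assumption: https://endpoints.office.com/endpoints/worldwide).
# Ranges are RFC 5737/3849 documentation prefixes, not real Microsoft ranges.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "ips": ["192.0.2.0/25", "2001:db8::/32"], "tcpPorts": "443"},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow",
     "ips": ["198.51.100.0/24", "192.0.2.0/25"], "tcpPorts": "80,443"},
    {"id": 3, "serviceArea": "Exchange", "category": "Allow",
     "urls": ["outlook.example"], "tcpPorts": "443"},  # URL-only row, no ips
    {"id": 4, "serviceArea": "SharePoint", "category": "Optimize",
     "ips": ["203.0.113.0/24"], "tcpPorts": "443"},
])

# Allow-list currently configured in front of /EWS (constructed); the second
# entry is stale and no longer appears in the published feed.
CURRENT_ALLOWLIST = ["192.0.2.0/25", "203.0.113.64/26"]


def exchange_ipv4_ranges(endpoints_json):
    """IPv4 networks published for the Exchange service area. URL-only rows
    (no 'ips' key) and IPv6 are skipped; strict=True rejects CIDRs with host
    bits set, since such a typo silently changes what the rule allows."""
    nets = set()
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != "Exchange":
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=True)
            if net.version == 4:
                nets.add(net)
    return nets


def reconcile(current_allowlist, published):
    """Change set that brings the allow-list in line with the feed. A catch-all
    range (prefix length 0) on either side is refused rather than applied."""
    current = {ipaddress.ip_network(c, strict=True) for c in current_allowlist}
    for net in current | published:
        if net.prefixlen == 0:
            raise ValueError("refusing catch-all range %s" % net)
    return {
        "add": [str(n) for n in sorted(published - current)],
        "remove": [str(n) for n in sorted(current - published)],
        "unchanged": len(current & published),
    }
```

Run it on a schedule against the live feed and treat a non-empty `remove` list as a review item, since a stale entry keeps a range reachable that Microsoft no longer uses.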
2FA Is Not Enough to Secure Your Email Environment
The Office 365 and on-premises Exchange use cases are a great example of how simple two-factor authentication is not enough. It's important to use an authentication solution that can evaluate, and take action on, authentication attempts based on a set of adaptive risk rules tailored to each organization's needs.
*Enhanced protection for Office 365 that includes threat protection for WS-TRUST is available in SecureAuth IdP version 9.1, available in July 2017.