
Not a fan of sales teams chasing an ambulance when defenders are doing their best to mitigate the latest threat vector, but providing guidance is another story.

That said, the adversary has no such qualms; in fact, it’s prime time for them. They are not only causing the ambulance to be dispatched, they are also using it as air cover for other threat vectors that eyes are no longer focused on.

As companies continue to patch systems, we can use this time to explore the opportunity for defenders. There are lessons to be learned from current and past threats. For the adversary to be successful, they need a few things in their favor:

  • A remotely accessible vulnerable system, typically internet facing
  • Weak or no endpoint protection, detection, and response
  • No intrusion prevention
  • No web application firewalls

All they need is a crack in our armor and that’s it. This gets worse if the adversary is already within the environment and now has an opportunity to expand their foothold and in many cases with limited restrictions.

Patching is the recommended method to remediate the risk, but it is not always feasible in a timely manner. Until the patch lands, compensating controls close the doors the adversary depends on:

  • Implement remote access to SharePoint over a VPN or, even better, zero trust access (ZTA) — Zero trust access hides the FQDN of these systems from the internet (they are not even resolvable externally) and leverages secure protocols like QUIC and MASQUE wrapped with risk-based multi-factor authentication (MFA) and robust posturing. Adversaries do not have direct access to these systems, closing this door.
  • Enable signatures for intrusion prevention systems and web application firewalls — SNORT: SID 65092, SID 65183. Another door closes. Check out Talos Vulnerability Research for the latest.
  • Leverage AMSI from Microsoft and take advantage of advanced endpoint protection platforms that add behavioral protection and can scan AMSI buffers — ClamAV detection: Asp.Webshell.SharpyShell-10056352-3. One more opportunity denied.

Now, we all know protections fail, so that brings us back to patching whenever possible.

Most organizations know which servers run SharePoint, but we should also be able to identify these systems quickly through CVE discovery (with Log4j, discovery was not easy, but it should be). Once we identify the systems carrying the CVE, we immediately remove their external access based on exposure. We use the CVE to identify the systems and categorize them as “CVE-BAD,” a tag that drives a workload/application policy deployed directly in Windows Firewall (in this case), preventing or limiting their ability to communicate externally.

Further to that, we can also limit the asset’s ability to be used for lateral movement within the network if compromise does happen — fully restricted to only the services required to deliver said service and nothing more — which drives a zero-trust outcome in the workload/application environment. This is risk reduction at its finest: prescriptive and accurate.

Now, once the vulnerability is patched, these systems automatically have the restriction removed – no need for humans to manage the rule set after remediation takes place. The rule is removed automatically: no more care and feeding.
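The CVE-BAD lifecycle described above, as an added example that is not Cisco's or the author's code: a tag-driven Windows Firewall reconciler that restricts outbound traffic while the host is flagged vulnerable and cleans up by itself once it is patched. It assumes the vulnerability status comes from an external CVE discovery tool (the constructed $Inventory below, with a placeholder CVE id and constructed peer addresses), uses only the built-in NetSecurity cmdlets, and runs in an elevated PowerShell on the SharePoint server.

```powershell
# Added example, not Cisco's or the author's code: reconcile Windows Firewall with the
# "CVE-BAD" tag. Vulnerability status is assumed to come from an external CVE scanner.
$RuleGroup = 'CVE-BAD'   # every rule this script manages carries this group tag

# Constructed sample input; the CVE id is a placeholder, not a specific advisory.
$Inventory = @{
    Cve          = 'CVE-PLACEHOLDER'
    Vulnerable   = $true                          # becomes $false once the patch is verified
    AllowedPeers = @('10.0.10.20', '10.0.10.21')  # constructed: the SQL and DC peers SharePoint needs
}

function Sync-CveBadPolicy {
    param([Parameter(Mandatory)] [hashtable] $HostState)

    $existing = Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue

    if ($HostState.Vulnerable) {
        if ($existing) { return "restriction already in place for $($HostState.Cve)" }

        # Windows Firewall evaluates Block rules before Allow rules, so "allow peers plus
        # block everything" would block the peers too. Instead flip the profile default
        # to Block and permit only the peers required to deliver the service.
        Set-NetFirewallProfile -All -DefaultOutboundAction Block
        New-NetFirewallRule -DisplayName "$RuleGroup allow required peers ($($HostState.Cve))" `
            -Group $RuleGroup -Direction Outbound -Action Allow `
            -RemoteAddress $HostState.AllowedPeers -Profile Any | Out-Null
        return "restriction applied for $($HostState.Cve)"
    }

    if ($existing) {
        # Patched: drop everything carrying the tag and restore the default outbound
        # behaviour, so nobody has to remember to clean up the rule set afterwards.
        $existing | Remove-NetFirewallRule
        Set-NetFirewallProfile -All -DefaultOutboundAction NotConfigured
        return "restriction removed for $($HostState.Cve)"
    }
    return 'nothing to do'
}

Sync-CveBadPolicy -HostState $Inventory
```

Run it on a schedule or from the CVE tool's webhook with the current inventory, and the same function both applies and lifts the restriction depending on the Vulnerable flag.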

Couple this with campus-based zero trust and ZTA to the application, plus workload/application segmentation, and we have a recipe for success. These outcomes give us the ability to stay resilient at the worst of times and, more importantly, give your teams more time to address the issues without introducing additional risk.

Don’t forget we still leverage all the existing defenses in our arsenal for a layered comprehensive approach to security.

Always assume breach as it provides the best possible outcomes. 2025-2026 is the year we all start to tackle workload/application segmentation across an ecosystem of controls.

Why? This is where the adversary will end up and it puts us at the greatest risk and at the same time it’s our greatest opportunity to change the equation.

Authors

Jason Maynard

Field CTO, Cybersecurity

Canada