Name: Analysis of the Hafnium / MS Exchange Cyberattack
Start: 2021-03-16T17:50:00Z
End: 2021-03-16T17:50:25.000Z
Location: BrightTALK

Virsec is the industry leader of application-aware server workload protection. Learn how to improve and optimize your security posture, ensure real-time protection from today's most dangerous cyber threats and attacks, including memory corruption, fileless and zero-day attacks. Hear valuable insights from cybersecurity leaders, experts and influencers, vulnerability analysis and more.

The battleground for advanced attacks has moved into application workloads and is being fought in runtime.

Most people think of Zero Trust in relation to access controls for users, devices, and networks. But Zero Trust at runtime goes deep into the application workloads, where the attack surface has moved. Effective Zero Trust at runtime must be application-aware, but it must also be automated, continuous, and easy to manage.

For any given application, there are a lot of moving parts – hundreds of files, thousands of processes, and millions of memory calls that define the correct execution and control flow of application code. Managing this manually is almost impossible, and it’s challenging to try to whitelist all the acceptable files.

Chasing every possible threat is an infinite problem and it’s a battle that we are losing. Instead, if we ensure that critical applications only do the right thing, and we prevent them from going off the rails during runtime, then we can fundamentally change the security equation. 

Virsec has developed a unique technology that is fully automated and enforced continuously as application code executes. Any deviations from acceptable execution are detected in milliseconds, and protection rules are automatically triggered to stop attacks at the earliest stage – before any damage is done.

Achieving Zero Trust During Runtime

As organizations continue to dig out from the devastating SolarWinds supply chain attack, one question remains: how do we protect ourselves from the next one? Most organizations that were hit had exemplary security measures in place, such as perimeter tools, EPP/EDR and threat hunting solutions. 

But these tools are powerless to identify and stop an evasive remote code execution (RCE) attack like that which infiltrated the SolarWinds supply chain. RCEs execute at runtime – a dangerous blind spot for most organizations. They can proliferate at the memory level and go undetected for days, months, or even years. 

Runtime attacks are the new normal and organizations are not prepared. We need new weapons to fight a new war. Unlike other security tools, Virsec stops evasive attacks at multiple points in the kill chain without prior knowledge. Learn how to protect application workloads against runtime attacks in any environment and defend against the next SolarWinds-type attack.

Protecting Against the Next SolarWinds Attack

As more organizations migrate to the cloud, protecting containerized workloads is both a challenge and a risk to the business. Containers are not inherently secure and provider-based security is not enough to ensure adequate protection for workloads spanning across multiple clouds. And in production, conventional security tools merely focus on providing activity visibility, policy enforcement, reporting, and encryption. 

True container protection requires granular application control, system integrity assurance, and advanced memory protection at runtime. Virsec is the only solution to provide application-aware visibility, trusted execution, and attack prevention to protect vulnerable containerized workloads. And Gartner recognizes Virsec in a select group of Cloud Workload Protection vendors that provide advanced memory and process integrity protection.

Learn more about the unique application-aware workload protection technology that detects and defeats any attack – known or unknown – in runtime with no signatures, no patching, no noise, and no tuning. Virsec is platform-agnostic and works seamlessly with clouds, containers, distributed and hybrid systems.

Container Workload Protection

Between the SolarWinds attack, MS Exchange server hack, and recent ransomware attack on Colonial Pipeline, countless organizations across nearly every industry have been laid bare, and it’s open season for ransomware threat actors. Though most companies had an enhanced cybersecurity infrastructure in place to safeguard information integrity and business continuity, the stone-cold truth is that conventional security tools did not protect organizations against either of those attacks, nor will they be able to protect against future sophisticated and evasive remote code execution exploits. 

And now that so many back doors are open, get ready for the next wave of ransomware attacks. Malicious code that executes undetected during runtime can bring the entire system down … all it takes is one click. 

The Virsec security solution detects and stops ransomware attacks at the first step in the kill chain. Learn best practices to defend your environment from ransomware attacks, as well as actionable steps you can employ today.

Keeping Ransomware out of Critical Infrastructure: Colonial Pipeline Attack

Advanced attacks like SolarWinds and Hafnium are easily bypassing conventional security tools and targeting a blind spot – application runtime. Even organizations with exemplary cybersecurity infrastructure in place missed the evasive remote code execution exploits taking place within their networks. While most tools try to guess at threats at the perimeter, or look for clues after the fact, they view application workloads as a “black box.” 

Dave Furneaux, CEO of Virsec, discusses the urgent need to gain visibility and control over critical workloads as code executes. We must assume the attackers are already present in the environment. So rather than trying to stop everything ‘bad’ (which is an infinite problem), a runtime protection model focuses on making sure that code and applications only perform as they should at the web, host, and memory layers – effectively stopping the kill chain at the first step.

Stop the Kill Chain at the First Step: Effective Runtime Protection

The SolarWinds attack exposed almost 20,000 of their customers. Attacks on Microsoft Exchange servers hit more than 30,000 businesses. In both cases, advanced attackers used remote code execution to open persistent back doors that will likely be exploited for years to come. We must assume that the precursors to the next data breach have bypassed perimeter defenses and are already inside our networks. 
 
It’s time to flip the security script and protect critical applications, workloads, and data in vulnerable environments. This requires applying a zero trust model during runtime to prevent applications from being hijacked or derailed, even when under attack.
 
Join experts from Virsec for a discussion and demonstration of application-aware runtime protection, to proactively stop the next SolarWinds from becoming a data breach disaster.

Assume the Attackers Are Already Inside – Now What?

Over 37 billion records were exposed in breach events in 2020 - by far the most records exposed in a single year, according to a recent report by Risk Based Security. How has remote working impacted your organization's security posture? What lessons can security professionals learn from the recent wave of breaches and what steps can enterprises take to strengthen security in 2021?

This keynote panel of security experts and industry leaders will explore the best practices for breach prevention, as well as share real-life lessons from the frontlines on what works and doesn't work.

Viewers will learn more about:
- The reality of data breaches
- Why data breach severity is rising
- Ransomware attacks on the rise (doubling from 2019 to 2020) and the threat to businesses
- Technologies that help with breach prevention, detection and response
- Why security awareness matters and best practices for educating employees to be cyber secure

Moderated by:
Michelle Drolet, CEO, Towerwall
Nico Fischbach, Global CTO, Forcepoint
Micheal Meyer, Chief Risk and Innovation Officer, MRSBPO 
Andy Thompson, Research Evangelist, CyberArk
Satya Gupta, CTO & Founder, Virsec

Preventing the Big One: Staying Ahead of the Breach

Runtime memory is the foundation of most computing, yet few security technologies have any visibility or control over critical systems as they execute in memory. A few vendors talk about memory protection, but they typically look for behavioral anomalies after execution, or operate at the O/S level with no application awareness.
 
Join leading memory security expert Danny Kim, Ph.D., for a primer on how memory protection should operate, and the critical need for application awareness as code executes. With over 48 patents, Virsec has unrivaled expertise in the area of memory protection and pioneered solutions that provide critical visibility and control over this new security battleground.

Memory Protection: Technology Primer

Advanced attacks like SolarWinds and Hafnium are easily bypassing conventional security tools and targeting a blind spot – application runtime. While most tools try to guess at threats at the perimeter, or look for clues after the fact, they view application workloads as a “black box.”
 
Join security experts from Virsec as we discuss the urgent need to gain visibility, and control over critical workloads as code executes. This will include a demonstration of how Virsec maps acceptable application execution and instantly spots and stops deviations during runtime.

Runtime: The New Security Battleground

From ERP to SCADA to government databases, legacy applications are a fact of life and won’t go away anytime soon. Yet far too much of our security thinking assumes that organizations can always patch, upgrade, or rip-and-replace complex legacy applications to deploy new, supposedly safer systems. There must be a better way.
 
Join security experts from Virsec for a discussion on how to secure legacy applications, in any state, without depending on patching, upgrades, or significant downtime.

Leave No Apps Behind: Protecting Legacy Applications

As more alarming news emerges about nation-state attacks like SolarWinds and Hafnium, many organizations are not sure how to react. Even if you keep up with security basics, like patching, access control, and network hygiene, these attacks seem to easily bypass conventional security tools.
 
Join security experts from Virsec for analysis of the multi-step kill chains involved in these attacks, and new strategies to interrupt these attacks at multiple points, during runtime.

Defending Against Nation-State Attacks: Breaking the Kill Chain

Virsec delivers a detailed analysis of the Hafnium Microsoft Exchange server exploit. Watch recreations of the attacks perpetrated by the Hafnium hacking group that exploited vulnerabilities in Microsoft Exchange. We'll go through all the steps of the Kill Chain and discuss whether patching will be enough to repair the damage and how to best harden your defenses.

Hafnium Exchange Exploit: Is Patching Enough?

The SolarWinds supply chain attack was a brutal security failure that relied on perimeter tools, threat hunting and prior knowledge to stop an attack – only to find that these tools were powerless to identify and stop it. 

Existing security tools are not sufficient to secure the supply chain, namely because the most sophisticated attacks are occurring at runtime, a notorious blind spot in organizations. Conventional security tools are not instrumented to detect exploits in memory and do not provide any visibility into runtime. More importantly, they do not provide runtime protection, so evasive attacks that proliferate at the memory level often go undetected for days, months, or even years. 

Virsec joins the esteemed SANS Institute to share effective new tactics and tools to protect and defend against sophisticated and evasive supply chain attacks like remote code execution and other crippling runtime exploits. 

Watch a live demonstration of the technology that stops runtime exploits in its tracks, learn how to identify and prevent these attacks in your own infrastructure, and get best practices to protect your workloads against future or ongoing supply chain attacks.

Supply Chain Protection: Stop Remote Code Execution During Runtime

Protecting applications during runtime at the memory level has long been considered difficult to impossible. John Chambers, former CEO of Cisco, recently proclaimed that we are at the inflection point for the next paradigm shift in cybersecurity; the battleground has moved to the workloads, and the only way to effectively defend them is by ensuring application-aware protection at runtime. 

Traditional and legacy solutions are not enough to protect organizations from the extremely advanced attacks we are seeing today. Organizations will need to implement application-aware security controls in on-premises, cloud, hybrid, and / or container environments to effectively defend against sophisticated and evasive attacks and exploits. 

Mark Pelkoski, Senior Director of Security Architecture at Virsec, steps us through a real-time demonstration of Virsec’s unique ability to detect and stop memory-based attacks during runtime before damage is done.

Memory Protection Demo

This video shows a live demonstration of the full attack kill chain likely used by the Hafnium Group to attack thousands of Microsoft Exchange servers globally.

Demonstration of the Hafnium-MS Exchange Attack

As attacks on software supply chains, and critical applications continue, we need to extend the zero-trust model into cloud workloads during runtime, ensuring that only the right code and processes can execute, regardless of the threat environment.

Join security experts from Virsec as they discuss the challenges of protecting an expanding attack surface area with cloud, hybrid, and container environments, and the need for application-awareness, and effective runtime protection. Get best practices for security implementations for workloads that ensure vulnerability protection with granular application control, system integrity assurance, and advanced memory protection at runtime.

Willy Leichter, VP of Marketing and Product Strategy
Willy Leichter leads Virsec marketing and product strategy. With extensive experience in a range of IT domains including network security, global data privacy laws, data loss prevention, access control, email security and cloud applications, he is a frequent speaker at industry events and author on IT security and compliance issues. A graduate of Stanford University, he has held marketing leadership positions in the US and Europe, at CipherCloud, Axway, Websense, Tumbleweed Communications, and Secure Computing (now McAfee).


Shauntinez Jakab, Senior Director of Product Marketing 
Shauntinéz has spent over 20 years working with executives to create unique high-growth product and business strategies in cybersecurity, network management, parallel systems, enterprise software and cloud-based services. She has held senior positions at F5 Networks, Intuit, Aryaka Networks and Citrix Systems. Shauntinez holds a BS in Electrical Engineering from Grambling State University, with graduate studies in microelectronics.

Zero-Trust Cloud Workload Protection Cloud Security Summit

In this demo, the Virsec Research Lab demonstrates how the recent attack on a Florida Water Utility may have been perpetrated, through spear-phising, exploiting a vulnerability in TeamViewer, and launch remote code execution malware.

Florida Water Utility Attack Demonstration

The Virsec Security Lab has analyzed and recreated the attacks allegedly perpetrated by the Hafnium hacking group exploiting vulnerabilities in Microsoft Exchange. This video steps through all the steps of the Kill Chain and highlights where Virsec can stop these attacks.

Analysis of the Hafnium / MS Exchange Cyberattack

hafnium

remote code execution

Exchange vulnerability

Microsoft vulnerability

Cyber Attacks

CVE-2021-26857

CVE-2021-26858

CVE-2021-27065

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

Network infrastructure professionals understand that a reliable and secure infrastructure is crucial to enabling business execution. Join the network infrastructure community to interact with thousands of IT professionals. Browse hundreds of on-demand and live webinars and videos to learn about the latest trends in network computing, SDN, WAN optimization and more.

Network Infrastructure

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Join this new, vibrant community to learn and connect with top thought leaders, startups and banks who are disrupting the financial services industry. Keep up with the latest news and trends in Fintech and take part in lively debates on topical issues and challenges.

Fintech

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

Analysis of the Hafnium / MS Exchange Cyberattack

Presented by

About this talk

Virsec