What are the origins of the names TaoSecurity and the unit formerly known as TAO? 

Introduction

I've been reading Nicole Perlroth's new book This Is How They Tell Me the World Ends. Her discussion of the group formerly known as Tailored Access Operations, or TAO, reminded me of a controversy that arose in the 2000s. I had heard through back channels that some members of that group were upset that I was operating under the name TaoSecurity. In the 2000s and early 2010s I taught classes under the TaoSecurity brand, and even ran TaoSecurity as a single-person consultancy from 2005-2007.

The purpose of this post is to explain why, how, and when I chose the TaoSecurity identity, and to show that it is contemporaneous with the formal naming of the TAO group; the most reliable accounts indicate TaoSecurity predates the TAO brand by several months.

TaoSecurity Began with Kung Fu and Taoism

With Sifu Michael Macaris, 21 June 1996

In the summer of 1994, after graduating from the Air Force Academy and before beginning my graduate program at what is now called the Harvard Kennedy School, I started watching re-runs of the 1970s David Carradine Kung Fu TV series, created by Ed Spielman. I was so motivated by the philosophical message of the program that I joined a kung fu school in Massachusetts. I trained there for two years, and studied what I could about Chinese history and culture. I learned that the show drew on Taoism, so I bought a copy of the Tao Te Ching by Lao Tzu and devoured it.

Visiting China

Tai Chi on the Yangtze, May 1999

In the spring of 1999 my wife and I took a three week trip to China for our honeymoon. We were both interested in Chinese culture so it seemed like a great opportunity. It was an amazing trip, despite the fact that we were in China when the United States bombed the Chinese embassy in Belgrade.

I include these details to show that I was quite the fan of Chinese culture, well before any formal cyber threat intelligence reports associated me with China. I read books on Taoism and embraced its concepts.

Creating TaoSecurity

WHOIS lookup for taosecurity.com

In the summer of 2000 I was a captain at the Air Force Computer Emergency Response Team, within the 33rd Information Operations Squadron. I decided I wanted to try creating a Web presence, so I registered the TaoSecurity domain name on 4 July 2000. The WHOIS record above shows 3 July, which is odd, because a previous post on the topic captured the correct date of 4 July 2000. I also coined the phrase "the way of digital security."

My wife commissioned an artist to design the TaoSecurity logo, which I have used continuously since then. At the time I had never heard of TAO. There was a good reason for that. TAO was just being born as well.

General Hayden on Creating TAO


Playing to the Edge by General Michael Hayden

The first public source on the history of TAO appeared in a 2013 story for Foreign Policy by Matthew M. Aid. He claimed that the agency created TAO in 1997. While it is possible that members of what would later be named TAO were working a similar mission in 1997, his account needs the context I add next.

A succinct source on the origins of the unit previously known as the TAO is the 18 October 2018 article by Steven Loleski. He wrote a piece called From cold to cyber warriors: the origins and expansion of NSA’s Tailored Access Operations (TAO) to Shadow Brokers (PDF). Mr. Loleski cited General Michael Hayden's 2016 book Playing to the Edge, which I quote more extensively here:

"In the last days of 2000, as we were rewiring the entire agency’s organizational chart (see chapter 2), we set up an enterprise called TAO, Tailored Access Operations, in the newly formed SIGINT Directorate (SID). We had toyed with some boutique end-point efforts before, but this was different. This was going to be industrial strength...And, even in a period of generalized growth, TAO became the fastest-growing part of NSA post-9/11, bar none."

Seeing as General Hayden was in charge of NSA at the time, that would seem to make it clear that TaoSecurity preceded TAO by several months, at least.

I also looked for details in the 2016 book Dark Territory: The Secret History of Cyber War by Fred Kaplan. I've enjoyed several of his previous books, and he interviewed and cited me for the text.

Mr. Kaplan explained how General Michael Hayden, NSA director from March 1999 to April 2005, named the unit, as part of a general reorganization effort. Thanks to Cryptome and FOIA requests by Inside Defense we can read the October 1999 report recommending organizational changes. That reorganization was the genesis for creating TAO.

Kaplan on Creating TAO
External Team Report Recommended Organization, 22 October 1999, Cryptome

This document, titled EXTERNAL TEAM REPORT: A Management Review for the Director, NSA, October 22, 1999 mentions the need to reorganize the "Signals Intelligence Mission (SIM)" into "three offices, Global Response, Tailored Access and Global Network." The October 2000 public news story by Inside Defense about the reorganization implies that it did not happen overnight. 

Mr. Kaplan notes that General Hayden initiated his "One Hundred Days of Change" program on 15 November 1999. A three-day server crash in January 2000 hampered reform efforts, prompting big changes in NSA approaches to computing. However, TAO was eventually operating some time in 2000. Mr. Kaplan notes the following in his book:

"It began, even under his expansion, as a small outfit: a few dozen computer programmers who had to pass an absurdly difficult exam to get in. The organization soon grew into an elite corps as secretive and walled off from the rest of the NSA as the NSA was from the rest of the defense establishment. Located in a separate wing of Fort Meade, it was the subject of whispered rumors, but little solid knowledge, even among those with otherwise high security clearances...

Early on, TAO hacked into computers in fairly simple ways: phishing for passwords (one such program tried out every word in the dictionary, along with variations and numbers, in a fraction of a second) or sending emails with alluring attachments, which would download malware when opened. 

Once, some analysts from the Pentagon’s Joint Task Force-Computer Network Operations were invited to Fort Meade for a look at TAO’s bag of tricks. The analysts laughed: this wasn’t much different from the software they’d seen at the latest DEF CON Hacking Conference; some of it seemed to be repackaged versions of the same software. Gradually, though, the TAO teams sharpened their skills and their arsenal."

It's clear from this passage that TAO started as a small unit that conducted less exotic operations. It was difficult to join, but a far cry from the powerhouse it would soon become. It's also clear that knowledge of this organization was tightly controlled. Even the term "tailored access" was not associated publicly with NSA until the October 2000 reporting by Inside Defense, reproduced by Cryptome.

Minihan's Role

Dark Territory by Fred Kaplan

Circling back to the mention of 1997 in Mr. Aid's article, we do find the following in Mr. Kaplan's reporting:

"Fort Meade’s would be the third box on the new SIGINT organizational chart—“tailored access.”

[Lt Gen Kenneth] Minihan [NSA director 1996-1999] had coined the phrase. During his tenure as director, he pooled a couple dozen of the most creative SIGINT operators into their own corner on the main floor and gave them that mission. What CIA black-bag operatives had long been doing in the physical world, the tailored access crew would now do in cyberspace, sometimes in tandem with the black-baggers, if the latter were needed—as they had been in Belgrade—to install some device on a crucial piece of hardware.

The setup transformed the concept of signals intelligence, the NSA’s stock in trade. SIGINT had long been defined as passively collecting stray electrons in the ether; now, it would also involve actively breaking and entering into digital machines and networks.

Minihan had wanted to expand the tailored access shop into an A Group of the digital era, but he ran out of time. When Hayden launched his reorganization, he took the baton and turned it into a distinct, elite organization—the Office of Tailored Access Operations, or TAO."

This reporting indicates that there was a tailored access group operating at NSA prior to General Hayden, but it was not actually named "TAO" and was not as large or exotic as what was to come.

Conclusion

"Tao inside," TAO's play on the Intel Inside marketing campaign

To summarize, General Hayden assigned the name TAO to a group inside NSA in late 2000, months after I registered the TaoSecurity domain name. Although General Minihan had created a tailored access group during his tenure, the existence of that team, as well as what was later formally called TAO, was a closely held secret. The term "tailored access" did not appear in public until Inside Defense's reporting of October 2000.

Although I worked in the unit (Air Intelligence Agency) that served as the cryptologic service group for NSA (the Air Force contribution to the agency), I was not aware of any tailored access teams when I chose TaoSecurity as the name for my repository of security ideas. I selected TaoSecurity to reflect my interest in Taoism, and it had nothing to do with TAO or the NSA.

There's a good chance that if you're reading this post, you're a member of an exclusive club. I call it the security one percent, or the security 1%, or #securityonepercent on Twitter. This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with detection and response capabilities, not just planning and resistance/"prevention" functions.

Introduction 


This post will estimate the size of the security 1% in the United States. It will then briefly explain how the security strategies of the 1% might be irrelevant at best or damaging at worst to the 99%.

A First Cut with FIRST


It's difficult to measure the size of the security 1%, but not impossible. My goal is to ascertain the correct orders of magnitude. 

One method is to review entities who are members of the Forum of Incident Response and Security Teams, or FIRST. FIRST is an organization to which high-performing computer incident response teams (CIRTs) may apply once their processes and data handling meet standards set by FIRST. 

I learned of FIRST when the AFCERT was a member in the late 1990s. I also assisted with FIRST duties when Foundstone was a member in the early 2000s. I helped or sponsored membership when I worked at General Electric in the 2000s and Mandiant in the 2010s. I encourage all capable security teams to join FIRST.

Being a FIRST member means having a certain degree of incident response and data handling capability, and it signals to the world and to other FIRST teams that the member entity is serious about incident detection and response.

As of the writing of this post, there are 540 FIRST teams worldwide. Slightly more than 100 of them are based in the United States. 

To put that in perspective, there are fewer than 4,000 publicly traded companies in the US. That means that even if every single US FIRST member represented a publicly traded company -- and that is not the case -- FIRST representation for US publicly traded companies is only 2.5%.

Beyond FIRST


Some of you might claim FIRST membership is no big deal. My current employer, Corelight, isn't a member, you might say. 

Perhaps you could argue that for every US FIRST member, there are 9 others which have equivalent or better security teams. That would increase the cadre of entities with respectable detection and response capabilities from 100 to 1,000. That would still mean an estimate that says 75% of publicly traded US companies have sub-par or non-existent security programs.

Remember that we've only been talking about a population of 4,000 publicly traded US companies. The US Small Business and Entrepreneurship Council estimates that there were 5.6 million employer firms in the United States in 2016. Let's sadly reduce that to 4 million to account for the devastation of Covid. 

(This reduction actually makes the situation look better for security, as terrible as it is either way. In other words, if I used a denominator of 5.6 million and not 4 million, security estimates would be 40% worse.)


Small Business and Entrepreneurship Council


Let's be really generous and assume that only 1 in 100 of those 4 million businesses have any sensitive data. (That's again very generous.) 

That leaves us with 400,000 entities with data worth defending. (Again, all of these estimates make it look like we're doing better than we actually are. The reality is probably a lot worse.)

Remember that we only had 100 US teams in FIRST, and we assumed an incredible 10-to-1 ratio to add another 900 non-FIRST organizations to the list of entities with decent security.

Now let's be generous again and assume a 4-to-1 multiplier, such that for every team in the publicly traded world there are three more in the private world that also have decent security.

This creates a total of 4,000 US organizations with decent security, out of 400,000 that need it. Those 4,000 are the security 1%.

If you think of the "best of the best," there are probably only about 40 US security teams that qualify as global leaders and innovators. These are the teams that can stand toe-to-toe with most foes, and still struggle due to the nature of the security challenge. You and I could probably name them: Lockheed Martin, Google, General Electric, etc.

That group of 40 is the 1% of the 1%, being 40 of the 4,000 of the 400,000. These 40 are the US .01%.

If you think I'm being too conservative with only 40 teams, then feel free to increase it to 400. I'd be really curious to see someone compile a list of 400 world-beating security teams. That would still mean that the US group of 400 is the .1%.

Sanity Check: A Few Statistics


To give you a sense of my numbers, and whether they are of the right order of magnitude at least, here are a few statistics:

1. The 2020 Accenture Security Third Annual State of Cyber Resilience Report featured responses from 4,644 "executives." This is the same order of magnitude as my estimates here, diluted due to a global perspective. (In other words, there are actually fewer US executives responding to this survey due to the global respondent pool.)


2020 Accenture Security Third Annual State of Cyber Resilience Report, p 46


2. The 2021 PWC Global Digital Trust Insights Report featured responses from "3,249 business and technology executives around the world." This is again the same order of magnitude, again diluted due to global responses.

2021 PWC Global Digital Trust Insights Report, Web summary


3. A 2019 report by Bitglass found that 38% of the Fortune 500 do not have a CISO. That's 190 publicly traded companies! Hopefully it's less in 2020. Let's be crazy and assume the CISO count is 400 out of 500?

2019 Bitglass Report


4. The Verizon DBIR featured reporting from 81 entities, the highest number in the history of the report. I do not know how many are in the US, but it's obviously fewer than 100, so the order of magnitude is again preserved. In other words, of the 4,000 capable security organizations in the US, fewer than 2.5% of them contributed to the DBIR. That would be fewer than 100, or the number of US FIRST teams.


2020 Verizon DBIR Report


Remember that my focus here is the United States. This means the numbers from PWC, Accenture, and Verizon need to be reduced because they represent global audiences. However, the original FIRST count of roughly 100 American entities, and the statistic about the Fortune 500, which is just American companies, are already appropriately sized.

Security and the One Percent


What do these numbers mean for security? 

Speaking first just for the US, it means that most of the conversations among security practitioners on Twitter, in mailing lists, during Webinars, within classes, and other gatherings of people take place within a very small grouping. These are the 1% that are part of the roughly 4,000 entities in the US that have a decent security capability. 

If those are the 1%, it means that the 99% are not included in these discussions.

This means that free threat intelligence, or free classes, or free post-exploitation security tools, or other free capabilities mean nothing, or almost nothing to those 99% of organizations that do not have security capabilities, or whose capabilities are so low or stretched that they cannot take advantage of whatever the 1% offers.

An Analogy: Personal Finance


I almost became a certified financial planner. Had I not secured a job in the AFCERT, I planned to separate from the Air Force, earn my CFP designation, and advise people on how to manage their assets and prepare for retirement. 

I've come to realize that discussions I witness in the "security community" are like the discussions I see in the finance community. It requires taking a big step back to appreciate this situation.

People at the 1% level in finance want to know how to manage their stock options, or how to save money for their child's college tuition through specialized savings vehicles, or, at the highest ends, how to move assets throughout "Moneyland" in pursuit of ever lower taxes.

These concerns are light-years away from the person who has a few dollars saved in an employer-provided 401(k) program, or who has little to no savings whatsoever.  


The Consequences of the Security One Percent


So what's the big deal?

The consequence of the existence and mindshare dominance of the security 1% is that the strategies and tactics they employ may work for the 1%, but not the 99%. 

I'm not talking about the "rich" preying on the "poor." That's neither my message nor my philosophical outlook. 

Rather, I mean that methods that the security 1% use to defend themselves are irrelevant at best to the 99%, and damaging at worst to the 99%.

An example of irrelevance would be providing free indicators of compromise (IOCs) or other forms of threat intelligence. It's well-meaning but ultimately of no help to the 99%. If an entity in the 99% has a rudimentary security capability, or essentially zero security capability, threat intelligence is irrelevant.

An example of damage would be publication of post-exploitation security tools, or PESTs. The 1% may have the ability to use such tools to equip their red or penetration testing teams, determining if the countermeasures implemented by their blue team can resist or detect and respond to their simulated and later actual attacks. The 99%, however, have little to no ability to leverage PESTs. They end up simply being victims when actual intruders use PESTs to pillage the 99%'s assets.

Conclusion


Readers can argue with my numbers. These are estimates, yes, but I believe I've gotten the orders of magnitude right, at least in the US. It's probably worse overseas, especially in the developing world. 

The point of this exercise is to propose the idea that the benefits of certain activities that may accrue to the 1% may be, and likely are, irrelevant and/or damaging to the 99%.

In brief:

I challenge the security 1% to first recognize their elite status, and second, to think how their beliefs and actions affect the 99% -- especially for the worse.

As this is a wicked problem, there is no easy answer. That may be worth a future blog post.


Just what are "tactics"?

Introduction


MITRE ATT&CK is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else.

The MITRE ATT&CK Design and Philosophy document from March 2020 says the following:

At a high-level, ATT&CK is a behavioral model that consists of the following core components:

• Tactics, denoting short-term, tactical adversary goals during an attack;
• Techniques, describing the means by which adversaries achieve tactical goals;
• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and
• Documented adversary usage of techniques, their procedures, and other metadata.

My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive.

The key word in the tactics definition is goals. According to MITRE, "tactics" are "goals."

Examples of ATT&CK Tactics


ATT&CK lists the following as "Enterprise Tactics":

MITRE ATT&CK "Tactics," https://attack.mitre.org/tactics/enterprise/

Looking at this list, the first 11 items could indeed be seen as goals. The last item, Impact, is not a goal. That item is an artifact of trying to shoehorn more information into the ATT&CK structure. That's not my primary concern though.
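The way ATT&CK's own machine-readable data models this reinforces the point. In the STIX bundle MITRE publishes, a tactic is an x-mitre-tactic object, and a technique (an attack-pattern) declares the tactics it serves through its kill_chain_phases, so a "tactic" is the bucket a technique is filed under, which is to say the goal the technique achieves. The following is an added example, not code from the original post or from MITRE; it groups techniques by tactic from a constructed three-object excerpt that mirrors the shape of enterprise-attack.json (the IDs TA0001, T1195 and T1195.002 are real ATT&CK identifiers, the descriptions are shortened, and the bundle is not the full data set).

```python
"""Group ATT&CK techniques by the tactic (goal) they are filed under.

Added example, not part of the original post or MITRE's tooling. Works on a
STIX 2.x bundle in the shape of MITRE's enterprise-attack.json; the sample
below is a constructed three-object excerpt, not the real data set.
"""
import json
from collections import defaultdict

# Constructed excerpt: one tactic, one technique, one sub-technique.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--example", "objects": [
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ia",
         "name": "Initial Access", "x_mitre_shortname": "initial-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1195",
         "name": "Supply Chain Compromise",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1195"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1195-002",
         "name": "Compromise Software Supply Chain", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1195.002"}]},
    ]})


def attack_id(obj):
    """Return the ATT&CK ID (TA0001, T1195, T1195.002) from external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_by_tactic(bundle_json, include_subtechniques=True):
    """Map (tactic ID, tactic name) -> sorted [(technique ID, technique name)].

    A technique lands under a tactic purely because its kill_chain_phases name
    that tactic's shortname; the tactic object itself carries no "how".
    """
    objects = json.loads(bundle_json)["objects"]
    tactics = {o["x_mitre_shortname"]: (attack_id(o), o["name"])
               for o in objects if o["type"] == "x-mitre-tactic"}
    grouped = defaultdict(list)
    for o in objects:
        # Skip revoked/deprecated entries, which the real bundle keeps around.
        if o["type"] != "attack-pattern" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        if o.get("x_mitre_is_subtechnique") and not include_subtechniques:
            continue
        for phase in o.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") != "mitre-attack":
                continue
            key = tactics.get(phase["phase_name"], (None, phase["phase_name"]))
            grouped[key].append((attack_id(o), o["name"]))
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for (tactic_id, tactic_name), techniques in techniques_by_tactic(SAMPLE_BUNDLE).items():
        print(f"{tactic_id} {tactic_name}")
        for tech_id, tech_name in techniques:
            print(f"  {tech_id} {tech_name}")
```

Point the same function at the real enterprise-attack.json and the output is the matrix as ATT&CK renders it: each column header is a goal, and everything beneath it is a means.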

Military Theory and Definitions


As a service academy graduate who had to sit through many lectures on military theory, and who participated in small unit exercises, the idea of tactics as "goals" does not make any sense.

I'd like to share three resources that offer a different perspective on tactics. Although all three are military, my argument does not depend on that association.

The DOD Dictionary of Military and Associated Terms defines tactics as "the employment and ordered arrangement of forces in relation to each other. See also procedures; techniques. (CJCSM 5120.01)" (emphasis added)

In his book On Tactics, B. A. Friedman defines tactics as "the use of military forces to achieve victory over opposing enemy forces over the short term." (emphasis added)

Dr. Martin van Creveld, scholar and author from the military strategy world, wrote the excellent Encyclopedia Britannica entry on tactics. His article includes the following:

"Tactics, in warfare, the art and science of fighting battles on land, on sea, and in the air. It is concerned with the approach to combat; the disposition of troops and other personalities; the use made of various arms, ships, or aircraft; and the execution of movements for attack or defense...

The word tactics originates in the Greek taxis, meaning order, arrangement, or disposition -- including the kind of disposition in which armed formations used to enter and fight battles. From this, the Greek historian Xenophon derived the term tactica, the art of drawing up soldiers in array. Likewise, the Tactica, an early 10th-century handbook said to have been written under the supervision of the Byzantine emperor Leo VI the Wise, dealt with formations as well as weapons and the ways of fighting with them.

The term tactics fell into disuse during the European Middle Ages. It reappeared only toward the end of the 17th century, when “Tacticks” was used by the English encyclopaedist John Harris to mean 'the Art of Disposing any Number of Men into a proposed form of Battle...'"

From these three examples, it is clear that tactics are about use and disposition of forces or capabilities during engagements. Goals are entirely different. Tactics are the methods by which leaders achieve goals. 

How Did This Happen?


I was not a fly on the wall when the MITRE team designed ATT&CK. Perhaps the MITRE team fixated on the phrase "tactics, techniques, and procedures," or "TTPs," again derived from military examples, when they were designing ATT&CK? TTPs became hot during the 2000s as incident responders with military experience drew on that language when developing concepts like indicators of compromise. That fixation might have led MITRE to use "tactics" for their top-level structure. 

It would have made more sense for MITRE to have just said "goal" or "objective," but "GTP" isn't recognized by the digital defender world.

It's Not Just the Military


Some readers might think "ATT&CK isn't a military tool, so your military examples don't apply." I use the military references to show that the word tactic does have military origins, like the word "strategy," from the Greek Strategos or strategus, plural strategoi, (Greek: στρατηγός, pl. στρατηγοί; Doric Greek: στραταγός, stratagos; meaning "army leader"). 

That said, I would be surprised to see the word tactics used as "goals" anywhere else. For example, none of these examples from the non-military world involve tactics as goals:

This Harvard Business Review article defines tactics as "the day-to-day and month-to-month decisions required to manage a business." 

This guide for ice hockey coaches mentions tactics like "give and go’s, crossing attacks, cycling the puck, chipping the puck to space and overlapping."

The guide for small business marketing lists tactics like advertising, grass-roots efforts, trade shows, website optimization, and email and social marketing.

In the civilian world, tactics are how leaders achieve goals or objectives.

Conclusion


In the big picture, it doesn't matter that much to ATT&CK content that MITRE uses the term "tactics" when it really means "goals." 

However, I wrote this article because the ATT&CK design and philosophy emphasizes a common language, e.g., ATT&CK "succinctly organizes adversary tactics and techniques along with providing a common language used across security disciplines."

If we want to share a common language, it's important that we recognize that the ATT&CK use of the term "tactics" is an anomaly. Perhaps a future edition will change the terminology, but I doubt it given how entrenched it is at this point.

Update: This Tweet from Matt Brady made this point:

"Agreed - for example, supply chain compromise is a tactic used for initial access, whereas software supply chain compromise (ShadowHammer) is a specific technique."

The FBI intrusion notification program is one of the most important developments in cyber security during the last 15 years. 

This program achieved mainstream recognition on 24 March 2014 when Ellen Nakashima reported on it for the Washington Post in her story U.S. notified 3,000 companies in 2013 about cyberattacks.

The story noted the following:

"Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions...

About 2,000 of the notifications were made in person or by phone by the FBI, which has 1,000 people dedicated to cybersecurity investigations among 56 field offices and its headquarters. Some of the notifications were made to the same company for separate intrusions, officials said. Although in-person visits are preferred, resource constraints limit the bureau’s ability to do them all that way, former officials said...

Officials with the Secret Service, an agency of the Department of Homeland Security that investigates financially motivated cybercrimes, said that they notified companies in 590 criminal cases opened last year, officials said. Some cases involved more than one company."

The reason this program is so important is that it shattered the delusion that some executives used to reassure themselves. When the FBI visits your headquarters to tell you that you are compromised, you can't pretend that intrusions are "someone else's problem."

It may be difficult for some readers to appreciate how prevalent this mindset was, from the beginnings of IT to about the year 2010.

I do not know exactly when the FBI began notifying victims, but I believe the mid-2000s is a safe date. I can personally attest to the program around that time.

I was reminded of the importance of this program by Andy Greenberg's new story The FBI Botched Its DNC Hack Warning in 2016—but Says It Won’t Next Time.

I strongly disagree with this "botched" characterization. Andy writes:

"[S]omehow this breach [of the Democratic National Committee] had come as a terrible surprise—despite an FBI agent's warning to [IT staffer Yared] Tamene of potential Russian hacking over a series of phone calls that had begun fully nine months earlier.

The FBI agent's warnings had 'never used alarming language,' Tamene would tell the Senate committee, and never reached higher than the DNC's IT director, who dismissed them after a cursory search of the network for signs of foul play."

As with all intrusions, criminal responsibility lies with the intruder. However, I do not see why the FBI is supposed to carry the blame for how this intrusion unfolded. 

According to investigatory documents and this Crowdstrike blog post on their involvement, at least seven months passed between the time the FBI notified the DNC (sometime in September 2015) and when the DNC contacted Crowdstrike (30 April 2016). That is ridiculous.

If I received a call from the FBI even hinting at a Russian presence in my network, I would be on the phone with a professional incident response firm right after I briefed the CEO about the call.

I'm glad the FBI continues to improve its victim notification procedures, but it doesn't make much of a difference if the individuals running IT and the organization are negligent, either through incompetence or inaction.

Note: Fixed year typo.

CVE-2020-0688 Scan Results, per Rapid7

tl;dr -- it's the title of the post: "If You Can't Patch Your Email Server, You Should Not Be Running It."

I read a disturbing story today with the following news:

"Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet and the numbers are grim.

As they found, 'at least 357,629 (82.5%) of the 433,464 Exchange servers' are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.

To make matters even worse, some of the servers that were tagged by Rapid7 as being safe against attacks might still be vulnerable given that 'the related Microsoft update wasn’t always updating the build number.'

Furthermore, 'there are over 31,000 Exchange 2010 servers that have not been updated since 2012,' as the Rapid7 researchers observed. 'There are nearly 800 Exchange 2010 servers that have never been updated.'

They also found 10,731 Exchange 2007 servers and more than 166,321 Exchange 2010 ones, with the former already running End of Support (EoS) software that hasn't received any security updates since 2017 and the latter reaching EoS in October 2020."

In case you were wondering, threat actors have already been exploiting these flaws for weeks, if not months.
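To see why a survey like Rapid7's can count vulnerable servers confidently but has to hedge on "safe" ones, consider how the build is fingerprinted. The OWA login page references static resources under a path like /owa/auth/15.1.1847/..., which leaks the cumulative update (CU) level in three components; the security update only changes the fourth (revision) component, which that path does not carry. So a page-derived build can prove a server is on a CU line too old to have received the fix, but cannot prove the fix is installed. The following is an added example, not code from the original post and not Rapid7's Sonar tooling. The fixed build numbers are the ones I recall from Microsoft's February 2020 Exchange security update (KB4536988) and are assumptions here; verify them against Microsoft's current build table before relying on them. The login page fragment is constructed, not captured from a live host. Note too that the Metasploit module for this CVE needs a valid mailbox credential, which phishing or password reuse supplies readily enough.

```python
"""Fingerprint an Exchange build from its OWA login page and decide whether it
can carry the CVE-2020-0688 fix.

Added example, not from the original post or from Rapid7. Build thresholds
below are assumed from Microsoft's Feb 2020 security update (KB4536988);
verify against Microsoft's build table before use.
"""
import re
from typing import Optional, Tuple

Build = Tuple[int, ...]

# Lowest build on each supported CU line that contains the fix (assumed values).
FIXED_BUILDS = {
    (14, 3): [(14, 3, 496, 0)],                     # Exchange 2010 SP3 RU30
    (15, 0): [(15, 0, 1497, 6)],                    # Exchange 2013 CU23
    (15, 1): [(15, 1, 1847, 7), (15, 1, 1913, 7)],  # Exchange 2016 CU14, CU15
    (15, 2): [(15, 2, 464, 11), (15, 2, 529, 8)],   # Exchange 2019 CU3, CU4
}

# Build embedded in OWA resource paths, e.g. /owa/auth/15.1.1847/themes/...
_PATH_BUILD = re.compile(r"/owa/auth/(\d+\.\d+\.\d+(?:\.\d+)?)/")


def parse_build(text: str) -> Optional[Build]:
    """Turn '15.1.1847' or '15.1.1847.7' into a tuple of ints, else None."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def extract_build(login_page_html: str, headers: Optional[dict] = None) -> Optional[Build]:
    """Prefer a four-part X-OWA-Version header if the server sends one;
    otherwise fall back to the three-part build in the page's resource paths."""
    if headers:
        for name, value in headers.items():
            if name.lower() == "x-owa-version":
                build = parse_build(value)
                if build:
                    return build
    m = _PATH_BUILD.search(login_page_html)
    return parse_build(m.group(1)) if m else None


def assess(build: Build) -> str:
    """Return 'vulnerable', 'patched', 'inconclusive' or 'unknown'.

    'patched' is only reachable from a four-part build, and even then the post
    above notes the update did not always bump the build number: treat a remote
    'patched' as a hint and confirm from the installed updates on the host.
    """
    fixed = FIXED_BUILDS.get(build[:2])
    if not fixed:
        return "unknown"                 # product family not in the table
    cu = build[2]
    oldest_fixed_cu = min(f[2] for f in fixed)
    newest_fixed_cu = max(f[2] for f in fixed)
    if cu < oldest_fixed_cu:
        return "vulnerable"              # CU line too old to have received the fix
    if cu > newest_fixed_cu:
        return "patched"                 # later CU; CUs are cumulative
    fixed_for_cu = [f for f in fixed if f[2] == cu]
    if not fixed_for_cu or len(build) < 4:
        return "inconclusive"            # unknown CU, or no revision to compare
    return "patched" if build[3] >= fixed_for_cu[0][3] else "vulnerable"


# Constructed OWA login page fragment (not captured from a real server).
SAMPLE_LOGIN_PAGE = """<html><head>
<link rel="shortcut icon" href="/owa/auth/15.1.1847/themes/resources/favicon.ico">
<script src="/owa/auth/15.1.1847/scripts/premium/flogon.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    b = extract_build(SAMPLE_LOGIN_PAGE)
    print(b, assess(b))                            # (15, 1, 1847) inconclusive
    print(assess(parse_build("15.1.1847.3")))      # vulnerable
    print(assess(parse_build("15.1.1847.7")))      # patched
```

The asymmetry is the practical lesson: an Internet-wide count of "vulnerable" is a floor, and the only authoritative answer for your own server comes from the host itself, not from what it advertises to the world.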

Email is one of the most sensitive and important systems on which organizations of all shapes and sizes rely. Email servers are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide.

In this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them.

It is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives -- namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others.

I expect some readers are saying "I would never put my email in the hands of those big companies!" That's fine, and I know several highly competent individuals who run their own email infrastructure. The problem is that they represent the small fraction of individuals and organizations who can do so. Even being extremely generous with the numbers, it appears that less than 20%, and probably less than 15% according to other estimates, can even keep their Exchange servers patched, let alone properly configured.

If you think it's still worth the risk, and your organization isn't able to patch, because you want to avoid megacorp email providers or government access to your email, you've made a critical miscalculation. You've essentially decided that it's more important for you to keep your email out of megacorp or government hands than it is to keep it from targeted or opportunistic intruders across the Internet.

Incidentally, you've made another mistake. Those same governments you fear, at least many of them, will just leverage Metasploit to break into your janky email server anyway.

The bottom line is that unless your organization is willing to commit the resources, attention, and expertise to maintaining a properly configured and patched email system, you should outsource it. Otherwise you are being negligent with not only your organization's information, but the information of anyone with whom you exchange emails.