FIRST TO DETECT BUT NEVER PUBLICIZE
By Chris Nyhuis, Vigilant CEO
A Vigilant Know More Series
In February 2021, Microsoft disclosed a vulnerability in Microsoft Exchange that allowed threat actors to gain access to Exchange servers and run commands on the servers themselves. The vulnerability had been there for years.
Microsoft informed customers of the vulnerability in the notes inside a user update. How many customers do you think read the notes? Maybe a few. Now, how many threat actors do you think read notes about potential vulnerabilities, where they are and how they work? All of them!
Because threat actors are nimble and highly motivated (and companies often don’t install patches immediately), attackers worked from the details in Microsoft’s published update and breached companies all over the world.
Now Vigilant, a company fueled by human cunning (just like the adversaries) and by our Adaptive Intelligence Process, saw this attack pattern very early on, before Microsoft’s announcement. We built detection, and ALL our clients were protected. We put detection inside both our endpoint and network technologies. Did we advertise what we did? No. We also don’t commoditize or share our technology. With no news of our success to be found and no commodity to be purchased and practiced on back at “bad guy headquarters,” there was no way for threat actors to know what we do or how we do it.
Note: to further protect our clients, our methods and our data, we also: 1) never reveal our clients in marketing, releases or anywhere else; 2) keep our company off the market (no shareholders), so our business model is not beholden to external profit pressures; and 3) never off-shore our detection/analysis staff or data storage, so our SOPs and strategies never leave our sight.
Now, after Microsoft’s announcement, threat traffic accelerated. That vulnerability was now public. As a result, the whole industry caught on and built detection. Good for them. Ultimately we are all on the same team, protecting companies, and we celebrate when threat strategies are thwarted.
Since Vigilant discovered this vulnerability in Microsoft Exchange early on, before even Microsoft announced it, there was a real temptation for Vigilant to climb to the top of the mountain, pound our chests and tell the world. We could have issued a press release and received some potentially powerful publicity, but what would have happened then?
Such an announcement would only tell the bad actors that it was time to adapt, and our clients would therefore be at greater risk. That is something we can’t allow, because we have committed to never bring undue risk to our clients.
Now, when new threat strategies surface (as they do all the time), we do share our intel. We share it with our friends and, in particular, with our clients, so they understand what we have seen and how they can partner with us to protect their people, property and profits.
We share that intel, carefully, like whispering among friends, not screaming it in a press release and certainly not beating our chest. Security first.
Each time a security company publicizes a discovery, our team watches in real time how the threat technology adapts and changes.
In the case of this Microsoft Exchange vulnerability, we watched the threat actors switch file names to evade searches. So we protected against that. We watched as they adapted to an ever-changing file system. We protected against that. They built in randomization… we protected against that too.
Because the threats are ever-evolving, security needs to evolve just as fast. Vigilant kept modifying our detection, staying ahead of the threat actors and the industry…
…and we did so, to the best of our abilities, so as to never bring undue risk to our clients.