Since it is likely the group will continue to update their tactics, techniques, and procedures (TTPs), it is important to make sure all patches are applied as soon as possible. The joint advisory also included mitigation measures that will give organizations the best chance of defending against these attacks; those include:
• Managing and applying security updates as quickly as possible will help reduce the attack surface available for SVR actors and force them to use higher equity tooling to gain a foothold in the networks.
• By implementing good network security controls and effectively managing user privileges, organizations will help prevent lateral movement between hosts. This will help limit the effectiveness of even complex attacks.
• Detecting supply chain attacks, such as the Mimecast compromise, will always be difficult. An organization may detect this sort of activity through heuristic detection methodologies such as the volume of emails being accessed or by identifying anomalous IP traffic.
• Organizations should ensure sufficient logging (both cloud and on-premises) is enabled and stored for a suitable amount of time to identify compromised accounts, exfiltrated material, and actor infrastructure.
• Use Microsoft’s mailbox auditing action called ‘MailItemsAccessed’ to investigate the compromise of email accounts and identify emails accessed by users. This gives organizations forensic defensibility to help assert which individual pieces of mail were or were not maliciously accessed by an attacker.
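As an added example (not from the advisory or the original post), the two heuristics named in the supply-chain bullet applied to the MailItemsAccessed records named in the last one: a Python script that reads constructed audit records in the shape Search-UnifiedAuditLog exports and flags a user/IP pair when the IP is unfamiliar to that user or the number of messages opened is unusually high. The exact record fields, the threshold, and every user and address are assumptions.

```python
import json
from collections import defaultdict

# Constructed MailItemsAccessed records shaped like the AuditData JSON that
# Search-UnifiedAuditLog exports (field names approximate the real schema;
# every user, IP address and timestamp here is invented for this example).
SAMPLE_AUDIT_LINES = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2021-05-07T09:02:11", "Operation": "MailItemsAccessed", "UserId": "alice@example.test",
     "ClientIPAddress": "203.0.113.10", "MailAccessType": "Bind", "OperationCount": 4},
    {"CreationTime": "2021-05-07T09:40:53", "Operation": "MailItemsAccessed", "UserId": "alice@example.test",
     "ClientIPAddress": "203.0.113.10", "MailAccessType": "Bind", "OperationCount": 6},
    # Out-of-hours folder sync from an address never seen for this user ...
    {"CreationTime": "2021-05-07T23:14:02", "Operation": "MailItemsAccessed", "UserId": "alice@example.test",
     "ClientIPAddress": "198.51.100.77", "MailAccessType": "Sync", "OperationCount": 1},
    # ... followed by hundreds of individual message opens from the same address.
    {"CreationTime": "2021-05-07T23:16:40", "Operation": "MailItemsAccessed", "UserId": "alice@example.test",
     "ClientIPAddress": "198.51.100.77", "MailAccessType": "Bind", "OperationCount": 480},
    {"CreationTime": "2021-05-07T10:05:00", "Operation": "Set-Mailbox", "UserId": "bob@example.test",
     "ClientIPAddress": "203.0.113.11"},
])

def parse_mail_access(text):
    """Keep only MailItemsAccessed records; one JSON object per input line."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [r for r in recs if r.get("Operation") == "MailItemsAccessed"]

def find_anomalies(records, known_ips, bind_threshold=200):
    """Flag (user, ip) pairs using the two heuristics the advisory names:
    unusual volume of mail accessed and traffic from an unfamiliar IP."""
    volume = defaultdict(int)   # (user, ip) -> messages opened via Bind
    synced = set()              # (user, ip) pairs that performed a folder Sync
    for rec in records:
        key = (rec["UserId"], rec["ClientIPAddress"])
        if rec.get("MailAccessType") == "Sync":
            synced.add(key)
        else:
            volume[key] += int(rec.get("OperationCount", 0))
    findings = []
    for user, ip in sorted(set(volume) | synced):
        reasons = []
        if ip not in known_ips.get(user, set()):
            reasons.append("unknown-ip")
            if (user, ip) in synced:
                reasons.append("folder-sync-from-unknown-ip")
        if volume[(user, ip)] > bind_threshold:
            reasons.append(f"high-volume:{volume[(user, ip)]}")
        if reasons:
            findings.append({"user": user, "ip": ip, "reasons": reasons})
    return findings
```

The known-IP baseline would in practice come from weeks of the same audit log rather than a hand-written dictionary, and the volume threshold should be tuned per organization.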
Link to the joint advisory: https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf