Zero-day exploits are particularly challenging because the application vulnerability remains unknown until its exploited. Then, the company has to jump into remediation mode which may lack an appropriate game plan. Meanwhile, as long as a hacker knows about the vulnerability and the company does not, the hacker may be able to use the vulnerability in various ways, such as to discover user IDs and passwords, to develop potential phishing contact lists, to view and exfiltrate sensitive data, inject malware, etc,
Essentially, a zero-day vulnerability provides the hacker(s) who discover it the gift of time to wreak whatever form of havoc they want while the potential victims continue with business as usual. Eventually, the motive for the attack and the vulnerability become clear to the primary victim who must now explain a breach to management, shareholders, partners, customers and the media. Of course, there are organizations that say as little as possible and in those cases, the media, former employees and others may craft their own narrative.
Why Zero-Day Vulnerabilities Are Becoming More Worrisome
As if the nature of zero-day vulnerabilities aren’t enough to keep CISOs and their teams up at night, there’s a trend toward supply chain attacks, meaning that the zero-day vulnerability could have far-reaching impacts for the company, its partners and customer. The Kayesa ransomware attack is the most recent example of a zero-day exploit that’s also a supply chain attack.
Interestingly, The Register reported that Kayesa did not consider its incident a supply chain attack which is worth discussing. If the harm flows from a company to its customers and even further still to those customers’ customers, then it is a supply chain attack. Creating malicious open source components or infecting open source projects is another type of supply chain attack.
The purpose of a supply chain attack is to maximize the blast radius to inflict the greatest amount of damage and/or make the maximum amount of money.
Hackers Have the Upper Hand
Most security teams lack the expertise, human resources, and tools they need to protect the organization adequately. Hackers have all kinds of help. They share information and tips on the DarkWeb and they can buy exploit kits instead of building them. A hacker only has to find one vulnerability to succeed with an attack while the victim’s CISO and team need to protect the organization from every possible kind of attack. It’s asymmetric warfare.
Days, weeks, or months may pass between the time a bad actor discovers a vulnerability and when they weaponize that vulnerability. Then, when the attack is discovered, the security team is expected to fix the problem right now which typically doesn’t happen. First, the security team needs to understand what was compromised and how it was compromised before they can decide how to remediate the issue. To stop the spread of an attack, they may need to shut down entire systems and their customers may have to shut down their systems until a patch can be developed. Sometimes that happens in a few days, sometimes it can take considerably longer and also involve a rollout plan that involves different versions of the product (e.g., SaaS and on-premises) and different geographies.
The Kayesa attack had a zero-day element and an n-day element. One CVE dated back to 2015 and the other (zero-day) was recently published.
Software vendors have been actively trying to move their customers to SaaS for some time. One of the most recent drivers is cyber security issues. Quite often a company will say an attack affected their on-premises customers, not their SaaS customers, which could provide a false sense of security. For example, the Kayesa breach required the company to update its SaaS product and its on-premises product (law enforcement and consultants were suggesting security enhancements in addition to the fixes. Companies and the vendors they choose need to proactively manage cloud security risks.
According to a report by ESG which was sponsored by Capsule8, zero-day exploits are the most prevalent attack in hybrid cloud environments. Forty-two percent of the 450 IT and information security professional survey respondents said their hybrid cloud environments had been attacked in the last year. Twenty-eight percent said the origin was a zero-day exploit.
The problem is complexity. There are multiple environments, multiple locations, multiple users accessing different systems and with time, more infrastructure is shifting to cloud-resident workloads and containerized apps. Still, the minor percentage of companies are cloud-native, still. Most have hybrid environments that consist of some combination of on-premises software, private cloud, and public cloud (of which there may be more than one, such as AWS and Azure).
Tools to Combat Zero-Day Attacks
There are two aspects to combating zero-day attacks: threat detection and threat prevention. Following are some tools that can help:
- Threat intelligence. The vendors who make these tools are constantly studying potential threats and transferring that knowledge to their tools. The tools use AI to discover patterns that may not be obvious otherwise.
- Behavioral monitoring. Identified anomalous behavior.
- Intelligent automation. The same AI that identifies a threat may also be able to neutralize it by using or creating a fix.
- Intrusion detection and prevention (IDS and IPS). The names are self-explanatory. Organizations should use both.
- Vulnerability scanning. While it won’t catch all zero-day threats, it may identify issues in a software update.
- Network access control. Prevent unauthorized machines from connecting to the network. This may also help minimize the potential impact of a zero-day threat.
- Firewall. As old as they are, they’re still valuable. Configuring for only some types of transactions may help narrow the scope of possible zero-day threats.
- Anti-virus. Bad actors tend to target many different companies with a zero-day attack. Once the signature has been discovered, McAfee, Norton et al. will update their software against the threat to help stop its spread.
- Next-generation anti-virus. This combines threat intelligence, behavioral analysis and code analysis for the purpose of identifying zero-day threats.
- Patches. Once a threat has been identified and a fix released via a patch, install it ASAP.
- Incident response plan. While an incident response plan won’t prevent a zero-day attack, it can help speed remediation because there’s a plan describing what to do. Clearly, from a hacker’s point of view, the upside of a zero-day attack is its surprise factor. While you may not be able to anticipate the exact attack, you can have a game plan that simply needs to be modified as opposed to created during the panic phase of an attack.
- Cyber hygiene training. People are can be the weak link enabling zero-day exploits.