Zero-day exploits do exactly what they say on the tin: they take advantage of a previously unknown vulnerability in software, so it is the attack itself that alerts the world to the security flaw. No advance warning, no fixes immediately available.
While such attacks are relatively rare, and the window of exposure narrows once the supplier ships a patch, their impact can be huge. Some zero days may expose you to no real risk, but others could give an attacker remote access to your most sensitive data.
Make no mistake: zero-day exploits are big business nowadays. If the good guys are working hard to find security flaws in hardware and software so they can be fixed, then the bad guys are working even harder to get there first and cash in – although not necessarily by launching an attack.
In September 2017, one exploit acquisition broker offered $1m for exploits affecting Tor Browser on Tails Linux and Windows, and the going rate for zero-day vulnerabilities in popular messaging apps is $500,000. The sheer scale of these bounties makes the choice of customer a no-brainer for a hacker with a premium zero-day exploit to turn into a good payday.
This year, the Shadow Brokers, the group that leaked the NSA’s EternalBlue exploit used to power WannaCry, offered a subscription-based exploit service to hackers, security companies, governments, and anyone else prepared to stump up the necessary cryptocurrency.
The monthly dump service promises exploits targeting web browsers, routers, mobile phones and Windows 10.
Patches and promises
In theory, the exploit is over once a patch is released, but even if you move fast to secure your own enterprise, you may be at the mercy of someone else’s still unsecured operation. Has the trusted supplier with access to your data fixed the same security flaw?
Zero-day vulnerabilities found by white-hat researchers during security testing are usually reported to suppliers to patch, but can suppliers always be trusted to do so? Some organisations fail to acknowledge a flaw on cost-benefit grounds, which pushes researchers to publish details to force a fix. Google’s Project Zero enforces a 90-day disclosure deadline and has routinely published details of Microsoft vulnerabilities that remained unpatched when that deadline passed.
Firewall and endpoint security suppliers may claim their products offer complete protection against zero days. They do not. Antivirus technology has moved away from its dependence on signatures, because attackers can trivially alter a sample so that its signature changes, and suppliers now compete on heuristic and behavioural analysis, but such products are not foolproof. So what can you do to keep your enterprise as safe as possible?
A zero-day game plan
- Disable highly vulnerable software. Some software is more prone to new vulnerabilities than others: Adobe Flash is the prime example, and the Java browser plugin has been the target of many zero-day exploits.
- Reduce your attack surface. The less software you run, the fewer opportunities for a breach. Avoid exposing server software to the internet wherever possible, and bind services that only need local access to the loopback interface rather than to every interface.
- Retire redundant applications. If you no longer use the software, remove it as a potential attack vector.
- Scrutinise security around new technology. Whenever a new application is added to the technology stack, plan lifelong security at its inception to ensure continued correct levels of support and patching.
- Keep software updated. A robust and regular patching policy will not prevent a zero-day attack, but it will ensure you are protected as soon as a patch is issued and applied.
- Use security information and event management (SIEM) software. Correctly tuned, a SIEM correlates logs and alerts from across your estate in near real time; it will not stop an unknown exploit, but it can reveal the intrusion early and shield you from the full fallout of a zero-day exploit.
- Employ behaviour-based antivirus protection. Heuristic algorithms may spot malicious behaviour that signature-based anti-virus products cannot detect.
- Sign up to threat intelligence programmes. The sooner you hear about a new zero-day threat, the sooner you can apply the patch, or a workaround until one exists.
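Three of those steps (reducing the attack surface, retiring redundant software and keeping up with patches) come down to knowing what is listening on the network and which version of each package is installed. The script below is an added example, not code from the original article: it triages constructed inventories, parsing text in the shape of `ss -tlnp` output to find services bound to non-loopback addresses, comparing installed package versions against a hypothetical table of fixed versions, and listing packages on a hypothetical retire list. The package names, versions, ports and process names are all made up.

```python
"""Attack-surface and patch-lag triage over constructed inventories.

Added example, not from the original article. Inputs are made-up text in the
shape of `ss -tlnp` output and a "name version" package list; FIXED_IN and
RETIRE are hypothetical tables you would populate from supplier advisories,
a threat intelligence feed and your own software policy.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "addr port process")

# Constructed sample in the layout of `ss -tlnp` (not captured from a real host).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=901,fd=20))
LISTEN  0       511     0.0.0.0:8080         0.0.0.0:*          users:(("java",pid=1337,fd=5))
LISTEN  0       128     [::]:445             [::]:*             users:(("smbd",pid=1501,fd=8))
LISTEN  0       64      0.0.0.0:5900         0.0.0.0:*          users:(("tightvnc",pid=1602,fd=3))
"""

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_text):
    """Turn `ss -tlnp` style lines into Listener records; header and unknown lines are skipped."""
    out = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return out


def exposed(listeners):
    """Listeners not bound to loopback: reachable from the network, so part of the attack surface."""
    return [l for l in listeners if l.addr not in LOOPBACK]


# Constructed package inventory, one "name version" pair per line.
INSTALLED = """\
openssh-server 7.4p1-10
samba 4.5.8
openjdk-8-jre 8u131
flashplugin-nonfree 26.0.0.131
"""

# Hypothetical "fixed in" versions; in practice these come from supplier advisories.
FIXED_IN = {
    "samba": "4.5.10",
    "openjdk-8-jre": "8u141",
    "flashplugin-nonfree": "26.0.0.151",
}

# Hypothetical retire list: software the game plan says to remove outright.
RETIRE = {"flashplugin-nonfree"}


def version_key(v):
    """Split a version string into comparable chunks: numeric runs as ints, text as-is.

    Tagging each chunk (0 for numbers, 1 for text) keeps mixed comparisons
    well-defined, so "4.5.8" < "4.5.10" and "8u131" < "8u141".
    """
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.split(r"(\d+)", v) if t]


def patch_lag(installed_text, fixed_in):
    """Packages whose installed version is older than the version that fixes a known flaw."""
    lagging = []
    for line in installed_text.splitlines():
        name, ver = line.split()
        fixed = fixed_in.get(name)
        if fixed and version_key(ver) < version_key(fixed):
            lagging.append((name, ver, fixed))
    return lagging


def to_retire(installed_text, retire):
    """Packages on the retire list that are still installed."""
    return [line.split()[0] for line in installed_text.splitlines() if line.split()[0] in retire]


if __name__ == "__main__":
    for l in exposed(parse_listeners(SS_OUTPUT)):
        print(f"EXPOSED  {l.process:10} {l.addr}:{l.port}")
    for name, have, need in patch_lag(INSTALLED, FIXED_IN):
        print(f"LAGGING  {name:20} {have} < {need}")
    for name in to_retire(INSTALLED, RETIRE):
        print(f"RETIRE   {name}")
```

On the constructed data the script reports four network-facing services (SSH, a Java web service, SMB and VNC), three packages behind their fixed versions, and the Flash plugin as something to remove; the MySQL listener bound to 127.0.0.1 is correctly left out of the exposed list.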
There are three key elements the C-suite should focus on:
- Patching: have you put in place a strict set of rules and dates?
- Layering: are you wholly reliant on one security supplier or do you have a multi-layered defence?
- Response: have you got a robust incident response plan?
Recent zero days have varied a great deal technically, but your organisation’s reaction to each should have followed the same pattern, so consider this:
- How early was the risk to your organisation identified following the release of the vulnerability?
- What information would have been exposed, and did you have other mitigating controls in place?
- How soon did you manage to patch?
- Would you have noticed an attacker attempting to exploit the vulnerability?
- Did your enterprise measure up? Or do you still have work to do?
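The question of whether you would have noticed an attacker is only answerable if a detection exists for the behaviour an exploit produces. As an added example, not from the original article, the script below runs a SIEM-style rule over constructed flow logs: it raises an alert when one source reaches ten or more distinct hosts on TCP/445 within sixty seconds, the lateral-movement pattern that WannaCry’s EternalBlue-based spread generated, while a workstation that keeps reopening the same file share, or a host that touches many peers slowly over an hour, stays quiet. The CSV layout, addresses and timestamps are all made up.

```python
"""SIEM-style detection over constructed flow logs.

Added example, not from the original article. It flags a source that fans out
to many distinct peers on TCP/445 within a short window, the pattern
WannaCry's EternalBlue-driven spread produced. The CSV layout is a
hypothetical firewall export, not any real vendor's format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445


def _build_sample_log():
    """Constructed log: one benign file-share client, one slow crawler, one fast sweep."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    rows = ["ts,src,dst,dport,action"]
    # Benign: a workstation reopening the same file server every 30 s.
    for i in range(20):
        rows.append(f"{(base + timedelta(seconds=30 * i)).isoformat()},10.1.2.50,10.1.2.5,445,allow")
    # Slow: 15 distinct peers on 445, one every five minutes (admin tooling, say).
    for i in range(15):
        rows.append(f"{(base + timedelta(minutes=5 * i)).isoformat()},10.1.2.77,10.1.2.{200 + i},445,allow")
    # Suspicious: one host sweeping a /24 on 445 at 2 s intervals.
    for i in range(12):
        rows.append(f"{(base + timedelta(seconds=2 * i)).isoformat()},10.1.2.15,10.1.2.{100 + i},445,deny")
    # Unrelated traffic on another port from the same host; must not count.
    rows.append(f"{base.isoformat()},10.1.2.15,93.184.216.34,443,allow")
    return "\n".join(rows)


SAMPLE_LOG = _build_sample_log()


def parse_events(text):
    """CSV rows -> (timestamp, src, dst, dport) tuples, sorted by time."""
    events = []
    for r in csv.DictReader(io.StringIO(text)):
        events.append((datetime.fromisoformat(r["ts"]), r["src"], r["dst"], int(r["dport"])))
    return sorted(events)


def smb_fanout_alerts(events, window_seconds=60, threshold=10):
    """Return (src, window_start, distinct_peers) for each source that reaches
    `threshold` or more distinct hosts on SMB inside any window of `window_seconds`.

    Denied and allowed connections both count: a worm probing blocked hosts is
    still a worm. One alert per source is enough to raise an incident.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = []
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peers = {dst for _, dst in hits[start:end + 1]}
            if len(peers) >= threshold:
                alerts.append((src, hits[start][0], len(peers)))
                break
    return alerts


if __name__ == "__main__":
    for src, when, n in smb_fanout_alerts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {when.isoformat()} {src} reached {n} distinct hosts on tcp/445 within 60 s")
```

The threshold and window are the tuning knobs the SIEM point above refers to: widen the window to two hours and the slow crawler also trips the rule, which is the kind of false positive that gets a badly tuned rule switched off, while raising the threshold above the number of hosts a real sweep touches makes the rule blind.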