Mitigating Zero Day Attacks With a Detection, Prevention and Response Strategy

essidsolutions

In a zero-day attack scenario, threat actors discover previously unknown vulnerabilities and formulate one or more ways to exploit them. Organizations are, therefore, at risk of suffering surprise attacks at all times. Let’s look at how organizations can create and manage tools, techniques, and procedures (TTP) to mitigate risks posed by zero-day attacks. 

Zero-day attacks (ZDA) are one of the most challenging aspects of risk management. Managing risk requires some idea of the probable threats faced and the strength of our attack surface. ZDAs, however, exploit unknown weaknesses. Consequently, organizations must design their networks, systems, and related management procedures to prevent, deter, detect, and respond to ZDAs.

Zero-day Vulnerabilities

ZDAs exploit zero-day vulnerabilities. Cynet defines zero-day vulnerabilities as weaknesses in information technology or facility defenses that threat actors discover before the vendor and its customers know about them. Vulnerabilities are also introduced when engineers or administrators make changes that inadvertently create opportunities for threat actors on the attack surface. The introduction of zero-day vulnerabilities allows threat actors to create exploits and attack vulnerable targets before the target organizations can defend against them.

Zero-day exploits are eventually blocked with vendor patches or changes to target controls, but organizations should never rely on quick identification of zero-day vulnerabilities. In some cases, advanced persistent threat (APT) groups have used them for months before researchers, customers, or other sources notified the vendor of the weakness.

An example of a zero-day APT is the zero-day exploit against on-premises Microsoft Exchange servers. Tara Seals reports that at least ten nation-state-backed groups used four vulnerabilities unknown to Microsoft or its customers to launch attacks globally. The Chinese threat actor Hafnium was able to access email accounts, steal data, and install malware.

The ZDA and Exploit Timeline

The timeline beginning with discovering a zero-day vulnerability varies in length, but the phases are constant across different instances. Figure 1 shows the timeline usually followed when a zero-day vulnerability is found in an operating system, for example.

Figure 1: Zero-day Vulnerability and Attack Timeline

Vulnerabilities are introduced by vendor software/firmware or by network/server engineer misconfigurations. Another way to introduce a vulnerability is to inject altered code into an upstream software/firmware supply chain, as I describe in Supply Chain Attacks: Why Risk Management and Business Continuity Planning are Essential.  

In a zero-day situation, threat actors discover the vulnerability and create one or more ways to exploit it. In some cases, a security researcher might find the vulnerability and publicize it before notifying the vendor or after waiting for a vendor response that never comes. In either case, affected organizations are at immediate and potentially long-term risk of an attack.

When the vulnerability and its exploits are publicized, multiple actions are taken. Once exploits are discovered, anti-malware vendors will work on updating their products to detect and stop them. Vendors of the affected software or firmware publish mitigation steps their customers can use until patches are available.  

Patches or other eradication methods are developed and released by the vendor. The customer organizations then have to test the solution and implement it so that it does not cause an unnecessary and significant adverse business impact.

This process can take weeks or months, and it assumes that the vulnerability or related exploits are found at all. In narrowly targeted attacks, the vulnerability and exploit may not be discovered for months. In the case of misconfigurations, the vulnerability may never be discovered if active steps are not taken regularly to find network, server, and application weaknesses.

Managing ZDA Through Prevention, Detection and Response

Zero-day vulnerabilities and associated attacks will continue through the foreseeable future. As long as human error and supply chain attack surfaces exist, organizations must create and closely manage tools, techniques, and procedures (TTP) to mitigate the risk. Figure 2 shows 10 TTPs that can help manage zero-day risk. I divide these into three categories: prevention, detection, and response.

Figure 2: Zero-day Defense TTP

Prevention

Prevention safeguards help avoid misconfigurations and weaknesses that could enable or augment zero-day attacks.

  • Attack surface minimization. Minimizing network and system attack surfaces requires shutting down all entry points where human/process authentication is not required. Patching also falls under this safeguard.  
  • Configuration management. As part of change management, configuration management requires reviews and sign-offs by engineering and security teams for either new implementations or changes to network devices, servers, or end-user devices. This helps provide multiple assessments of the security impact of making changes to network devices, servers, and user devices.
  • Firewall configurations. Firewalls should block all traffic not needed to complete business tasks. This includes preventing internal devices from initiating unusual connections to external devices. It also addresses IoT or application connections for automatic updates. Because of the increased risk associated with supply chain attacks, organizations should restrict update access as part of closely managing vendor updates.
  • Anti-malware. Existing exploits might be modified or used to leverage a zero-day vulnerability. Using continuously updated anti-malware helps stop attacks that resemble known attacks. It is also an essential part of the response. Quick anti-malware updates are often part of detecting and blocking zero-day attacks.
  • Application whitelisting. Organizations should prevent users from installing applications not on an approved list, and IT should review all updates to approved applications before allowing employee use. This helps IT track what is installed on the network and the versions used, vital during detection and response activities.

Detection

  • Vulnerability scanning. Vulnerabilities exist regardless of how well organizations try to prevent them. Vulnerability scanners, like Nessus, help identify known vulnerabilities and help manage them if used regularly and effectively. Organizations should consider at least quarterly scans of critical production systems. In addition, all new systems should be scanned before they are placed into production. Finally, code scanning is needed to ensure that common coding errors that open up opportunities for threat actors do not exist.
  • Penetration testing. Scanning cannot find all attack surface gaps, so we also need authorized humans to attempt to leverage code and configurations to attack systems successfully. Penetration tests can also help identify better ways to detect and respond to zero-day attacks.
  • Threat management. Managing threats includes continuous identification of emerging threats and their TTP. It also assumes that there are always unknown vulnerabilities. As part of an overall threat management effort, threat hunting looks for indicators of attack that potentially show active threat actors going after both known and unknown vulnerabilities.
  • Behavior and log analysis. Again, organizations must assume there are vulnerabilities on their systems and networks, and that threat actors know about them. Security teams should understand baseline network, endpoint, and user behavior so that they can identify statistical deviations outside baseline limits. Also needed are the aggregation, correlation, and analysis of logs from critical network devices and systems. The identification and analysis of compromise and attack indicators must consider abnormal behavior related to zero-day attacks.
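The baseline-deviation idea from the detection list above, worked as an added example that is not from the article: per host, it compares one day's count of distinct outbound destinations with the host's own baseline from earlier days (a z-score), floors a flat baseline's standard deviation so the score stays finite, and lists destinations the baseline never saw. The host names, addresses, and log format are constructed for the example.

```python
import statistics
from collections import defaultdict
# Constructed sample log lines (not from the article): "<day> <src_host> <dst_ip>".
# Days 1-3 establish each host's baseline; day 4 is the day under review.
LOG_LINES = """\
1 ws-17 203.0.113.10
1 ws-17 203.0.113.20
2 ws-17 203.0.113.10
2 ws-17 203.0.113.20
3 ws-17 203.0.113.10
3 ws-17 203.0.113.20
3 ws-17 203.0.113.30
4 ws-17 203.0.113.10
4 ws-17 203.0.113.20
4 ws-17 198.51.100.5
4 ws-17 198.51.100.6
4 ws-17 198.51.100.7
1 srv-02 203.0.113.40
2 srv-02 203.0.113.40
3 srv-02 203.0.113.40
4 srv-02 203.0.113.40
4 srv-02 198.51.100.9
"""

def parse(lines):
    """Return {host: {day: set(dst)}} from whitespace-separated log lines."""
    by_host = defaultdict(lambda: defaultdict(set))
    for line in lines.splitlines():
        if line.strip():
            day, host, dst = line.split()
            by_host[host][int(day)].add(dst)
    return by_host

def analyze(lines, review_day, z_threshold=3.0, min_stdev=0.5):
    """Score each host's review_day destination count against its earlier-day baseline."""
    report = {}
    for host, days in parse(lines).items():
        baseline = [dsts for day, dsts in days.items() if day < review_day]
        counts = [len(dsts) for dsts in baseline]
        if not counts:
            continue  # host has no baseline yet; nothing to compare against
        today = days.get(review_day, set())
        # Flat baseline -> stdev 0; floor it so z stays finite and one extra destination is not extreme.
        stdev = max(statistics.stdev(counts) if len(counts) > 1 else 0.0, min_stdev)
        z = (len(today) - statistics.mean(counts)) / stdev
        report[host] = {"z": round(z, 2), "flagged": z >= z_threshold,
                        "new_destinations": sorted(today - set().union(*baseline))}
    return report

if __name__ == "__main__":
    print(analyze(LOG_LINES, review_day=4))
```

In the sample, ws-17 is flagged (five destinations against a baseline of two to three), while srv-02 stays under the threshold but still reports one never-before-seen destination worth a look.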

Response

Potential zero-day vulnerabilities exist on the attack surfaces of all organizations, so zero-day attacks are probable for everyone. This requires the creation of a trained incident response team. Organizations that cannot afford an internal team should engage with response service providers.

The response begins with creating a technology environment that is reasonable to manage when an incident is detected. For example, network segmentation helps isolate identified threats. Log and behavior management help identify and assess possible attacks.

The free Incident Management and Response Guide provides the TTP needed to create a team and develop response procedures.

Final thoughts

Zero-day attacks against previously unknown vulnerabilities are not going away. Organizations must take steps to prevent, detect, and respond to threat actors who know about coding weaknesses, misconfigurations, or other attack opportunities not known to vendors or target organizations.

The steps listed in this article are part of a continuous effort to identify and manage vulnerabilities and prepare for attacks.  

Do you think that these strategies can help in mitigating zero-day attacks on organizations? Comment below or let us know on LinkedIn, Twitter, or Facebook. We’d love to hear from you.