Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just over Memorial Day weekend, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because blue teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they’ve accessed an organization’s environment to observe and exfiltrate data while remaining completely unseen.
And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there are some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.
How Do Zero-Days Work?
Typically, a zero-day gains access to an environment through a previously unseen vulnerability, then stealthily maps the environment and, when ready, launches the attack. By that point it is far too late for an incident response team to prevent further damage. Staying alert for these slow-burn attacks requires an approach to security that prioritizes looking for certain techniques and behaviors that a hacker or known threat group may use, rather than scanning for specific pieces of malware. In other words, ensure that the technology your organization has is sufficient for protecting against the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.
While it might sound like a broken record, patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the Dark Web or more legitimate forums like GitHub, most vendors will develop a patch. Staying on top of guidance from industry organizations like (ISC)² or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploits that are most relevant and most risky to your organization.
However, zero-day exploits are those that the vendor doesn’t know exist, and therefore no patch is available. It’s very difficult to defend against these without protections and detections that are broad enough to identify tactics, techniques, and procedures. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense.
Above all, investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur. By placing hands on keyboards and unlocking visibility into all aspects of an ecosystem, a security team can more readily detect hints that a zero-day might be targeted against them and deploy necessary patches. For example, if a robot you operate in the US randomly connects to a server in Ukraine without any other unusual behavior, it might signal that a zero-day has been leveraged. And while there may have been an initial access into your robot or environment through a zero-day, having a broad view of your IT security ecosystem, along with technologies like artificial intelligence, can alert an incident response team to create a patch for a vulnerability as soon as possible.
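The robot example above can be expressed as a behavioral detection. The following is an added illustration, not part of the original article: it learns which destination countries each asset normally contacts and flags the first connection to a country that asset has never used. The flow records, asset names and the already-enriched country column are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real telemetry): time, asset, dest IP, dest country.
# Assumption: the country column was filled in upstream by GeoIP enrichment.
SAMPLE_FLOWS = """\
2022-06-01T08:00:00 robot-07 198.51.100.10 US
2022-06-02T08:00:00 robot-07 198.51.100.10 US
2022-06-02T10:30:00 laptop-12 198.51.100.20 US
2022-06-03T08:00:00 robot-07 198.51.100.11 US
2022-06-08T03:12:00 robot-07 203.0.113.45 UA
2022-06-08T08:00:00 robot-07 198.51.100.10 US
2022-06-08T09:00:00 laptop-12 192.0.2.77 DE
2022-06-09T03:15:00 robot-07 203.0.113.45 UA
"""

def parse(text):
    """Yield (timestamp, asset, dest_ip, country) tuples from flow lines."""
    for line in text.strip().splitlines():
        ts, asset, dst, country = line.split()
        yield datetime.fromisoformat(ts), asset, dst, country

def find_new_destinations(flows, baseline_end, min_baseline=3):
    """Learn per-asset destination countries before baseline_end, then return
    later flows that reach a country the asset has never contacted."""
    seen = defaultdict(set)    # asset -> countries observed so far
    count = defaultdict(int)   # asset -> number of baseline flows
    alerts = []
    for ts, asset, dst, country in sorted(flows):
        if ts < baseline_end:
            seen[asset].add(country)
            count[asset] += 1
        # Only alert for assets with enough history to trust the baseline.
        elif count[asset] >= min_baseline and country not in seen[asset]:
            alerts.append((ts.isoformat(), asset, dst, country))
            seen[asset].add(country)  # alert once per new country
    return alerts

def run_sample(min_baseline=3):
    """Baseline on the first week of June, then check the following days."""
    return find_new_destinations(parse(SAMPLE_FLOWS), datetime(2022, 6, 7), min_baseline)

if __name__ == "__main__":
    for alert in run_sample():
        print("new destination country:", *alert)
```

The `min_baseline` threshold keeps newly deployed assets with little history from generating alerts; lowering it trades fewer blind spots for more noise.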
Thankfully, even though more zero-days are being discovered than ever before, they’re still relatively rare in the world of cybersecurity. Up until the last several years, zero-day exploits were mostly identified and held closely by national governments, who wanted to save them to deploy whenever necessary. But the commercialization of hacking groups, including ransomware-as-a-service platforms, has created an ecosystem incentivizing the purchasing and selling of zero-days, often with the financial or technological resources of a nation-state in support.
With such capable attackers, virtually every business should be worried — from large companies that serve as final targets for hackers, to smaller companies that can serve as stepping stones in a sequence of attacks. Constant security operations can detect and mitigate threat actors lurking behind the scenes of an IT ecosystem through a zero-day exploit, no matter the origin. So, while patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.