How often have you heard a co-worker say that he or she had to put out a fire? Depending on your job role, you may have anywhere from one to more than a dozen so-called fires weekly.

A zero-day vulnerability is an example of a work-related fire that a security operations analyst might have to extinguish. Enterprises should be prepared to handle zero-day fires and seek to reduce the number of incidents that result from unpatched security vulnerabilities. After all, many of the successful breaches of the past decade caught fire before anyone ever spotted the smoke.

Putting It Into Perspective

One of 2017’s most troublesome zero-day flaws is the Apache Struts 2 vulnerability disclosed in March (CVE-2017-5638). Rated critical, this vulnerability, if exploited, can allow a remote attacker to execute commands on a compromised server. The black-hat community quickly leveraged this vulnerability and set up distributed attack mechanisms to use it in malicious activities. At its peak, according to IBM Managed Security Services (MSS) data, attack activity targeting clients monitored by X-Force increased to 48 times the average number of similar attacks for the time period assessed.

This vulnerability certainly is worrisome, but it is a small part of the overall picture. If you’re only addressing zero-day fires, you might miss out on all the other vulnerabilities that fuel a much larger percentage of attacks.

Case in point: Did you know that, according to IBM X-Force Exchange, there are 75 Apache Struts vulnerabilities dating back more than a decade? We know that attackers don’t just exploit the new threats — they exploit what works, old and new alike. It’s no surprise, then, that analysis of IBM MSS data from January through September 2017 shows that nearly half of all attack activity — 46 percent — included about two dozen other Apache Struts 2 vulnerabilities, some dating back to 2010.

Figure: Apache Struts attack activity. Source: IBM Managed Security Services (MSS) data, January 2017 – September 2017.

This example is not an anomaly. We see similar scenarios play out across most applications, servers and operating systems. For any given zero-day flaw, there are dozens, sometimes hundreds, of exploits targeting other vulnerabilities in the same piece of software or hardware that could lead to a breach or compromise if left unpatched.

The issue is further exacerbated when users keep applications they hardly use on their endpoints or mobile devices and fail to update them, opening themselves up to additional threats.

Extinguishing Zero-Day Fires

The notion that where there’s smoke, there’s fire is not necessarily applicable to the exploitation of a zero-day flaw. Zero-day exploits often spring up, like spontaneous combustion, with no warning. If you’re trolling around in underground cybercriminal channels, you might hear some rumblings before it hits the mainstream. Still, most enterprises aren’t aware of zero-day flaws until they are exploited.

Many of the zero-day vulnerabilities that attackers choose to exploit are the ones that generate the most bang for their buck — that is, affect the largest pool of potential victims — and are easy to exploit. To mitigate zero-day threats, organizations should implement the following strategies.

Asset Management

It’s important to note that zero-day flaws are just vulnerabilities for which there is no patch. Most won’t necessarily be considered critical in your environment. That’s why the time to begin identifying which IT assets could potentially be impacted is before a zero-day vulnerability is actively exploited.

An IT asset management (ITAM) program manages the life cycle and inventory of IT assets, both software and hardware. Without one, you are basically in the dark when it comes to your risk of exposure. It’s not just about knowing what’s installed in your environment — it’s knowing when software or hardware is no longer needed and taking action to uninstall those IT assets accordingly.
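As an added illustration of that point (example code, not from the original article), the script below matches an ITAM inventory export against an advisory’s affected version ranges, so the assets exposed to a flaw such as CVE-2017-5638 are known before exploitation starts, and unused installs are flagged for removal rather than patching. The hosts and inventory rows are constructed, and the version ranges are an assumption to verify against the vendor advisory.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.3.31' -> (2, 3, 31); a non-numeric piece such as 'GA' counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison. Python orders a shorter tuple before its
    extensions, so '2.5' falls inside a range starting at '2.5' and
    '2.5.10.1' falls above a range ending at '2.5.10'."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


# Constructed inventory rows in the shape an ITAM export might provide (hypothetical hosts).
INVENTORY: List[Dict[str, object]] = [
    {"host": "web-01", "product": "Apache Struts 2", "version": "2.3.31", "days_unused": 0},
    {"host": "web-02", "product": "Apache Struts 2", "version": "2.5.10.1", "days_unused": 0},
    {"host": "lab-07", "product": "Apache Struts 2", "version": "2.3.20", "days_unused": 120},
    {"host": "db-01", "product": "PostgreSQL", "version": "9.6", "days_unused": 0},
]

# Advisory entry for the CVE named in the article. The affected ranges are an
# assumption for illustration; confirm them against the vendor advisory.
ADVISORY = {
    "cve": "CVE-2017-5638",
    "product": "Apache Struts 2",
    "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
}


def exposed_assets(inventory, advisory, stale_after_days: int = 90):
    """Return (host, version, action) for each asset in an affected range.
    Software unused for stale_after_days is exposure without benefit, so the
    recommended action is removal instead of a patch or workaround."""
    hits = []
    for row in inventory:
        if row["product"] != advisory["product"]:
            continue
        if not any(in_range(row["version"], lo, hi) for lo, hi in advisory["affected"]):
            continue
        action = "uninstall" if row["days_unused"] >= stale_after_days else "patch or apply workaround"
        hits.append((row["host"], row["version"], action))
    return hits


if __name__ == "__main__":
    for host, version, action in exposed_assets(INVENTORY, ADVISORY):
        print(f"{host}: {ADVISORY['product']} {version} exposed to {ADVISORY['cve']} -> {action}")
```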

Network Visibility

An effective threat detection solution that conducts deep analysis in real time can help security teams quickly identify zero-day attacks. Traditional means of detection and prevention may be blind to new exploits, but security information and event management (SIEM) solutions can help you identify the symptoms to enable timely detection and remediation.

Incident Response Plan

If you’re compromised by a zero-day attack, ask yourself what’s worse: a big fire or a small flame? A comprehensive incident response plan (IRP) can help you shift your security stance from reactive to proactive, potentially saving a great deal of time and money.

According to the “2017 Cost of Data Breach Study: Global Analysis,” “an incident response team reduced the cost by as much as $19 per compromised record.” Your IRP should be a dynamic document that is reviewed regularly.

Apply the Workaround

Even for organizations that strive to apply every patch, sometimes there is no fix immediately available. There are, however, typically workarounds to compensate for the lack of a patch in the interim. This may not always be practical because many IT environments are complex. Conduct a risk assessment of the threat in the context of your organization to make decisions about reducing exposure and applying controls.

The Fuel: Unpatched Vulnerabilities

The Apache Software Foundation said it best: “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”

Indeed, one of this year’s most notorious threats had a patch available prior to the actual outbreak. Although a patch had been available since March 2017, the WannaCry ransomware began impacting organizations globally in May.

To stay on top of the vulnerabilities most likely to impact their organizations, security professionals should follow the steps and processes outlined below.

Vulnerability Scanning

Many organizations fail to sufficiently monitor published vulnerabilities that may affect the technology protecting their data. As a result, they are unaware of the risk and potential impact of a data breach.

Solutions that scan data infrastructures to detect vulnerabilities and exposures such as missing patches, weak passwords, unauthorized changes and misconfigured privileges can help identify threats and security gaps.

Patch Management

It’s not enough to just scan for vulnerabilities. Timely patch management is vital in organizations of all sizes. Security intelligence and data analytics tools, along with patch management solutions, can help bridge the gap between scanning and remediation activities.

Penetration Testing

Traditional security assessments often fail to identify outside-the-norm vulnerabilities. Consider augmenting the large volume of vulnerability scan reports, whether the scans are performed in-house or by a third party, with penetration testing services.

It’s important to set up a thorough security testing program to evaluate all your potential threat targets, including your network and embedded devices, hardware, applications and humans. If your organization wishes to focus its testing plan, it can tailor the project to include only the systems most exposed to the threats documented in your recent assessments. Moreover, the organization can mandate a white-box test to further save on time and costs. While the scope of this testing depends on the organization’s risk appetite, it should be a part of any security program that aims to minimize business risk.

We Didn’t Start the Fire

No, we didn’t start the fire — but we have to do our best to prevent fires, or at least contain and extinguish them.

Fires garner attention because they are big, bright, destructive and capable of expanding rapidly. The same goes for security threats. But, like fires, many security incidents are preventable. Examine your digital immune system to see if you’re prepared to address critical zero-day fires and the unpatched vulnerabilities that fuel them.
