How often have you heard a co-worker say that he or she had to put out a fire? Depending on your job role, you may have anywhere from one to more than a dozen so-called fires weekly.

A zero-day vulnerability is an example of a work-related fire that a security operations analyst might have to extinguish. Enterprises should be prepared to handle zero-day fires and seek to reduce the number of incidents that result from unpatched security vulnerabilities. After all, many of the successful breaches of the past decade caught fire before anyone ever spotted the smoke.

Putting It Into Perspective

One of 2017’s most troublesome zero-day flaws is the Apache Struts 2 vulnerability disclosed in March (CVE-2017-5638). Rated critical, this vulnerability, if exploited, allows a remote attacker to execute commands on the vulnerable server. The black-hat community quickly leveraged this vulnerability and set up distributed attack mechanisms to use it in malicious activities. At its peak, according to IBM Managed Security Services (MSS) data, attack activity targeting clients monitored by X-Force rose to 48 times the average number of similar attacks for the period assessed.

This vulnerability certainly is worrisome, but it is a small part of the overall picture. If you’re only addressing zero-day fires, you might miss out on all the other vulnerabilities that fuel a much larger percentage of attacks.

Case in point: Did you know that, according to IBM X-Force Exchange, there are 75 Apache Struts vulnerabilities dating back more than a decade? We know that attackers don’t just exploit the new threats — they exploit what works, old and new alike. It’s no surprise, then, that analysis of IBM MSS data from January through September 2017 shows that nearly half of all attack activity — 46 percent — included about two dozen other Apache Struts 2 vulnerabilities, some dating back to 2010.

Source: IBM Managed Security Services (MSS) data. (January 2017 – September 2017)

This example is not an anomaly. We see similar scenarios play out across most applications, servers and operating systems. For any given zero-day flaw, there are dozens, sometimes hundreds, of exploits targeting older vulnerabilities in the same software or hardware, any of which could lead to a breach or compromise if left unpatched.

The issue is further exacerbated when users keep applications they hardly use on their endpoints or mobile devices and fail to update them, opening themselves up to additional threats.

Extinguishing Zero-Day Fires

The notion that where there’s smoke, there’s fire is not necessarily applicable to the exploitation of a zero-day flaw. Zero-day exploits often spring up, like spontaneous combustion, with no warning. If you’re trawling underground cybercriminal channels, you might hear some rumblings before it hits the mainstream. Still, most enterprises aren’t aware of zero-day flaws until they are exploited.

Many of the zero-day vulnerabilities that attackers choose to exploit are the ones that generate the most bang for their buck — that is, the ones that affect the largest pool of potential victims and are easy to exploit. To mitigate zero-day threats, organizations should implement the following strategies.

Asset Management

It’s important to note that zero-day flaws are just vulnerabilities for which there is no patch. Most won’t necessarily be considered critical in your environment. That’s why the time to begin identifying which IT assets could potentially be impacted is before a zero-day vulnerability is actively exploited.

An IT asset management (ITAM) program manages the life cycle and inventory of IT assets, both software and hardware. Without one, you are basically in the dark when it comes to your risk exposure. It’s not just about knowing what’s installed in your environment — it’s knowing when software or hardware is no longer needed and taking action to uninstall those IT assets accordingly.
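As an added example (not from the original article), this is the kind of cross-check an ITAM inventory makes possible: a constructed inventory of hosts and installed software versions is checked against the affected version ranges for CVE-2017-5638 (taken from the Apache Struts advisory S2-045), and affected installs that nobody has used for months are flagged for removal rather than for patching. The hostnames, inventory rows and the 180-day idle threshold are hypothetical.

```python
from datetime import date

# Inclusive affected ranges from Apache Struts advisory S2-045 (CVE-2017-5638);
# the fixed releases are 2.3.32 and 2.5.10.1.
STRUTS_AFFECTED = [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]

# Constructed sample ITAM export (hypothetical hosts); "last_used" is the date
# the component was last observed in use, as an inventory agent might record.
INVENTORY = [
    {"host": "web-01", "software": "apache-struts2", "version": "2.3.20", "last_used": "2017-09-01"},
    {"host": "web-02", "software": "apache-struts2", "version": "2.5.10.1", "last_used": "2017-09-03"},
    {"host": "legacy-07", "software": "apache-struts2", "version": "2.3.31", "last_used": "2016-11-20"},
    {"host": "build-03", "software": "openjdk", "version": "8.0.141", "last_used": "2017-08-29"},
]


def parse_version(v):
    """Turn '2.3.20' into (2, 3, 20) so versions compare numerically, not as strings.
    Assumes dotted integer components, which is what Struts releases use."""
    return tuple(int(p) for p in v.split("."))


def in_range(version, low, high):
    """Inclusive range check on version tuples; (2, 5) <= (2, 5, 3) holds,
    and (2, 5, 10, 1) > (2, 5, 10), so the fixed 2.5.10.1 falls outside."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def is_affected(software, version):
    """True when the inventory row is a Struts 2 install inside an affected range."""
    return software == "apache-struts2" and any(in_range(version, lo, hi) for lo, hi in STRUTS_AFFECTED)


def triage(inventory, today, stale_days=180):
    """Return (affected hosts, affected hosts idle for at least stale_days).
    The second list is the uninstall candidates: removing unused software
    shrinks the exposed surface without waiting for a patch."""
    affected, stale = [], []
    for item in inventory:
        if not is_affected(item["software"], item["version"]):
            continue
        affected.append(item["host"])
        idle_days = (today - date.fromisoformat(item["last_used"])).days
        if idle_days >= stale_days:
            stale.append(item["host"])
    return affected, stale


if __name__ == "__main__":
    hit, unused = triage(INVENTORY, date(2017, 9, 15))
    print("patch:", hit)        # hosts exposed to CVE-2017-5638
    print("uninstall:", unused)  # exposed and unused for 180+ days
```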

Network Visibility

An effective threat detection solution that conducts deep analysis in real time can help security teams quickly identify zero-day attacks. Traditional means of detection and prevention may be blind to new exploits, but security information and event management (SIEM) solutions can help you identify the symptoms to enable timely detection and remediation.

Incident Response Plan

If you’re compromised by a zero-day attack, ask yourself what’s worse: a big fire or a small flame? A comprehensive incident response plan (IRP) can help you shift your security stance from reactive to proactive, potentially saving a great deal of time and money.

According to the “2017 Cost of Data Breach Study: Global Analysis,” “an incident response team reduced the cost by as much as $19 per compromised record.” Your IRP should be a dynamic document that is reviewed regularly.

Apply the Workaround

Even for organizations that strive to apply every patch, sometimes there is no fix immediately available. There are, however, typically workarounds to compensate for the lack of a patch in the interim. This may not always be practical because many IT environments are complex. Conduct a risk assessment of the threat in the context of your organization to make decisions about reducing exposure and applying controls.

The Fuel: Unpatched Vulnerabilities

The Apache Software Foundation said it best: “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”

Indeed, one of this year’s most notorious threats had a patch available prior to the actual outbreak. Although a patch had been available since March 2017, the WannaCry ransomware began impacting organizations globally in May.

To stay on top of the vulnerabilities most likely to impact their organizations, security professionals should follow the steps and processes outlined below.

Vulnerability Scanning

Many organizations fail to sufficiently monitor published vulnerabilities that may affect the technology protecting their data. As a result, they are unaware of the risk and potential impact of a data breach.

Solutions that scan data infrastructures to detect vulnerabilities and exposures such as missing patches, weak passwords, unauthorized changes and misconfigured privileges can help identify threats and security gaps.

Patch Management

It’s not enough to just scan for vulnerabilities. Timely patch management is vital in organizations of all sizes. Security intelligence and data analytics tools, along with patch management solutions, can help bridge the gap between scanning and remediation activities.

Penetration Testing

Traditional security assessments often fail to identify outside-the-norm vulnerabilities. Consider augmenting the large volume of vulnerability scan reports, whether produced in-house or by a third party, with penetration testing services.

It’s important to set up a thorough security testing program to evaluate all your potential threat targets, including your network and embedded devices, hardware, applications and humans. If your organization wishes to focus its testing plan, it can tailor the project to include only the systems most exposed to the threats documented in your recent assessments. Moreover, the organization can mandate a white-box test to further save on time and costs. While the scope of this testing depends on the organization’s risk appetite, it should be a part of any security program that aims to minimize business risk.

We Didn’t Start the Fire

No, we didn’t start the fire — but we have to do our best to prevent fires, or at least contain and extinguish them.

Fires garner attention because they are big, bright, destructive and capable of expanding rapidly. The same goes for security threats. But, like fires, many security incidents are preventable. Examine your digital immune system to see if you’re prepared to address critical zero-day fires and the unpatched vulnerabilities that fuel them.
