Don’t Just Put Out the Zero-Day Fire — Get Rid of the Fuel
How often have you heard a co-worker say that he or she had to put out a fire? Depending on your job role, you may have anywhere from one to more than a dozen so-called fires weekly.
A zero-day vulnerability is an example of a work-related fire that a security operations analyst might have to extinguish. Enterprises should be prepared to handle zero-day fires and seek to reduce the number of incidents that result from unpatched security vulnerabilities. After all, many of the successful breaches of the past decade caught fire before anyone ever spotted the smoke.
Putting It Into Perspective
One of 2017’s most troublesome zero-day flaws is the Apache Struts 2 vulnerability, which was disclosed in March (CVE-2017-5638). Defined as critical, this vulnerability, if exploited, can allow a remote attacker to execute commands on a compromised server. The black-hat community quickly leveraged this vulnerability and set up distributed attack mechanisms to use it in malicious activities. At its peak, according to IBM Managed Security Services (MSS) data, attack activity targeting clients monitored by X-Force increased 48 times above the average number of similar attacks for the time period assessed.
This vulnerability certainly is worrisome, but it is a small part of the overall picture. If you’re only addressing zero-day fires, you might miss out on all the other vulnerabilities that fuel a much larger percentage of attacks.
Case in point: Did you know that, according to IBM X-Force Exchange, there are 75 Apache Struts vulnerabilities dating back more than a decade? We know that attackers don’t just exploit the new threats — they exploit what works, old and new alike. It’s no surprise, then, that analysis of IBM MSS data from January through September 2017 shows that nearly half of all attack activity — 46 percent — included about two dozen other Apache Struts 2 vulnerabilities, some dating back to 2010.
Source: IBM Managed Security Services (MSS) data. (January 2017 – September 2017)
This example is not an anomaly. We see similar scenarios play out across most applications, servers and operating systems. For any given zero-day flaw, there are dozens, sometimes hundreds, of exploits targeting a vulnerability in a particular piece of software or hardware that could lead to a breach or compromise if left unpatched.
The issue is further exacerbated when users keep applications they hardly use on their endpoints or mobile devices and fail to update them, opening themselves up to additional threats.
Extinguishing Zero-Day Fires
The notion that where there’s smoke, there’s fire is not necessarily applicable to the exploitation of a zero-day flaw. Zero-day exploits often spring up, like spontaneous combustion, with no warning. If you’re trolling around in underground cybercriminal channels, you might hear some rumblings before it hits the mainstream. Still, most enterprises aren’t aware of zero-day flaws until they are exploited.
Many of the zero-day vulnerabilities that attackers choose to exploit are the ones that generate the most bang for their buck — that is, they affect the largest pool of potential victims and are easy to exploit. To mitigate zero-day threats, organizations should implement the following strategies.
It’s important to note that zero-day flaws are just vulnerabilities for which there is no patch. Most won’t necessarily be considered critical in your environment. That’s why the time to begin identifying which IT assets could potentially be impacted is before a zero-day vulnerability is actively exploited.
An IT asset management (ITAM) program manages the life cycle and inventory of IT assets, both software and hardware. Without one, you are basically in the dark when it comes to exposure to risk. It’s not just about knowing what’s installed in your environment — it’s knowing when software or hardware is no longer needed and taking action to uninstall those IT assets accordingly.
An effective threat detection solution that conducts deep analysis in real time can help security teams quickly identify zero-day attacks. Traditional means of detection and prevention may be blind to new exploits, but security information and event management (SIEM) solutions can help you identify the symptoms to enable timely detection and remediation.
Incident Response Plan
If you’re compromised by a zero-day attack, ask yourself what’s worse: a big fire or a small flame? A comprehensive incident response plan (IRP) can help you shift your security stance from reactive to proactive, potentially saving a great deal of time and money.
According to the “2017 Cost of Data Breach Study: Global Analysis,” “an incident response team reduced the cost by as much as $19 per compromised record.” Your IRP should be a dynamic document that is reviewed regularly.
Apply the Workaround
Even for organizations that strive to apply every patch, sometimes there is no fix immediately available. There are, however, typically workarounds to compensate for the lack of a patch in the interim. This may not always be practical because many IT environments are complex. Conduct a risk assessment of the threat in the context of your organization to make decisions about reducing exposure and applying controls.
The Fuel: Unpatched Vulnerabilities
The Apache Software Foundation said it best: “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”
Indeed, one of this year’s most notorious threats had a patch available prior to the actual outbreak. Although a patch had been available since March 2017, the WannaCry ransomware began impacting organizations globally in May.
To stay on top of the vulnerabilities most likely to impact their organizations, security professionals should follow the steps and processes outlined below.
Many organizations fail to sufficiently monitor published vulnerabilities that may affect the technology protecting their data. As a result, they are unaware of the risk and potential impact of a data breach.
Solutions that scan data infrastructures to detect vulnerabilities and exposures such as missing patches, weak passwords, unauthorized changes and misconfigured privileges can help identify threats and security gaps.
It’s not enough to just scan for vulnerabilities. Timely patch management is vital in organizations of all sizes. Security intelligence and data analytics tools, along with patch management solutions, can help bridge the gap between scanning and remediation activities.
Traditional security assessments often fail to identify outside-the-norm vulnerabilities. Consider augmenting the massive quantities of vulnerability reports, whether performed in-house or by a third party, with penetration testing services.
It’s important to set up a thorough security testing program to evaluate all your potential threat targets, including your network and embedded devices, hardware, applications and humans. If your organization wishes to focus its testing plan, it can tailor the project to include only the systems most exposed to the threats documented in your recent assessments. Moreover, the organization can mandate a white-box test to further save on time and costs. While the scope of this testing depends on the organization’s risk appetite, it should be a part of any security program that aims to minimize business risk.
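As an added illustration (not part of the original article), the sketch below joins an asset inventory to a feed of published advisories, which is the link between the ITAM step and the monitoring, scanning and patch management steps described above. All hosts, packages, versions and advisory IDs are constructed placeholders; plain dotted numeric versions on a single release line and the 180-day "unused" threshold are assumptions.

```python
from datetime import date

# Constructed sample data: hosts, packages, versions and advisory IDs are placeholders.
TODAY = date(2017, 10, 1)
INVENTORY = [
    {"host": "web-01", "package": "example-framework", "version": "2.3.9", "last_used": date(2017, 9, 28)},
    {"host": "web-02", "package": "example-framework", "version": "2.3.32", "last_used": date(2017, 9, 30)},
    {"host": "hr-07", "package": "example-viewer", "version": "1.0.4", "last_used": date(2016, 2, 11)},
    {"host": "db-03", "package": "example-db-driver", "version": "4.1.0", "last_used": date(2017, 9, 29)},
]
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-A", "package": "example-framework", "fixed_in": "2.3.32", "published": date(2017, 3, 6)},
    {"id": "ADV-PLACEHOLDER-B", "package": "example-framework", "fixed_in": "2.3.5", "published": date(2010, 8, 15)},
    {"id": "ADV-PLACEHOLDER-C", "package": "example-viewer", "fixed_in": "1.2.0", "published": date(2015, 5, 1)},
    {"id": "ADV-PLACEHOLDER-D", "package": "example-db-driver", "fixed_in": "4.1.1", "published": date(2012, 4, 10)},
]

def parse_version(text):
    """Compare versions numerically: as strings, "2.3.9" would sort after "2.3.32"."""
    return tuple(int(part) for part in text.split("."))

def triage(inventory, advisories, today, unused_after_days=180):
    """Return (patch_queue, removal_candidates) for the given inventory."""
    patch_queue, removal_candidates = [], []
    for asset in inventory:
        installed = parse_version(asset["version"])
        unpatched = [a for a in advisories
                     if a["package"] == asset["package"]
                     and installed < parse_version(a["fixed_in"])]
        idle_days = (today - asset["last_used"]).days
        if idle_days > unused_after_days:
            # Software nobody uses is uninstalled rather than patched.
            removal_candidates.append((asset["host"], asset["package"], len(unpatched)))
            continue
        for adv in unpatched:
            patch_queue.append({"host": asset["host"], "package": asset["package"],
                                "advisory": adv["id"], "fix": adv["fixed_in"],
                                "days_exposed": (today - adv["published"]).days})
    # Oldest known-but-unpatched issues first: the longest-standing exposure.
    patch_queue.sort(key=lambda row: row["days_exposed"], reverse=True)
    return patch_queue, removal_candidates

if __name__ == "__main__":
    queue, removals = triage(INVENTORY, ADVISORIES, TODAY)
    for row in queue:
        print(row)
    print("uninstall candidates:", removals)
```

In the sample data, the years-old driver advisory sorts ahead of the March 2017 framework advisory, and the idle viewer is listed for removal instead of patching.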
We Didn’t Start the Fire
No, we didn’t start the fire — but we have to do our best to prevent fires, or at least contain and extinguish them.
Fires garner attention because they are big, bright, destructive and capable of expanding rapidly. The same goes for security threats. But, like fires, many security incidents are preventable. Examine your digital immune system to see if you’re prepared to address critical zero-day fires and the unpatched vulnerabilities that fuel them.