How often have you heard a co-worker say that he or she had to put out a fire? Depending on your job role, you may have anywhere from one to more than a dozen so-called fires weekly.

A zero-day vulnerability is an example of a work-related fire that a security operations analyst might have to extinguish. Enterprises should be prepared to handle zero-day fires and seek to reduce the number of incidents that result from unpatched security vulnerabilities. After all, many of the successful breaches of the past decade caught fire before anyone ever spotted the smoke.

Putting It Into Perspective

One of 2017’s most troublesome zero-day flaws is the Apache Struts 2 vulnerability disclosed in March (CVE-2017-5638, Apache advisory S2-045). Rated critical, it lets a remote, unauthenticated attacker execute arbitrary commands on a vulnerable server: a crafted Content-Type header handed to the Jakarta Multipart parser ends up in an error message that Struts evaluates as an OGNL expression. The black-hat community quickly weaponized the flaw and folded it into distributed attack tooling. At its peak, according to IBM Managed Security Services (MSS) data, attack activity targeting clients monitored by X-Force reached 48 times the average volume of similar attacks for the period assessed.

This vulnerability certainly is worrisome, but it is a small part of the overall picture. If you’re only addressing zero-day fires, you might miss out on all the other vulnerabilities that fuel a much larger percentage of attacks.

Case in point: Did you know that, according to IBM X-Force Exchange, there are 75 Apache Struts vulnerabilities dating back more than a decade? Attackers don’t exploit only the newest flaws; they exploit whatever works, old and new alike. It’s no surprise, then, that analysis of IBM MSS data from January through September 2017 shows that nearly half of all Struts attack activity (46 percent) targeted roughly two dozen other Apache Struts 2 vulnerabilities, some dating back to 2010.

Source: IBM Managed Security Services (MSS) data. (January 2017 – September 2017)

This example is not an anomaly. We see the same pattern across most applications, servers and operating systems. For any given zero-day flaw, there are dozens, sometimes hundreds, of older vulnerabilities in the same software or hardware with public, working exploits, and each of them can lead to a breach or compromise if the affected system is left unpatched.

The issue is further exacerbated when users keep applications they hardly use on their endpoints or mobile devices and fail to update them, opening themselves up to additional threats.

Extinguishing Zero-Day Fires

The notion that where there’s smoke, there’s fire does not necessarily apply to the exploitation of a zero-day flaw. Zero-day exploits often appear, like spontaneous combustion, with no warning. If you are trawling underground cybercriminal channels, you might hear some rumblings before a flaw hits the mainstream. Still, most enterprises aren’t aware of a zero-day until it is already being exploited.

The zero-day vulnerabilities attackers choose to exploit are typically the ones that give them the most bang for their buck: they affect the largest pool of potential victims and are easy to exploit reliably. To mitigate zero-day threats, organizations should implement the following strategies.

Asset Management

It’s important to note that zero-day flaws are simply vulnerabilities for which no patch yet exists. Not all of them will be critical in your environment; the severity depends on whether, and where, the affected software is actually deployed. That’s why the time to identify which IT assets could be affected is before a zero-day vulnerability is actively exploited, not after.

An IT asset management (ITAM) program manages the life cycle and inventory of IT assets, both software and hardware. Without one, you are basically in the dark about your exposure. It’s not just about knowing what’s installed in your environment; it’s also knowing when software or hardware is no longer needed and uninstalling or decommissioning those assets accordingly, because an application nobody uses still gets exploited.

Network Visibility

An effective threat detection solution that conducts deep analysis in real time can help security teams quickly identify zero-day attacks. Signature-based detection and prevention may be blind to a brand-new exploit, but a security information and event management (SIEM) solution that correlates events can still surface the symptoms of a successful one, such as a web application server spawning a shell, unexpected outbound connections from that server, or a burst of malformed requests against one application, and so enable timely detection and remediation.

Incident Response Plan

If you’re compromised by a zero-day attack, ask yourself what’s worse: a big fire or a small flame? A comprehensive incident response plan (IRP) can help you shift your security stance from reactive to proactive, potentially saving a great deal of time and money.

According to the “2017 Cost of Data Breach Study: Global Analysis,” “an incident response team reduced the cost by as much as $19 per compromised record.” Your IRP should be a dynamic document that is reviewed regularly.

Apply the Workaround

Even for organizations that strive to apply every patch, sometimes there is no fix immediately available. There are, however, typically vendor-published workarounds that compensate for the missing patch in the interim. For CVE-2017-5638, for example, the Apache Struts advisory recommended a servlet filter that rejects requests whose Content-Type header does not look like a plain multipart/form-data header. Workarounds may not always be practical because many IT environments are complex. Conduct a risk assessment of the threat in the context of your organization to decide how to reduce exposure and which controls to apply.
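As an added illustration of both points above (the SIEM-style detection of symptoms and the interim workaround), here is a request-header check in the spirit of the servlet-filter workaround the Apache S2-045 advisory recommended. It is example code written for this page, not code from the original article or from the Struts project; the specific OGNL markers it looks for, the strictness of the multipart grammar and the sample headers are assumptions made for illustration.

```python
"""Content-Type validation in the spirit of the Apache S2-045 workaround.

Added example, not from the original article or the Struts project. The
markers treated as suspicious and the sample headers below are assumptions
made for illustration; the benign and malicious samples are constructed,
not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# OGNL expression syntax has no legitimate place in a Content-Type header:
# "%{" / "${" open an expression, '#' prefixes a variable, '@' references a class.
OGNL_MARKERS = re.compile(r"(%\{|\$\{|#|@)")

# What a well-formed multipart header is allowed to look like: the media type,
# optionally followed by a boundary parameter drawn from a tight character set
# (a deliberately strict subset of RFC 2046; assumption for this example).
MULTIPART_OK = re.compile(
    r"^multipart/form-data(\s*;\s*boundary=[A-Za-z0-9'()+_,\-./:=?]{1,70})?$",
    re.IGNORECASE,
)

MAX_HEADER_LEN = 255  # assumption: no legitimate Content-Type is longer


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_content_type(content_type: Optional[str]) -> Verdict:
    """Decide whether a request carrying this Content-Type may reach the app."""
    if content_type is None:
        return Verdict(True, "no Content-Type header")
    value = content_type.strip()
    if len(value) > MAX_HEADER_LEN:
        return Verdict(False, "Content-Type header too long")
    if OGNL_MARKERS.search(value):
        return Verdict(False, "expression syntax in Content-Type")
    if value.lower().startswith("multipart/"):
        if MULTIPART_OK.match(value):
            return Verdict(True, "well-formed multipart/form-data")
        return Verdict(False, "malformed multipart header")
    # Non-multipart requests never reach the multipart parser; pass them on.
    return Verdict(True, "non-multipart request")


# Constructed sample headers: two benign, one OGNL-shaped, one malformed.
SAMPLE_HEADERS: List[str] = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/json",
    "%{(#_='multipart/form-data').(#x=1)}",
    "multipart/form-data; boundary=",
]


def blocked_headers(headers: List[str]) -> List[str]:
    """Run the check over a batch of header values; return those to drop and log."""
    return [h for h in headers if not check_content_type(h).allowed]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        v = check_content_type(h)
        print(("ALLOW" if v.allowed else "BLOCK"), v.reason, "<-", h)
```

The same function can run in two places: as the filter in front of the application (the workaround) and as a detection rule over logged request headers (the visibility). Blocking on syntax rather than on a known exploit string is what lets it hold up against variants.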

The Fuel: Unpatched Vulnerabilities

The Apache Software Foundation said it best: “Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”

Indeed, one of this year’s most notorious threats had a patch available well before the outbreak. Microsoft released MS17-010, which fixed the SMBv1 flaw the worm exploits, in March 2017; the WannaCry ransomware began hitting organizations globally in May.

To stay on top of the vulnerabilities most likely to impact their organizations, security professionals should follow the steps and processes outlined below.

Vulnerability Scanning

Many organizations fail to sufficiently monitor published vulnerabilities that may affect the technology protecting their data. As a result, they are unaware of the risk and potential impact of a data breach.

Solutions that scan data infrastructures to detect vulnerabilities and exposures such as missing patches, weak passwords, unauthorized changes and misconfigured privileges can help identify threats and security gaps.

Patch Management

It’s not enough to just scan for vulnerabilities. Timely patch management is vital in organizations of all sizes. Security intelligence and data analytics tools, along with patch management solutions, can help bridge the gap between scanning and remediation activities.

Penetration Testing

Traditional security assessments often miss vulnerabilities that fall outside the norm of what scanners check for. Consider augmenting the large volume of vulnerability reports you already receive, whether produced in-house or by a third party, with penetration testing that tries to chain and exploit those findings the way an attacker would.

It’s important to set up a thorough security testing program to evaluate all your potential threat targets, including your network and embedded devices, hardware, applications and humans. If your organization wishes to focus its testing plan, it can tailor the project to include only the systems most exposed to the threats documented in your recent assessments. Moreover, the organization can mandate a white-box test to further save on time and costs. While the scope of this testing depends on the organization’s risk appetite, it should be a part of any security program that aims to minimize business risk.

We Didn’t Start the Fire

No, we didn’t start the fire — but we have to do our best to prevent fires, or at least contain and extinguish them.

Fires garner attention because they are big, bright, destructive and capable of expanding rapidly. The same goes for security threats. But, like fires, many security incidents are preventable. Examine your digital immune system to see if you’re prepared to address critical zero-day fires and the unpatched vulnerabilities that fuel them.
