Software vulnerabilities are a fact of life with more identified every day. In 2021, 28,695 new vulnerabilities were discovered in production software. These vulnerabilities can potentially create a backdoor to companies, letting attackers come in and out as they please.
However, some vulnerabilities are significantly more dangerous than others with widespread impact. Many of these high-impact vulnerabilities — such as Log4j and Follina — are zero-days, where vulnerabilities are exploited by cyber threat actors in the wild before they become publicly disclosed. We’re going to show you what zero-day exploits are and how organizations can best combat them.
What are zero-day exploits?
Ideally, software vulnerabilities are discovered by the software manufacturer or a security researcher that ethically reports them to the software manufacturer. If this is the case, public disclosure of the vulnerability occurs when a patch is released, giving organizations a chance to fix the problem before it is exploited by an attacker.
This creates a race between attackers (malicious actors) and defenders (organizations) where defenders are at an advantage, needing to just deploy an available patch. Attackers, on the other hand, still need to develop an exploit before they can use it. Once a patch is applied via the software updates, any exploits will simply just fail.
- A zero-day refers to a circumstance where this scenario doesn’t happen and vulnerabilities are discovered by a cybercriminal before the manufacturer or security researcher. Here’s some terminology to be aware of.
- A zero-day vulnerability refers to a vulnerability that’s only discovered when it’s known that attackers are exploiting it. No patch exists because the software manufacturer is unaware of the vulnerability and has not developed a fix.
- A zero-day exploit refers to the means an attacker uses that targets a zero-day vulnerability. For example, many cybercriminals built malware incorporating zero-day exploits that targeted the Log4j and Follina vulnerabilities.
- A zero-day attack campaign refers to an active exploitation of zero-day vulnerabilities. In many cases, zero-day vulnerabilities are found in widely adopted software, putting thousands if not tens of thousands of organizations at risk, and giving attackers ample targets.
In this race, the attacker has a significant advantage. Zero-day exploits are identified “in the wild” where security researchers or defenders discover active attack campaigns that use them against vulnerable systems. Once the exploit is discovered, security researchers then need to reverse-engineer the exploit to understand the vulnerability that it is targeting. When the vulnerability is identified, defenders can take steps to mitigate the risk. However, defense can be limited as there’s no available patch. Only with the vulnerability details, the software manufacturer can then begin developing a patch that closes the security hole.
Zero-day exploits often have a significant impact, and many of the biggest cyberattack campaigns of recent years took advantage of zero days. Some famous zero-day vulnerabilities include Stuxnet, Log4j, and Follina. However, these are only the tip of the iceberg with 58 zero-day vulnerabilities identified in 2021, compared to 25 the previous year.
How zero-day exploits can impact organizations
Zero-day exploits differ from the exploitation of other vulnerabilities because cybercriminals have the opportunity to attack vulnerable systems before the vulnerability is public knowledge or a patch is available. Until a patch is available, organizations can only take steps to block identified attacks or mitigate their effects, rather than rendering them impossible by closing the security gap.
As a result, zero-day vulnerabilities increase the probability that a cybercriminal will succeed in their attack campaign. Zero-day vulnerabilities may be exploited to perform data breaches, plant ransomware or other malware, or take other actions to harm an organization or disrupt its operations. For example, the Log4j vulnerability allows remote code execution, enabling attackers to take over affected systems by exploiting the vulnerability.
How organizations can defend against zero-day exploits
Zero-day vulnerabilities provide cybercriminals with an additional advantage when attacking an organization. Their head start in identifying the vulnerability and developing an exploit provides a window where organizations can’t immediately fix the problem. However, this doesn’t mean that organizations are helpless against zero-day exploits. Companies can use a variety of detective, preventative, and proactive security tools to help protect against zero-day vulnerabilities and vulnerabilities in general.
Mitigating business impacts
With zero-day exploits, there will be a period during which no patch is available. During this window, organizations need to take action to minimize the effect that the zero-day exploit has on the business.
Round-the-clock threat detection and response are critical to managing the threat of zero-day vulnerabilities. Core threat detection capabilities include:
- Endpoint Detection and Response (EDR): Cyber threat actors often look to access data or install malware on an organization’s endpoints. EDR solutions support rapid detection and response to attempted intrusions on a company’s systems.
- User Behavior Analysis (UEBA): After compromising the initial system, attackers go after credentials and privileges to access more systems and data. Understanding user behavior can help identify attacker activity from a normal user.
- Privileged Access Abuse: Understanding when an attacker is trying to increase their privileges to access deeper into the environment can prevent further attacks. This should include hardening of identity systems as well as detection of privileged account and escalation abuse.
In general, cybercriminals start scanning for vulnerable systems within fifteen minutes of a vulnerability being publicly disclosed. With a zero-day vulnerability, some of these threat actors are ready to launch an exploit as soon as they find a vulnerable system. Ideally access to those systems should be restricted especially from public access and should be taken offline if further protection mechanisms can’t be put in place.
In the event that an attack slips through, security teams can also take action to mitigate its effects. Once an intruder is detected, rapid response can contain the intrusion and remove the attacker’s access to the organization’s systems. Quick action may prevent the attacker from successfully accessing sensitive data or taking systems and/or data offline.
After a zero-day vulnerability is discovered, the manufacturer will work quickly to develop and distribute an update that fixes the issue. Once this patch becomes available, the focus transitions to closing the security gap and making further exploitation impossible.
Often, patch management is the point where organizations fall short and zero-day vulnerabilities become a major issue. On average, it takes an organization 60 days to patch critical vulnerabilities, compared to 12 days for an attacker to develop an exploit after a vulnerability is made public. This gap means that cybercriminals have a significant window in which to exploit vulnerabilities even after they stop being zero-day vulnerabilities. Patches should be applied as soon as they are available and have been properly tested. It’s recommended to apply critical patches within 24 hours where possible.
Once the patch has been applied, the organization is theoretically secure against exploitation of the vulnerability. However, ongoing monitoring and testing are always a good idea. If a patch doesn’t properly close the vulnerability or is not properly applied to all vulnerable systems, then attackers may continue to use the zero-day vulnerability to gain access to the organization’s systems.
How an MSSP can help
Managing a zero-day attack can be complex. An organization needs to identify and protect vulnerable systems until a patch is available and then rapidly roll out the update before attackers can exploit the vulnerability.
A modern managed security service provider (MSSP) provides the knowledge, expertise, and support necessary to effectively manage a zero-day vulnerability. MSSPs may have early visibility into newly-discovered zero-day exploits and can provide advice on the tools and techniques that companies should use to minimize the impacts on the business until a patch is available and deployed.
SolCyber provides round-the-clock threat detection and response, providing companies with the tools that they need to manage zero-days and other vulnerabilities. To learn more about how we can help, reach out today.