Zero-day vulnerabilities are among the most worrisome cyber security risks for organizations, because they deal with the unknown and there is little time to mitigate the risks. These are software vulnerabilities that providers of software products are not initially aware of; or if they are aware of them, they have not had time to create a fix.
The problem of zero-day vulnerabilities can be compounded by threat actors accessing government-grade exploitation capabilities, as was experienced with the EternalBlue leak that enabled the notorious WannaCry ransomware attack in 2017.
Until these vulnerabilities are patched, cyber criminals can exploit them to launch zero-day attacks or in some other way impact the systems and data of companies. Once a fix has been developed and applied to the affected software, the chance of an exploit being successful decreases.
Log4j – A stark reminder
Zero-day events are intimidating because they seemingly come out of nowhere. The more recently a software vendor has become aware of a vulnerability, the more likely it is that no mitigation has yet been developed.
One of the most recent and prominent examples of a zero-day vulnerability is the one involving Log4j, a Java-based logging framework—part of the Apache Logging Services—that is widely used in commercial and open-source software products. In December 2021, researchers discovered the vulnerability, which involves arbitrary code execution in Log4j.
Cyber security experts called the software flaw one of the biggest and most critical vulnerabilities discovered in recent years, and it was assigned the highest possible risk score by the Common Vulnerability Scoring System (CVSS), a free and open industry standard for assessing the severity of computer system security vulnerabilities.
The vulnerability was given a CVSS 10 score due to its ability to remotely execute code on targeted hosts. It is likely to linger in IT infrastructures for an extensive period because of the widespread use of the Log4j2 logging framework. Also, it’s easy to exploit and applications using affected Log4j2 versions are subject to an extensive attack surface.
The discovery of the Log4j zero-day vulnerability serves as a stark reminder that new software vulnerabilities are constantly being discovered, in many cases without any prior knowledge or warning from the organization that developed the software.
CISOs and security teams at SMBs as well as enterprises need to be on constant guard for these types of risks.
“The challenge for any organization is whether they even know if they have been compromised,” said Danny O’Neill, director of global MDR security operations at Bitdefender. “Depending on which report is referenced, it is feasible that an attacker could have circumnavigated traditional perimeter defenses and remain undetected for several months, during which it can pivot and move laterally through the environment to get to the objective.”
Increasingly more sophisticated threat actors are continuously developing their tactics, techniques and procedures, O’Neill said. They are also making use of innovative tools to bypass defensive controls and technologies. “Reliance on traditional signature-based alerts and controls is not a good approach to a modern cyber security operation,” he says.
Cyber-threat defense strategy
When dealing with zero-day threats, a good defense strategy comes down to having the right people, processes and technology, O’Neill said. “Too many organizations rely on technology alone,” he says. “Their security teams end up managing technology, not actually conducting security operations to protect the organization and minimize business impact.”
A CISO should rationalize technology to meet the organization’s security requirements. Too many security teams have too many tools that add complexity to the operation. And they don’t need them all. “Build a security team with the skills to proactively monitor for anomalies in behavior and identify suspicious or unusual activity,” O’Neill said. “Don’t rely on the technology to tell us what we know; have expertise that can complement that approach.”
It’s vital for the CISOs team to be proactive and monitor for behavioral anomalies, to catch a zero-day quickly even if it does go beyond the prevention technologies, O’Neill said. “Just because a cybercriminal successfully exploits a vulnerability doesn’t mean the damage is done,” he said. “Time is an attacker’s greatest commodity; be in a position to detect rapidly, respond immediately and contain and remediate quickly in order to minimize business impact.”
With that in mind, cyber security leaders and teams need to accept that exploitation can and will happen. “That is not accepting defeat, just acknowledging reality,” O’Neill said. “That will help the CISO prepare for the threat from advanced actors and zero-day threats.”
Other good practices for security leaders at SMBs:
- Conduct cyber threat hunting. This is looking for signs of activity in the environment that tools may have missed.
- Carry out tabletop exercises to test the security team’s ability to detect, respond to, contain and remediate zero-day attacks.
- Test the communications plan and embed it at the C-Level. If the first time the CISO is talking to the CEO is to prepare for a broadcast to the media following a breach, that’s too late.
- Use a managed services provider. For smaller businesses with limited security funding and expertise, this can be a great way to acquire the necessary resources to defend against attacks.
MDR – managed detection and response
One service to consider is managed detection and response (MDR).
These services provide companies with the functionality of a managed security operations center (MSOC), delivered remotely.
Research firm Gartner has said these functions enable organizations to quickly detect, analyze, investigate and respond through threat mitigation and containment. MDR service providers “offer a turnkey experience, using a predefined technology stack—covering areas such as endpoint, network and cloud services—to collect relevant logs, data and contextual information,” the firm says.
Zero-day vulnerabilities and attacks can be devastating for any organization, including SMBs. But by taking the necessary precautions, companies can be ready for these sudden attacks and take action to defend against them.
Learn more about how Bitdefender can help protect your SMB.