Surprise! It's Another Zero-Day Vulnerability
Security experts are debating the cause of a growing number of zero-day software flaws, but there is consensus about one thing: how to prepare for the next attack.
When the Log4j security flaw reared its ugly head — allowing cybercriminals to penetrate vulnerable computer networks with a single line of code — it seemed to be a once-in-a-blue-moon cybersecurity threat, a nuclear zero-day vulnerability that needed to be patched immediately.
But then, before you could say déjà vu, the Spring4Shell zero-day came along, capturing more headlines, panicking senior executives, and sending security teams into 24/7 overdrive.
Times have certainly changed. It used to be that criminal hackers would reliably exploit such zero-days (code flaws that a software creator or vendor does not know exist until they are found or exploited) every few years or so.
Now, as companies and governments increasingly rely on third-party software to run networks and organizational apps, these zero-days are becoming more frequent and severe.
Stay in the hunt!
But IT security professionals—and the executive leaders and boards they answer to—are asking: Are zero-days really increasing and getting worse? Or are security researchers and the bug bounty hunters who ferret out these flaws just getting better at their job?
Every zero-day is not a critical all-hands scenario.
Melissa Bischoping, a director of endpoint security research at Tanium, believes it’s the latter. “More zero-days are showing up, in part because so many people are looking for them now,” says Bischoping, who also runs threat-hunting workshops. “Every zero-day is not a critical all-hands scenario. The looming threat of the ‘big ones’ keeps you up at night, but those are only a fraction of the zero-days we see. I advise people to evaluate and react accordingly based on severity, not solely on the fact that it’s a zero-day.”
That said, she warns that it’s crucial for security professionals to stay in the hunt. Given the way criminal hackers can weaponize a single vulnerability to create widespread havoc (see the SolarWinds hack and its impact on companies and governments), staying on top of zero-days is key to network security.
Zero-day exploits are becoming more severe
Steve Wilson, chief product officer at Contrast Security, which provides a unified platform to help developers code more securely, sees an increase in the number and severity of zero-day exploits on the application layer, where Contrast focuses its work. A key reason, he says, is that much of the software code that enterprises use today was actually written many years or even decades ago. Apache Log4j, a Java library, has a 20-year-old history and is largely maintained by volunteers, Wilson notes.
“Many of the fundamental assumptions in these libraries were made in a time when developers knew less about how to build secure code,” says Wilson. “Hackers are now clearly looking at these older, highly deployed ecosystems, where chinks in the armor can have massive repercussions.”
A growing attack surface
Tony Lauro, director of security technology and strategy at Akamai Technologies, agrees zero-day threats will persist for the foreseeable future, in large part because so many companies are digitizing, moving to the cloud, and letting employees work remotely from a variety of endpoint devices.
“Unfortunately, we’re going to see this problem get worse before it gets better because there will be more available attack surfaces for attackers to target,” says Lauro. “And certainly, with all the new generations that are coming online, there’s bound to be more pools of victims as well.”
[Read also: What you don’t know about the remote-work revolution may hurt you]
What’s more, zero-day exploits could increase because they are becoming moneymakers for the cyber underworld. NSA Director of Cybersecurity Rob Joyce told one panel at this year’s RSA Conference that ransomware gangs are using their profits to buy zero-day exploits, and that his agency is concerned with how quickly criminals can take advantage of newly disclosed software vulnerabilities.
The sky is not falling — until it is
Though some zero-day exploits may seem more menacing than they really are, IT security departments must take them all seriously and do their utmost to defend against them.
They’re getting 150,000 different warnings about various vulnerabilities, and that can be almost numbing.
Some security teams will balk at this approach. They’ve spent years hearing vendors, researchers, and software developers flagging new zero-days that end up as big nothing burgers. Besides, most security teams are overworked, understaffed, and underfunded. As such, they tend to ignore non-urgent alarms.
“It’s ‘alert fatigue,’” says Frank Dickson, group vice president at IDC. “They’re getting 150,000 different warnings about various vulnerabilities, and that can be almost numbing.”
Dickson says companies must first address such frustrations. They must also address the threat zero-days pose by making a few obvious and less obvious changes in their cyber hygiene, such as:
- Delivering effective patches—the first time. This one is on the software vendors. In fact, many zero-days Google are often previously patched vulnerabilities, wrote Maddie Stone, a Project Zero security researcher. As for prevention? Stone observed that at least half of the zero-days she studied “could have been prevented with more comprehensive patching and regression tests.” It’s a little like a fire crew extinguishing a blaze but missing embers that could eventually catch wind and turn into a whole new firestorm. “Being able to correctly and comprehensively patch isn’t just flicking a switch: It requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive.”
- Know what you have. You can’t safeguard or patch what you can’t see, and surveys have shown that many CIOs lack visibility into all their on-premises and cloud-based assets. The first thing a ruffled C-suite executive will ask a CISO or CIO when a zero-day erupts is, “How much do I need to care about this one?” and “Is this the end of the world for us or not?” says Tanium’s Bischoping. This is where strong data observability and endpoint management platforms can be crucial. They can help CIOs and their teams bridge gaps across data silos, see what’s going on with endpoints, and more quickly determine levels of zero-day exposure.
[Read also: Why visibility and breaking down silos are key to any cybersecurity action plan]
Incidentally, there are many worthy enterprise-class asset management tools that can help with this, but equally as important is to address the culture around deprioritizing cybersecurity and hygiene for the sake of speed.
- Stop the coding blame game. Vulnerabilities happen. They always will. But they happen more often when product managers or marketers push developers to write code so fast there isn’t time for security review or remediation. Product timelines are built around delivering a product to market. Cybersecurity is often a checkbox toward the end of that process.
We’re all going to have to continue fighting zero-days. The only easy day was yesterday.
Dickson says that has to change. Organizations must incentivize software developers to meet hard security goals. “Developers today are compensated for their ability to deliver products by a deadline and drive revenue, but we don’t necessarily compensate them for secure coding,” he says. “We should. Driving a security paradigm from the top down in organizations is extremely important.”
Bischoping adds that it’s also crucial to avoid hitting developers with a stick when occasional vulnerabilities appear and become zero-days. “We need to stop this culture of assigning blame when there is a breach,” she says. “Yes, you want to be able to go back and determine if the code was written poorly and look to see if processes were followed. But taking a punitive approach is counterproductive and doesn’t really solve anything. You need to focus instead on understanding the gaps that introduced the vulnerability and how to continually improve with each root cause analysis.”
- Consider attack surface management. CIOs grow the attack surface every time they adopt a new cloud service or provision more endpoints to support business growth and digital transformation. IDC’s Dickson says one of the newer approaches to consider for addressing zero-days is attack surface management (ASM). This is defined as the continuous discovery, inventory, classification, and monitoring of an organization’s IT infrastructure. It seeks to envision these security tasks from an attacker’s perspective. These tools constantly and automatically ping networks, much as a hacker might, looking for potential attack vectors.
- Create a living zero-day playbook. Many organizations today have playbooks for what they’ll do if hit by a ransomware attack. They’re often a collaborative effort by business, finance, legal, human resources, and technical staff. They need a specific incident response plan for zero-days as well.
[Read also: Not sure what your incident response playbooks should look like? Copy CISA’s]
This is primarily because of the unforeseen nature of zero-days, which can often graduate from vulnerabilities into exploits and attacks in a matter of days. In addition, because vendors are typically learning about vulnerabilities long after their creation, they don’t always have an effective patch ready. Many times, the best they can do is offer temporary configuration-tweak suggestions, pending
an update.
Bischoping recommends creating and constantly updating a playbook to cover such matters as:
- How various zero-day alerts will be prioritized for action
- Who will be alerted and when—both within and outside the organization
- What technical steps will be taken to learn more and resolve each level of threat
- Which IT systems will be addressed first based on their criticality to the business
- What auditing measures will be taken to show company executives, investors, and regulators that proper steps were taken to handle the problem
“If you put in all the work now, when the five-alarm fire bells go off, you’ll have the confidence to know that most of what you’ll need to do is right there in your playbook,” says Bischoping.
Zero-day attacks are not a foregone conclusion. They might not affect most organizations, but they’re not going away.
“The battle is not done. We’re all going to have to continue fighting zero-days,” says Akamai’s Lauro. “The only easy day was yesterday, essentially.”