Mitiga Announces $30M Series B Led by SYN Ventures READ THE NEWS

Customers
Why Mitiga
Request a DemoEmergency Assistance
Home
»
Blog Main

A zero-day vulnerability is often considered a vulnerability in software or a service that may have been disclosed but has not been patched yet, while an exploit that attacks a zero-day vulnerability is called a zero-day exploit. Because they were announced before security researchers and software developers have a patch available, zero-day vulnerabilities pose a critical risk for the following reasons:

  • Cybercriminals race to exploit these vulnerabilities to cash in on their schemes
  • Vulnerable systems are exposed until a patch is issued by the vendor and the patch is applied

The recent rush to patch vulnerabilities in Log4j is an excellent illustration of how most organizations think about and address critical vulnerabilities — but patching alone is neither a guarantee nor an indicator that your environment has not been impacted by Log4Shell or another critical vulnerability.

The lifecycle of a vulnerability

Just as software development has a lifecycle, so do vulnerabilities. While the goal is to build and release high quality software that offers robust functionality, performs well, is secure, and delivers a good user experience, inevitably vulnerabilities are introduced into a codebase. It’s not intentional; it occurs when a change in code or a new product release results in a vulnerability. In the timeline below, that’s V(c) – the day the vulnerability is “created.” From this time on, the vulnerability exists. At some point, attackers find the vulnerability and begin to exploit it. That may be before or after it is found by the defenders, security researchers, and ethical hackers. Discovery may occur due to a security review, research, or through investigation of an attack that has already happened or is in progress.

Defenders typically follow vulnerability disclosure guidelines when they find a vulnerability. Vulnerability disclosure is the practice of reporting security flaws in software or hardware, disclosing them directly to the group or organization responsible for the vulnerable software or service. These stakeholders may prefer that the vulnerability is only disclosed publicly V(d) after patches are available.

The vulnerability timeline

Usually, vulnerabilities are called zero-day vulnerabilities during T1, the time between disclosure and when it is patched, V(p). Once that T1 period is over and we move into T4, a vulnerability is called a 1-day or n-days vulnerability.

The highest risk may be before disclosure

Thinking about the risk introduced by the vulnerability starting from the date of disclosure is the wrong approach, however. We need to think of zero-day for vulnerabilities during T3! T3 is a high-risk period, because there is an existing vulnerability in the system, and until it is found, disclosed, and patched, malicious actors can find it and use it for their own purposes.

During this period, it is exceedingly difficult to prevent and detect an intrusion due to the vulnerability in the codebase because no one knows what they should be looking for (or even that they should be looking). It’s important to be aware that attackers don’t wait for a vulnerability notification to try to get into your system. The vulnerability in the code existed long before the patch, so you may have had that door open for a year or more. Attackers may have already compromised your environment — you just don’t know about it yet.

There are many ways malicious actors may exploit a zero-day vulnerability: by creating backdoors that will allow them to exfiltrate data, execute a ransomware attack, or otherwise compromise your systems. In this scenario, attackers have the advantage of awareness of undisclosed vulnerabilities and the time to exploit them when they are unlikely to be detected.

A proactive approach to zero-day vulnerabilities

The challenge, therefore, is for organizations to find attackers dwelling in their environments. The best way to do that is through hunts – a proactive approach that assumes your organization is already breached by one or more zero-day vulnerabilities and search for indicators of compromise (IOCs). IOCs are pieces of forensic data that identify potentially malicious activity on a system or network.

Proactive threat hunting is driven by a hypothetical analysis of the tactics, techniques, and procedures (TTPs) of known adversaries and focused on an area likely to be compromised. Proactive hunts can also correlate the hypothesis with the attackers’ point of view.

Incident response teams do research and build up background knowledge based on their experience and use that to build patterns of attack and then hunt based on those patterns.

Technology and automation can help with this, by automatically searching for threats that are:

  1. Based on known vulnerabilities
  1. Based on the forensic footprints of one or more specific vulnerabilities
  1. Correlated with threat intelligence

The human factor is an essential element of proactive threat hunting because it relies on the hunters to define which scenarios and hypotheses to hunt for. Tackling these different scenarios by creating detailed playbooks helps you to run, re-run, and refine your hunts to maximize your effectiveness in finding unknown compromises.

For this process to be optimal, hunts should be run periodically and examine different hypotheses. It is also important to run the same hunts repeatedly to validate the results over time, because both the threat landscape and the organization’s environment are dynamic and change over time.

Patching is still important

While proactive threat hunting is important, it does not take the place of patching known vulnerabilities, just as patching doesn’t take the place of proactive hunts. For example, when the Apache Software Foundation released Log4j 2.15.0 for Java 8 users to address the remote code execution (RCE) vulnerability CVE-2021-44228, cybercriminals rushed to exploit the vulnerability Log4Shell. While the patching process is complex for Log4Shell for a variety of reasons, remember that attackers will continue to exploit the vulnerability until it’s no longer an option.

Zero-day vulnerabilities are typically involved in targeted attacks; however, many campaigns still use old vulnerabilities — because it works. Many attackers simply scan for known vulnerabilities and exploit them. Attackers need just one way in, so blocking any loopholes that you are aware of is essential to helping keep your organization secure. It’s also important to remember that patching does not evict existing attackers from your environment. You can only do so much to prevent an attack or close security holes, so you need to focus on detection and response to discover backdoors and indicators of compromise. Adopting a readiness mindset — not only when there’s a critical zero-day vulnerability disclosed, but on an ongoing basis — will help you increase your resilience before an incident and reduce the severity of impact if a cybercriminal exploits an unknown vulnerability to attack your organization.

9 fundamental ways cloud IR is different from traditional incident response

Read more about this topic in Security Magazine.

LAST UPDATED:

May 4, 2024

Don't miss these stories:

Cyber Trends for 2024: What Security Leaders Should be Executing Next

As we hurtle into this new year, it’s already clear that there is an evolving set of cyber risks that organizations will need to contend with successfully to manage threats and grow their organizational resilience in 2024. Below, I’ll outline three of the biggest ones, sharing recommendations and execution checklists that can help enterprises enhance their threat readiness and elevate security postures as the threat landscape continues to evolve.

How to Protect Your Business From the Most Dangerous Cyberthreats

Ransomware attacks are on the rise, and it now more important then ever to be prepared. Be prepared by having an up-to-date incident response plan. Learn more.

Stop Ransomware Attackers From Getting Paid to Play Double-Extortionware Games

In the past, many companies relied on backups to get back to business quickly if they were attacked. Reliable, secure backups separated from the primary environment made it much more difficult for an attacker to access and encrypt them. That long-standing process no longer deters double-extortionware actors — instead, today’s attackers not only encrypt the data but also exfiltrate it.

SEC Cyber Disclosure Rule FAQ: What Leaders are Asking Us

The U.S. Securities and Exchange Commission (SEC) recently implemented a new rule mandating stringent cybersecurity incident reporting and disclosure requirements for public companies.

Log4Shell - identify vulnerable external-facing workloads in AWS

Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.

For Incident Response, Give Peacetime Value a Chance

As an IR vendor, it is important to keep your customers up to date and prepared between breach attempts. Learn how to increase your peacetime value now.