A CISO's Perspective - Zero-Day

It is challenging to protect organizations against unknown cyber threats such as zero-day vulnerabilities. When such threats are detected, organizations should promptly activate their contingency plans to respond to them effectively.

Cybersecurity is a race between cyber defenders and cyber threat actors. While cyber defenders need to patch and mitigate all vulnerabilities across all devices to protect their organization, just one vulnerability can be enough for cyber threat actors to compromise an entire organization. When it comes to zero-day vulnerabilities, attackers have a significant advantage.

A zero-day is a newly discovered vulnerability in a system that an attacker can use as an attack vector to compromise the targeted organization. Here, the product vendor has just learned of the flaw and has not yet provided a patch to fix it. As a result, the vendor has had “zero days” to mitigate the exposed issue, which may already have been exploited by threat actors. For any security professional, zero-day vulnerabilities are the most challenging to protect against.

Cybercriminals have been using zero-days for malicious purposes such as system penetration, data exfiltration, command and control (C2) communication, denial-of-service attacks, etc., which impacts the confidentiality, integrity, and availability (CIA) of information systems.

They tend to exploit zero-day vulnerabilities in a variety of systems, such as operating systems, Microsoft Office, email servers, web browsers, Internet of Things (IoT) devices, etc., to target individuals, governments, and private organizations for financial gain, political or social causes, sensitive information exfiltration, cyberwarfare, etc.

Some of the most famous zero-day attacks in history are Stuxnet, Operation Aurora, WannaCry ransomware, Hafnium, RSA 2011, the Sony zero-day attack, etc.

Organizations that rely solely on traditional cybersecurity strategies such as patch management, antivirus solutions, signature-based detection, exploit detection, detection based on indicators of compromise (IoC), etc., cannot protect their infrastructure against zero-days. This is because such implementations are not designed to detect, respond to, and defend against unknown cases.

So, CISOs should incorporate the following essentials to tackle zero-day malware.

Continuous monitoring, Threat Hunting and Threat Intelligence

Continuous monitoring, threat hunting, and threat intelligence are proactive approaches to building a cyber-resilient environment. If applied correctly, they help to detect and respond to new and advanced malware in a timely manner.

As vulnerabilities can be introduced at any time, organizations should

● identify critical assets and all paths that lead to those assets,

● utilize threat intelligence to conduct threat hunting and identify threats,

● conduct a vulnerability assessment to identify gaps in all of its security controls, and

● continuously assess all channels to the sensitive data.

Once gaps are identified, they should be addressed effectively and efficiently using a robust data-driven and risk-based approach. It should be noted that zero-day malware attacks can only be countered with highly skilled security professionals.

Utilize advanced and AI-powered tools such as SIEM, SOAR, UEBA, IDS/IPS, Breach and Attack Simulation (BAS), EDR, NDR, XDR, threat intelligence platforms, etc., that make the hunting exercise easier and faster. These tools support analysts and allow them to act on any threats identified during threat hunting.

Also, use various models to study and classify attackers’ techniques and understand their intent. This will help predict suspicious activity resulting from the exploitation of zero-day vulnerabilities. Using the right set of models eases the hunting exercise, and the models can be used to enhance, analyze, and test the process. Some of the models that can be utilized include MITRE ATT&CK, the Cyber Kill Chain, the Diamond Model, etc.

Reduce product clutter and Invest in AI-powered Solutions

Disorganized security solutions and loosely integrated products can pose a serious cybersecurity risk. Also, adding more products to the security stack increases the complexity of the network and expands the attack surface. Hence, organizations should re-evaluate their cybersecurity strategy and reduce product clutter and complexity.

For this, apply defense-in-depth and invest in breakthrough innovations that can make a difference. AI-powered solutions such as AI-driven IAM tools, SIEM with SOAR/XSOAR and UEBA integration, next-generation XDR/DLP/IDS/IPS, etc., can not only reduce product clutter, but their machine learning models can also reliably detect anomalous behavior by comparing current behavior with an established baseline. Over time, such machine learning solutions adapt to the early detection of suspicious cases.
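As an added example (not code from this article, nor from any vendor product it names), the following Python sketch shows the baseline comparison described above in its simplest statistical form: a per-user baseline of daily outbound data volume is built from a short history, and today's value is flagged when it lies more than a chosen number of standard deviations above that baseline. The user names, volumes, history window and the z-score threshold are all constructed assumptions; a real UEBA or SIEM deployment would derive the history from its own logs and track many more dimensions than one.

```python
from statistics import mean, pstdev

# Constructed seven-day history of daily outbound bytes per user (sample data,
# not real telemetry).
HISTORY = {
    "alice": [1_200_000, 1_350_000, 980_000, 1_100_000, 1_250_000, 1_050_000, 1_300_000],
    "bob":   [300_000, 280_000, 320_000, 310_000, 290_000, 305_000, 295_000],
}

# Constructed observations for the current day. "carol" has no history at all.
TODAY = {"alice": 1_280_000, "bob": 9_500_000, "carol": 50_000}


def build_baseline(history):
    """Per-user (mean, population standard deviation) of daily outbound volume."""
    return {user: (mean(values), pstdev(values)) for user, values in history.items()}


def z_score(value, baseline):
    """How many standard deviations 'value' lies above the baseline mean.

    A zero standard deviation means every historical day was identical; any
    different value is then treated as infinitely anomalous instead of raising
    a division-by-zero error.
    """
    avg, sd = baseline
    if sd == 0:
        return 0.0 if value == avg else float("inf")
    return (value - avg) / sd


def detect_anomalies(history, today, threshold=3.0):
    """Return (user, reason, z) for each user whose behaviour deviates from baseline.

    Users with no baseline are reported too: an identity that generates traffic
    but has no history is itself worth an analyst's attention.
    """
    baselines = build_baseline(history)
    findings = []
    for user, value in today.items():
        if user not in baselines:
            findings.append((user, "no baseline for this user", None))
            continue
        z = z_score(value, baselines[user])
        if z > threshold:
            findings.append((user, "outbound volume above baseline", round(z, 1)))
    return findings


if __name__ == "__main__":
    for user, reason, z in detect_anomalies(HISTORY, TODAY):
        print(f"{user}: {reason}" + (f" (z={z})" if z is not None else ""))
```

The threshold is the tuning knob: a lower value catches subtler deviations at the cost of more false positives, and a baseline window this short is only for illustration; in practice the window must be long enough to cover normal weekly or monthly cycles, or those cycles will themselves be flagged.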

Zero Trust Model

As attacks can come from both inside and outside the organization, we cannot trust any entity by default. Where zero-days are concerned, trust is a major issue. So, the zero-trust model is an ideal concept to greatly reduce the attack surface and tackle zero-day malware.

Zero trust adopts the principle of least privilege, network segmentation, and strict enforcement of access control. Consequently, malicious actors cannot easily move laterally inside the network and exfiltrate data.

Data and network segmentation

Creating one big data pool for all users to access is not ideal, and access policies for data and resources without correct data segmentation give malicious actors more room to operate.

So, data and network segmentation according to type, sensitivity, and use is ideal for protecting critical data. This approach reduces the attack surface, stops threat actors from misusing data, and prevents lateral movement through the network.
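To make the zero-trust and segmentation points above concrete, here is an added Python example (not code from the article or from any product) that contrasts a flat "everything internal is trusted" model with a default-deny policy in which a flow is permitted only when an explicit rule matches the source zone, destination zone, port and the caller's identity group. The zones, address ranges, rules, identity groups and sample flows are all constructed assumptions; the point is that the same workstation-to-database connection which a flat network waves through is denied under least privilege unless the caller holds the DBA role.

```python
from ipaddress import ip_address, ip_network

# Constructed zones and address ranges (sample values, not a real environment).
ZONES = {
    "user_lan": ip_network("10.10.0.0/16"),
    "app_tier": ip_network("10.20.0.0/24"),
    "db_tier":  ip_network("10.30.0.0/24"),
}

# Explicit allow rules: (source zone, destination zone, destination port,
# identity group the caller must hold). Anything not listed is denied.
ALLOW_RULES = [
    ("user_lan", "app_tier", 443,  "employees"),
    ("app_tier", "db_tier",  5432, "app-service"),
    ("user_lan", "db_tier",  5432, "dba"),
]


def zone_of(ip):
    """Map an address to its zone name, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def flat_network_allows(src_ip, dst_ip, dst_port, identity_groups):
    """The weak model: anything inside 10.0.0.0/8 may reach anything else inside it."""
    internal = ip_network("10.0.0.0/8")
    return ip_address(src_ip) in internal and ip_address(dst_ip) in internal


def zero_trust_allows(src_ip, dst_ip, dst_port, identity_groups):
    """Default deny: allow only when an explicit rule matches zone pair, port and identity."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False
    return any(
        (s, d, port) == (src_zone, dst_zone, dst_port) and group in identity_groups
        for s, d, port, group in ALLOW_RULES
    )


# Constructed flows: (description, src, dst, port, identity groups of the caller).
SAMPLE_FLOWS = [
    ("employee browser to app",       "10.10.4.7",  "10.20.0.10", 443,  {"employees"}),
    ("app service to database",       "10.20.0.10", "10.30.0.5",  5432, {"app-service"}),
    ("employee straight to database", "10.10.4.7",  "10.30.0.5",  5432, {"employees"}),
    ("DBA to database",               "10.10.9.2",  "10.30.0.5",  5432, {"employees", "dba"}),
    ("workstation to workstation",    "10.10.4.7",  "10.10.4.8",  445,  {"employees"}),
]


def compare_models(flows=SAMPLE_FLOWS):
    """Return {description: (flat_decision, zero_trust_decision)} for each flow."""
    return {
        desc: (flat_network_allows(s, d, p, g), zero_trust_allows(s, d, p, g))
        for desc, s, d, p, g in flows
    }


if __name__ == "__main__":
    for desc, (flat, zt) in compare_models().items():
        print(f"{desc:32} flat={'allow' if flat else 'deny':5} zero-trust={'allow' if zt else 'deny'}")
```

Note that the policy has no intra-zone rule at all, so workstation-to-workstation traffic on port 445 is denied by default; that is the property that makes lateral movement expensive rather than free.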

Security Awareness Program

In most zero-day attack cases, cybercriminals use phishing emails with malicious attachments as the initial access vector.

So, provide social engineering and phishing training to employees. Promote safe browsing habits and educate employees to recognize potential threats: not to open suspicious emails, not to click links in such emails or post sensitive information online, and never to provide usernames, passwords, or personal information in answer to any unsolicited request. Educate users to hover over a link to verify its destination before clicking it.

Follow best security practices

The organization needs to ensure that the necessary security practices and policies are in place and are continuously assessed to evaluate the security posture.

Some security policies to implement are a password and access control policy, remote access policy, firewall and IDS/IPS management policy, email security policy, patch management policy, acceptable use policy, etc.

Conduct red team testing, attack simulations, penetration testing, vulnerability assessments, threat intelligence and threat hunting, security audits, etc., to assess the overall cyber risk profile and identify the damage a cyberattack could cause.

Other general considerations

● Stay informed about the latest vulnerabilities and attack trends.

● Keep your software and operating systems up to date with the latest patches.

● Have a tested BCP and DRP strategy for critical systems.

● Have an incident response plan tested and ready.

Eli Migdal

Making Cyber Clear to the C-suite || zero bullsh*t approach || Self-Proclaimed Cyber Security Guru || vCISO || Investor (in real people without the VC crap)

3 years

It's not a probability game (it's always high) but a mitigation game.

Stacy Gill

Innovation Solutions Expert

3 years

Well thought out and expressed in a manner that non-IT leadership can understand and support. Great work, Andy.
