Seven Ways to Reduce the Impact of Zero-Day Exploits


At the end of 2021, the Log4Shell remote code execution (RCE) vulnerability (CVE-2021-44228) was disclosed in Log4j, a widely used Java logging library. With millions of devices and software packages affected, it was widely regarded as one of the most serious vulnerabilities in years, and exploitation attempts continued well into the early months of 2022.

Log4Shell is an example of a zero-day: a vulnerability that malicious cyber actors are exploiting before the vendor has published a fix, so that defenders learn of it only when attacks are already under way. The term “zero-day” refers to the number of days the vendor and cyber defenders have had to prepare a patch – zero.

As cyber actors grow more sophisticated and better resourced, the number of zero-days exploited in the wild has been rising. In 2021, Mandiant counted more than double the number of exploited zero-days it had recorded in 2019. In this article, we’ll explain where zero-days are most likely to originate, and how businesses can limit the harm they cause.

Common Types of Zero-Days

Since zero-days are software flaws that let remote actors take control of devices and applications, any Internet-connected, programmable surface is a potential target. Today, common targets include:

  • Third-Party Software – third-party applications are frequently built on top of dependencies that can suffer from zero-day exploits. Log4Shell affected a single library, Log4j, yet millions of applications that bundled it – often as a transitive dependency their developers did not know they had – were exposed.
  • Web Browsers – Internet users spend up to six hours a day online, which makes web browsers like Edge, Chrome and Firefox prime targets for malicious actors seeking zero-day exploits. So far in 2022, Google has patched seven zero-days in the Chrome browser.
  • Mobile Operating Systems – compromised mobile devices are a rich source of sensitive data, which makes them a major target for nation-state actors. Zero-day exploits regularly surface in iOS, Android and other mobile operating systems; worse, they can go undiscovered for years before they are patched.
  • Network Edge Devices – routers, switches, firewalls and VPN appliances regularly fall victim to zero-days that let cyber actors bypass authentication and gain a foothold at the network boundary. In 2018, 83% of home and enterprise routers were found to have publicly known vulnerabilities, and today these devices are a favorite initial-access point for ransomware operators.

As organizations grow more reliant on information technology (IT), their exposure to zero-day exploits will continue to rise – the average business deploys over 100 software-as-a-service (SaaS) apps, and at least as many connected devices. Now more than ever, businesses need to take preventive steps to limit the damage a vulnerability can do.

Reducing the Impact of Zero-Day Exploits

The danger of a zero-day exploit is exacerbated by the fact that, at the moment it is used, there is no Common Vulnerabilities and Exposures (CVE) entry, patch or attack signature for defenders to match against. Fortunately, there are ways to reduce the likelihood that a zero-day exploit succeeds and to limit its impact when one does.

  1. Threat Detection Systems – beyond basic cyber defenses such as firewalls and anti-virus, organizations should adopt real-time protection in the form of inline intrusion-prevention systems (IPS). An IPS that uses anomaly and behavioral detection can flag signs of intrusion – unusual connections, unexpected processes, anomalous traffic volumes – even when it cannot identify the specific exploit, alerting your team that a zero-day may be in use.
  2. Egress Filtering – while filtering inbound traffic is crucial, filtering outbound traffic is equally important. Egress filtering, implemented on a firewall or IPS, lets network admins prevent applications on your network from reaching out to arbitrary destinations or using unsafe protocols. Many exploits, Log4Shell included, depend on the compromised host connecting back to attacker-controlled infrastructure to fetch a payload or exfiltrate data; a default-deny egress policy breaks that step even when the initial exploit succeeds.
  3. Network Visibility – security teams often have limited visibility into the devices and applications operating across their networks. Bringing this fragmented knowledge together is essential for securing your network from exploits: keep an inventory of every device, whether IT, IoT or OT, classify each one, and continually monitor them for configuration changes.
  4. Device Oversight – devices, including routers, switches, laptops and mobile phones, typically receive regular updates that patch zero-days once security researchers or the vendor discover them. Organizations should maintain an up-to-date inventory of all devices connected to their network, set update policies, and replace devices that are no longer supported by the manufacturer.
  5. Third-Party Vendor Management – while no vendor can guarantee that their devices or software products won’t fall prey to a zero-day exploit, some vendors are more security conscious than others. Take inventory of your software supply chain, and research all your technology partners to ensure they are applying adequate security controls and will deliver patches promptly.
  6. Adopt a Zero-Trust Paradigm – when malicious actors compromise your network through a zero-day exploit, they will try to move laterally to other systems. A zero-trust security paradigm can stop them by applying the principle of least privilege and continually verifying a user’s identity and device as they switch between applications and resources, so that a single compromised host does not grant access to everything around it.
  7. Vulnerability Assessments – regular vulnerability assessments and penetration tests help you document your IT infrastructure and remediate the security gaps that amplify the impact of a zero-day exploit.

While there is no way to eliminate the chance of a zero-day exploit altogether, a strong cybersecurity program gives your business the tools it needs to close security gaps, eliminate risky vendors, and respond quickly in a disaster.
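The egress-filtering recommendation above is easiest to see as a policy applied to outbound connection records. The following is an added example written for this article, not code from the original post or from any firewall product: it models a default-deny egress policy in which each source zone may reach only explicitly allowed destination networks and ports, and reports every connection that the policy would block. The zones, networks, ports and the connection log lines are constructed for the example; the external host on LDAP port 1389 illustrates the shape of the outbound callback the Log4Shell exploit relied on.

```python
"""Default-deny egress policy evaluated over constructed connection records.

Added example for the egress-filtering recommendation; not code from the
original article. Zones, networks, ports and log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    zone: str          # source zone the rule applies to
    dst_net: str       # allowed destination network, CIDR notation
    ports: frozenset   # allowed destination ports
    proto: str = "tcp"


# Constructed policy: app servers may only reach internal DNS and an outbound
# HTTPS proxy; workstations may browse HTTPS anywhere and use internal DNS.
POLICY = [
    Rule("app", "10.0.53.0/24", frozenset({53}), "udp"),
    Rule("app", "10.0.10.5/32", frozenset({3128})),      # outbound web proxy
    Rule("workstation", "0.0.0.0/0", frozenset({443})),
    Rule("workstation", "10.0.53.0/24", frozenset({53}), "udp"),
]

# Constructed mapping of source networks to zones.
ZONES = {
    "10.0.20.0/24": "app",
    "10.0.30.0/24": "workstation",
}


def zone_of(src_ip):
    """Return the zone a source address belongs to, or None if unknown."""
    ip = ipaddress.ip_address(src_ip)
    for net, zone in ZONES.items():
        if ip in ipaddress.ip_network(net):
            return zone
    return None


def egress_allowed(src_ip, dst_ip, dst_port, proto="tcp"):
    """True only if an explicit allow rule matches; everything else is denied."""
    zone = zone_of(src_ip)
    if zone is None:
        return False                      # unknown source: deny by default
    dst = ipaddress.ip_address(dst_ip)
    for rule in POLICY:
        if (rule.zone == zone and rule.proto == proto
                and dst_port in rule.ports
                and dst in ipaddress.ip_network(rule.dst_net)):
            return True
    return False                          # no matching allow rule


# Constructed connection log, one record per line: "src dst dst_port proto".
# Line 3 is an app server contacting an external host on an LDAP port, the
# kind of outbound callback the Log4Shell exploit depended on.
SAMPLE_LOG = """\
10.0.20.7 10.0.53.10 53 udp
10.0.20.7 10.0.10.5 3128 tcp
10.0.20.7 203.0.113.44 1389 tcp
10.0.20.7 203.0.113.44 443 tcp
10.0.30.15 198.51.100.9 443 tcp
10.0.30.15 198.51.100.9 22 tcp
192.168.99.1 198.51.100.9 443 tcp
"""


def blocked_connections(log_text):
    """Return the (src, dst, port, proto) tuples the policy would block."""
    blocked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        if not egress_allowed(src, dst, int(port), proto):
            blocked.append((src, dst, int(port), proto))
    return blocked


if __name__ == "__main__":
    for entry in blocked_connections(SAMPLE_LOG):
        print("BLOCK", *entry)
```

The point of the default-deny structure is that the LDAP callback is blocked without anyone having written a rule about LDAP, port 1389 or the attacker's address: the app zone simply has no allow rule for it. The same logic applies to an unknown source address, which is denied outright rather than falling through to a permissive default.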

Partner With Cybersecurity Veterans

In today’s perilous cyber landscape, organizations need expert cybersecurity consultants to help them identify risks to their mission-critical assets. But with a worldwide shortage of cyber talent, finding experts has become increasingly difficult – fortunately, Securicon is here to help.

With a team of veterans from the U.S. security community – including DoD, DHS and U.S. Cyber Command – we are equipped to prepare your organization for the worst, from gap analysis to compliance consulting, assessment support and audit preparation. To learn more, contact us today.

How Zero Trust Push Will Transform the Government


2021 has been an eventful year for cybersecurity, especially in the federal space. Following a series of high-profile cyberattacks targeting government organizations and public infrastructure, the White House took action in May with a sweeping executive order that demands broad reforms to improve America’s cybersecurity posture.

Now, federal agencies like the Office of Management and Budget (OMB) are leading the charge with a new strategy for transformation centered on zero trust security. But zero trust is more than a buzzword, or list of new procedures and rituals: instead, it represents a paradigm shift that will impact federal organizations and contractors at every level.

At the end of Cybersecurity Awareness month, we reflect on these developments in the context of a rapidly changing threat landscape, and explore the role that zero trust security will play in hardening federal infrastructure against advanced cyber actors.

Our Current Cybersecurity Crisis

Last year’s attack on the SolarWinds Orion IT platform brought renewed awareness to the problem of supply chain security: a trojanized update was delivered to as many as 18,000 customers, and nine federal agencies were confirmed compromised along with many private-sector organizations. Only five months later, a ransomware attack on Colonial Pipeline highlighted the precarious vulnerabilities of America’s critical infrastructure.

It would be nice to imagine that either of these events was a fluke, but that is not the case: according to a study of large enterprises, 64% have been impacted by software supply chain attacks within the last 12 months. Meanwhile, the cost of ransomware attacks is expected to reach $20 billion this year – a 57-fold increase from the cost in 2015.

While there are undoubtedly many reasons that account for the explosive rise of cyber incidents, the White House cited “outdated security models” as a factor in May’s ‘Executive Order on Improving the Nation’s Cybersecurity’. In turn, it mandated a number of correctives, including the adoption of ‘Zero Trust Security Architecture’ throughout the federal government.

The Philosophy of Zero Trust

The principles that will guide federal implementation of zero trust security are outlined in a draft strategy released by the OMB on September 7th for public comment. At a high level, zero trust shifts the focus of cybersecurity from the perimeter of an organization to every access request inside it: no user, device or application is trusted because of where it sits on the network, and each request must be verified on its own merits.

Today, it is common for organizations to harden their public-facing networks against attacks from the outside. Cyber actors focus on overcoming these barriers, then move laterally from their point of entry to higher-value targets. While they will meet varying degrees of resistance along the way, they have a good chance of success as long as they can get a foot in the door.

Under a zero trust model, getting past the door won’t be nearly enough: users will be continually verified with multi-factor authentication as they switch between applications and devices, the devices they use will be checked against inventory and posture requirements, and privileges will be granted only as needed for the task at hand. Best of all, the same checks work equally well against threats on the inside.
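The continual verification and least-privilege ideas described here, and in the zero-trust recommendation of the previous article, come down to a per-request policy decision. The following is an added example written for this page, not code from the article, from OMB or from any agency’s implementation: every request is evaluated on identity, device inventory and posture, the strength and freshness of the user’s authentication, and a role table that grants only the actions each role needs, with deny as the default. The users, devices, roles, resources and the fifteen-minute re-authentication window are constructed for the example.

```python
"""Per-request zero-trust policy decision (added example, not from the
article or any agency). Identity, device and role tables are constructed.
"""
from dataclasses import dataclass

# Sensitive resources require a recent MFA step; window is a constructed value.
MFA_MAX_AGE_SECONDS = 15 * 60

# Authentication methods treated as phishing-resistant (PIV cards, FIDO2).
PHISHING_RESISTANT = {"piv", "fido2"}

# Constructed least-privilege table: role -> {resource: allowed actions}.
ROLE_GRANTS = {
    "developer": {"ci": {"read", "write"}, "wiki": {"read", "write"}},
    "finance":   {"payroll": {"read"}, "wiki": {"read"}},
}

# Resources that additionally demand a compliant device and fresh MFA.
SENSITIVE = {"payroll", "ci"}

# Constructed identity and device inventories.
USERS = {"alice": "developer", "bob": "finance"}
DEVICES = {
    "lap-001": {"owner": "alice", "compliant": True},
    "lap-002": {"owner": "bob",   "compliant": False},   # failed posture check
}


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    resource: str
    action: str
    mfa_age: int       # seconds since the user's last successful MFA step
    mfa_method: str    # e.g. "piv", "fido2", "sms", "none"


def decide(req):
    """Evaluate one request; return (allowed, reason). Any failed check denies."""
    role = USERS.get(req.user)
    if role is None:
        return False, "unknown identity"
    dev = DEVICES.get(req.device)
    if dev is None:
        return False, "device not in inventory"
    if dev["owner"] != req.user:
        return False, "device not issued to this user"
    if req.mfa_method not in PHISHING_RESISTANT:
        return False, "authentication not phishing-resistant"
    granted = ROLE_GRANTS.get(role, {}).get(req.resource, set())
    if req.action not in granted:
        return False, f"role {role} not granted {req.action} on {req.resource}"
    if req.resource in SENSITIVE:
        if not dev["compliant"]:
            return False, "device fails posture check"
        if req.mfa_age > MFA_MAX_AGE_SECONDS:
            return False, "re-authentication required"
    return True, "allowed"


def evaluate_all(requests):
    """Decide a batch of requests; returns a list of (request, allowed, reason)."""
    return [(r, *decide(r)) for r in requests]


if __name__ == "__main__":
    # Constructed requests: the same authenticated developer trying to reach
    # her own CI system, then a finance system she has no role for.
    demo = [
        Request("alice", "lap-001", "ci", "write", 60, "piv"),
        Request("alice", "lap-001", "payroll", "read", 60, "piv"),
        Request("alice", "lap-001", "ci", "write", 3600, "piv"),
        Request("bob", "lap-002", "payroll", "read", 60, "piv"),
    ]
    for req, allowed, reason in evaluate_all(demo):
        print("ALLOW" if allowed else "DENY ", req.user, req.resource, reason)
```

Two things in this structure carry the zero-trust point. A valid, phishing-resistant login does not by itself open anything: the same authenticated developer is refused the payroll system because her role never granted it, which is the lateral move the article describes being blocked. And the decision is made on every request, so a session that was fine an hour ago is sent back for re-authentication when it reaches a sensitive resource, and a device that has fallen out of compliance is refused even though its owner’s identity checks out.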

The Zero-Trust Maturity Model

On the same day that OMB released its memo, the Cybersecurity and Infrastructure Security Agency (CISA) issued two documents: a draft Cloud Security Technical Reference Architecture, and a draft Zero-Trust Maturity Model (ZTMM), which outlines the “optimal” zero trust environment that government organizations will be measured against over the coming years.

The ZTMM draft aligns with five specific security goals outlined in the OMB’s memo, which agencies are required to meet by the end of September 2024:

  • Identity – personnel must receive an agency-wide identity to access work applications, protected by phishing-resistant multi-factor authentication (such as the government’s Personal Identity Verification, or PIV, cards).
  • Devices – agencies must maintain a complete inventory of every device they authorize for use on government networks, with the ability to detect and respond to any cyber incidents originating from them.
  • Networks – agencies must encrypt all DNS requests and HTTP traffic within their environment, and segment networks around applications. They are expected to encrypt email in transit once the government identifies a reliable method for doing so.
  • Applications – all applications must be treated as Internet-connected, and subjected on a regular basis to “rigorous testing”, supplemented by external vulnerability reports.
  • Data – agencies should categorize their data and work together to deploy protections based on that categorization. Cloud security services are recommended to monitor access to sensitive data, and agencies should implement enterprise-wide logging and information sharing.

Acknowledging the scale of transformation required to meet these goals, the OMB has called on agencies with strong cybersecurity programs to help those in a weaker position. It also anticipates that CISA will offer zero trust maturity surveys in the future, helping agencies to identify and remediate gaps.

The Benefits of Zero Trust

Ultimately, zero trust architecture is just one of many initiatives stemming from May’s executive order. But while it will not magically render organizations invulnerable to cyberattacks, it will bring about significant transformation in more ways than one:

  1. Constant validation of user identity, activity monitoring and segmentation of networks around applications will make attacks significantly harder, both for foreign cyber actors and for malicious insiders.
  2. Complete and accurate device inventories will give government agencies significantly more control over their infrastructure, rapid insight into what is running where, and the ability to respond quickly in an emergency.
  3. Ultimately, implementing zero trust models will accelerate the modernization of federal IT by requiring agencies to break down silos and coordinate information sharing.

Today, threat actors are moving fast. To protect national security, government agencies and contractors will have to move faster. For a long time, our federal infrastructure and cybersecurity strategy has stagnated – but the progress we’ve seen in a single year gives us reason to be hopeful.

Find Your Weaknesses

In its recent memo on zero trust, the OMB recommends that agencies rely on third-party vulnerability assessments to identify and remediate application vulnerabilities. Don’t fall prey to the next SolarWinds: partner with cybersecurity experts who can probe your organization for gaps before they are exploited.

Securicon hardens organizations against current and developing threats. With years of expertise trusted by the DoD, DHS and U.S. Cyber Command, we help our clients through vulnerability assessments and penetration tests; governance, risk and compliance (GRC) services; and security architecture review. Contact us to learn more.