How to Prevent Zero-Day Attacks

Nov 3, 2020, 19:41
James Lee Cooper

This article talks about the importance of having a zero-day attack prevention strategy.

Cybercriminals use many different avenues to compromise environments today, both on-premises and in the cloud.  One of the attack vectors they rely on most is vulnerabilities.  One type of vulnerability is especially dangerous to your environment: the zero-day vulnerability, which often leads to zero-day attacks.

In this post, we are going to take a closer look at the zero-day attack.  What is a zero-day attack?  What makes one vulnerable to this type of attack?  How do organizations protect themselves and prevent zero-day attacks from compromising their environments?  

What is a zero-day attack?


First, organizations must understand the zero-day attack and why it is so dangerous.  What is it exactly?  A zero-day attack happens when an attacker takes advantage of a zero-day vulnerability.  The vulnerability may be a recently discovered or brand-new flaw in either hardware or software that allows an attacker to compromise the environment easily.  

The real danger of a zero-day vulnerability is not necessarily how severe the flaw is in itself. Instead, it is the fact that no patch yet exists to remediate the vulnerability.  In the best case, a security researcher discovers the critical flaw first.  If so, the researcher discloses the vulnerability to the software vendor before news of it is released.  The software vendor then has time to release a patch before a working proof of concept (POC) of the exploit code is demonstrated “in the wild.”

News of a zero-day flaw can break one day, and attackers may be attempting to exploit the vulnerability days, if not hours, later.  Once software developers have had time to patch the vulnerability, exploitation is much more difficult.  Given this, attackers move quickly to capitalize on newly discovered weaknesses in environments that are slow to patch.  

The worst-case scenario is that cybercriminals find the zero-day vulnerability first.  They then use it to compromise existing systems, unbeknownst to the client organization.  It generally takes time before an attack is discovered, and then even more time for the organization to work out how to mitigate the attack vector once it is found.

Anatomy of a zero-day attack


How does a zero-day attack look when carried out?  A typical series of events that leads to exploiting a vulnerability may look something like the following:

  1. Software developers release a new version of code for software/hardware that, unbeknownst to them, contains a flaw in how the code has been implemented
  2. Cybercriminals discover the flaw – This may either be in an externally exposed system or an internal system that can be exploited by a compromised host on the internal network
  3. Exploit code is then written by the attacker which capitalizes on the vulnerability
  4. After writing the exploit code, the attacker then uses the code to test the compromise on a public-facing server or an internal server in an environment where they have compromised an internal machine
  5. After the attack is launched, organizations may realize they have been compromised.  Discovering the breach may take days, weeks, or longer.  The scale of the zero-day attack may correspond to how quickly the vulnerability is recognized and patched
  6. Software developers release a patch for the exploit
  7. Client organizations patch their systems to remediate the vulnerability

How to prevent zero-day attacks


Organizations cannot prevent vulnerabilities altogether.  Unfortunately, bugs and other defects are an inevitable part of software development, and they are the breeding ground for zero-day vulnerabilities.  However, several best practices can help to prevent zero-day attacks in your environment.  Let’s take a look at the following:

  1. Patch your systems
  2. Protect your email solution
  3. Train end-users
  4. Create a “zero-trust” environment
  5. Use a Cloud Access Security Broker (CASB)
  6. Use Multi-factor authentication
  7. Back up your data

1.  Patch your systems


Patching is one of the most basic practices that can bolster security across an organization’s entire technology landscape.  Most software vendors release patches on a predetermined cadence.  Microsoft notably releases patches on the second Tuesday of every month, known unofficially as Patch Tuesday.  Other vendors, such as Adobe and Oracle, also release patches on this day.  

Microsoft issues security and other patches on Patch Tuesday to resolve known and newly discovered vulnerabilities in Windows client and server operating systems.  Attackers frequently look for longstanding security vulnerabilities whose patches have been available for months or even years.  Environments that are slow to apply updates, or do not apply them at all, are especially vulnerable to zero-day attacks.  

Using an automated patch solution helps ensure that patching is carried out regularly across the environment.  It is important to patch the underlying systems and third-party applications that run on top of the operating system.  Even if organizations apply Windows patches, there could be a critical vulnerability in a third-party program that can expose your organization.  The moral of the story – patch your systems and applications!

2.  Protect your email solution


Even with instant messaging and other solutions, email is still the most common communication platform in the enterprise.  Attackers are still targeting businesses using email-based attacks.  These attacks include phishing emails that often masquerade as legitimate senders only to drop malware on the end-user system.

Using phishing emails, attackers persuade end-users to download an attachment or click a web link.  While it may appear harmless, the attachment or link can install a trojan, ransomware, or another malicious tool that an attacker can leverage to get inside the network perimeter.  Infiltrating the network through a phishing email can lead to the attacker compromising the environment with a zero-day attack or another vulnerability exploit.  

Organizations need strong email security defenses to help protect end-users from phishing-based attacks.  Phishing protection that catches phishing emails at the perimeter, before they reach the end-user, reduces the chance that an end-user will fall for one.  Cloud email environments are not immune to phishing-based attacks either, as security researchers have demonstrated.  

3.  Train end-users


No phishing email protection solution is perfect.  A small amount of phishing or otherwise malicious emails may make their way to the end-user.  Will your end-user be able to recognize a phishing attack?  Employee security awareness training is a necessary part of the overall security solution in the enterprise today.  

Security awareness training can help end-users recognize a phishing email when they see one.  It helps them to be able to stay vigilant to various attack vectors and the signs to look for when an email is “phishy”.  These signs can include the return email address not matching the sender address, illegitimate images, spurious domain names, and many other characteristics that may indicate an attacker is phishing your organization.  
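As an added example (not code from the article), the checks below look for the header-level signs just listed: a Reply-To or Return-Path domain that does not match the sender, a display name that embeds a different address, a digit-for-letter lookalike sender domain, and a link whose host contains a trusted domain but is registered elsewhere. The two sample messages, the trusted domain example.com and the helper names are all constructed for the demonstration:

```python
# Added example (not from the article): header-level checks for the phishing
# signs the text lists. Sample messages, domains and helper names are constructed.
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # placeholder for your organization's own domains

LEGIT_MESSAGE = """\
From: Payroll Team <payroll@example.com>
Reply-To: payroll@example.com
Return-Path: <payroll@example.com>
Subject: Your payslip is available
Content-Type: text/plain; charset=utf-8

Your payslip for October is now in the HR portal.
"""

SUSPICIOUS_MESSAGE = """\
From: "it-support@example.com" <alerts@examp1e.com>
Reply-To: helpdesk@mailbox-verify.example.net
Return-Path: <bounce@bulk-sender.example.org>
Subject: URGENT: verify your password within 24 hours
Content-Type: text/plain; charset=utf-8

Sign in at http://example.com.login-check.example.net/reset to keep your mailbox.
"""

# An address or bare domain hidden inside a display name, and the host part of a URL.
ADDR_OR_DOMAIN = re.compile(r"(?:[\w.+-]+@)?((?:[\w-]+\.)+[a-z]{2,})", re.I)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a header value ('' if none)."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def looks_like(domain: str, trusted):
    """Trusted domain that `domain` imitates by swapping digits for letters (1->l, 0->o), else None."""
    normalized = domain.translate(str.maketrans("10", "lo"))
    return normalized if normalized != domain and normalized in trusted else None


def phishing_indicators(raw_message: str, trusted=TRUSTED_DOMAINS) -> list:
    """Names of the indicators present; an empty list means none of the checked signs fired."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_address)

    # 1. Reply-To points somewhere other than the apparent sender's domain.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 2. Return-Path (where bounces go) is a different domain than From.
    return_domain = domain_of(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        findings.append("return-path-mismatch")

    # 3. The display name embeds an address or domain that is not the real sender domain.
    for match in ADDR_OR_DOMAIN.finditer(display_name):
        if match.group(1).lower() != from_domain:
            findings.append("display-name-spoof")
            break

    # 4. The sender domain is a digit-substitution lookalike of a trusted domain.
    if looks_like(from_domain, trusted):
        findings.append("lookalike-sender")

    # 5. A link host contains a trusted domain but is not that domain or a subdomain of it.
    for host in URL_HOST.findall(body_text(msg)):
        host = host.lower()
        if any(t in host and host != t and not host.endswith("." + t) for t in trusted):
            findings.append("lookalike-link")
            break
    return findings
```

These checks are heuristics for a mail gateway or a training exercise, not a verdict: a legitimate newsletter service will often trip the Return-Path check, so the output is best treated as a score that feeds a quarantine or banner decision rather than an automatic block.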

4.  Create a “zero-trust” environment


There is a buzzphrase that you may have heard tossed around called “zero trust.”  In the context of security best practices today, it is vital.  In traditional environments, internal networks are separated from the “outside world” using a firewall.  Everything in the inside network is “trusted.”  This legacy approach to architecting network design and access to resources is dangerous.  What happens when an attacker infiltrates the perimeter firewall and compromises a client on the inside network?  They have access to everything.  

Designing modern networks and environments has shifted to a “zero-trust” approach using micro-segmentation to create very small “sub-networks” that only allow a subset of clients and server applications to communicate.  It helps to bring the least privilege access model to the network.  By comparison, a client in a traditional internal network may only need to communicate with one server for one application. However, that client can “see” and communicate on all other network ports and with all other network nodes. 

If attackers discover a zero-day exploit, having resources architected with zero-trust in mind drastically reduces the attack surface and opportunity for compromise.  The vulnerable system may only be able to communicate with a specific number of clients.  Due to the zero-trust design, these may be difficult for an attacker to infiltrate.  
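To make the contrast concrete, here is an added example (not from the article) that models the two designs as connection rules: the legacy model lets any inside host reach any inside port, while the zero-trust model allows only an explicit list of (source segment, destination segment, port) tuples and denies everything else. The hosts, services and policy are constructed; the blast_radius function counts how many hosts a single compromised client could reach, directly or by hopping, under each design.

```python
# Added example (not from the article): a flat "trusted inside" network versus a
# micro-segmented allow-list. Hosts, listening services and the policy are constructed.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# host -> segment it belongs to
SEGMENT = {"ws-01": "workstations", "ws-02": "workstations",
           "app-01": "app", "db-01": "db", "backup-01": "backup"}

# host -> ports it listens on
SERVICES = {"ws-01": {445, 3389}, "ws-02": {445, 3389},
            "app-01": {443}, "db-01": {5432}, "backup-01": {22}}

# Zero-trust allow-list of (source segment, destination segment, port).
# Anything not listed, including workstation-to-workstation traffic, is denied.
POLICY = {("workstations", "app", 443), ("app", "db", 5432), ("backup", "db", 5432)}


def flat_allows(flow: Flow) -> bool:
    """Legacy model: once inside the perimeter firewall, everything is trusted."""
    return True


def segmented_allows(flow: Flow, policy=POLICY) -> bool:
    """Zero-trust model: default deny, allow only explicitly listed segment/port tuples."""
    return (SEGMENT[flow.src], SEGMENT[flow.dst], flow.port) in policy


def exposed_services(src: str, allows) -> set:
    """(host, port) pairs that `src` can open a connection to under the given rule."""
    return {(dst, port) for dst, ports in SERVICES.items() if dst != src
            for port in ports if allows(Flow(src, dst, port))}


def blast_radius(start: str, allows) -> set:
    """Hosts reachable from `start` by hopping through any allowed flow (start excluded)."""
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for dst, _ in exposed_services(host, allows):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def evaluate(flows, allows) -> dict:
    """Map each observed flow to the allow/deny decision a rule would make."""
    return {flow: allows(flow) for flow in flows}


# Constructed flow records: one legitimate access and two lateral-movement style attempts.
SAMPLE_FLOWS = [Flow("ws-01", "app-01", 443),
                Flow("ws-01", "db-01", 5432),
                Flow("ws-01", "ws-02", 445)]
```

The point the numbers make is the one the section makes: under the flat model a compromised workstation sees every listening port on every other host, while under the allow-list it sees one service, and the reachable set stops at the application and database tiers instead of covering the whole network.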

5.  Use a Cloud Access Security Broker (CASB)


Cloud Software-as-a-Service (SaaS) environments have become extremely popular as organizations migrate their data to the cloud.  Cloud SaaS environments provide many excellent capabilities to organizations.  However, they can also be fraught with security problems if not appropriately controlled.

Cloud Access Security Broker (CASB) systems give organizations control over their cloud SaaS environments.  CASB solutions enable your organization to apply its on-premises policies to the cloud environment.  Modern API-based CASB solutions integrate seamlessly with cloud environments at scale.  They often provide additional security benefits such as governance controls and even ransomware protection.  CASB solutions help to protect modern cloud environments from zero-day attacks.  

6.  Use multi-factor authentication


Attackers often use compromised credentials to attack environments.  Again, to capitalize on a zero-day vulnerability, the attacker may need to be on the internal network, and compromised credentials are, more often than not, what a cybercriminal uses to reach business-critical systems on the inside.  Multi-factor authentication is a great way to bolster authentication security.

Even if an attacker knows the username and password, they still do not have everything they need to log in when multi-factor authentication is enabled.  The end-user uses a smartphone or other physical device to authenticate the login session: the session is validated only when the username and password are entered together with a one-time password.  Other systems validate the login with a “push” notification instead.  Zero-day vulnerabilities may be harder to exploit if an attacker cannot obtain the credentials needed to reach the position in the network from which exploitation is possible.  
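The one-time-password validation described above, as an added example in Python rather than code from the article: HOTP and TOTP follow RFC 4226 and RFC 6238 (the RFC test secret is used so the values can be checked against the published vectors), and the LoginService class is a constructed illustration that requires both factors, tolerates one 30-second step of clock drift, and refuses a code that has already been accepted.

```python
# Added example (not from the article): HOTP (RFC 4226) and TOTP (RFC 6238) with a
# two-factor login that rejects replayed codes. The user database is constructed.
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second periods since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def match_totp(secret: bytes, code: str, at_time: int, step=30, digits=6, window=1):
    """Return the time-step counter the code matches within +/- `window` steps, else None.
    Comparison is constant-time so a guess cannot be refined from response timing."""
    current = at_time // step
    for counter in range(current - window, current + window + 1):
        if counter >= 0 and hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the first factor is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LoginService:
    """Constructed login that needs password AND one-time code, and never accepts a code twice."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                                "totp_secret": totp_secret, "last_counter": -1}

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return False  # first factor failed
        counter = match_totp(user["totp_secret"], code, now)
        if counter is None or counter <= user["last_counter"]:
            return False  # second factor wrong, expired, or a replay of an accepted code
        user["last_counter"] = counter  # RFC 6238: a verified code must not be accepted again
        return True


def demo() -> list:
    """Constructed walk-through: a stolen password alone fails, a replayed code fails,
    and a code from the previous 30-second step is still accepted (clock drift)."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, used here as a constructed enrollment
    service = LoginService()
    service.enroll("alice", "correct horse battery", secret)
    return [
        service.login("alice", "correct horse battery", totp(secret, 59), 59),  # both factors: accepted
        service.login("alice", "correct horse battery", totp(secret, 59), 59),  # same code again: rejected
        service.login("alice", "wrong password", totp(secret, 61), 61),         # wrong password: rejected
        service.login("alice", "correct horse battery", totp(secret, 89), 95),  # previous step, in window: accepted
        service.login("alice", "correct horse battery", totp(secret, 29), 95),  # two steps old: rejected
    ]
```

The drift window is the usual trade-off: one step each way absorbs phone and server clocks that disagree by a few seconds, while the `last_counter` check ensures that widening the window never lets an intercepted code be reused.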

7.  Back up your data


Even when your organization uses the best security recommendations, a zero-day attack is still possible.  Data could be lost or corrupted by a ransomware attack or outright deleted by the attacker.  Zero-day vulnerabilities can undoubtedly lead to a perfect storm of a zero-day attack and data loss.

If an attacker does manage to carry out a zero-day attack against your business, your best line of defense is good data backups.  Having data backups means you have a copy of your data at a known-good point in time, before the attack and before any data loss occurred.  

Protecting your organization against data loss includes having good backups of your cloud SaaS environments such as Google Workspace (formerly G Suite) and Microsoft 365.  Using a tool like SpinBackup to protect your cloud data ensures that your organization’s business-critical data migrated to cloud SaaS environments is protected.  Even if you suffer data loss due to a zero-day attack, you can recover the data.
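The “known-good point in time” idea, as an added example in Python that is neither the article’s code nor SpinBackup’s: a snapshot records a SHA-256 manifest of every stored copy, an audit compares the live data against that manifest (a file overwritten by ransomware changes its hash, a deleted file shows up as missing, a ransom note shows up as unexpected), and a restore refuses any backup copy whose hash no longer matches the manifest. All files and paths are constructed in a temporary directory.

```python
# Added example (not the article's and not SpinBackup's code): file-level snapshot
# with a SHA-256 manifest, an audit against it, and a hash-verified restore.
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(src: Path, backup: Path) -> dict:
    """Copy every file under src into backup; return {relative path: sha256 of the stored copy}.
    Keep the manifest somewhere the live systems cannot write to."""
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        copy = backup / rel
        copy.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, copy)
        manifest[rel] = sha256_of(copy)  # hash the copy, so the manifest vouches for what was stored
    return manifest


def audit(manifest: dict, live: Path) -> dict:
    """Compare the live tree with the known-good manifest."""
    current = {p.relative_to(live).as_posix(): sha256_of(p) for p in live.rglob("*") if p.is_file()}
    return {
        "changed": sorted(r for r, h in manifest.items() if r in current and current[r] != h),
        "missing": sorted(r for r in manifest if r not in current),
        "unexpected": sorted(r for r in current if r not in manifest),
    }


def restore(backup: Path, manifest: dict, dest: Path) -> int:
    """Restore every manifest entry into dest; refuse a copy whose hash no longer matches."""
    restored = 0
    for rel, expected in manifest.items():
        source = backup / rel
        if sha256_of(source) != expected:
            raise ValueError(f"backup copy of {rel} does not match the manifest; do not trust it")
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, target)
        restored += 1
    return restored


def demo() -> tuple:
    """Snapshot constructed files, simulate a destructive attack, audit, then restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, recovered = root / "live", root / "backup", root / "recovered"
        for rel, data in {"docs/q3-report.txt": b"quarterly numbers",
                          "docs/payroll.csv": b"name,amount\n",
                          "notes.txt": b"todo"}.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)
        manifest = snapshot(live, backup)
        # Simulated attack: one file overwritten with ciphertext-like bytes,
        # one deleted, and a note dropped into the tree.
        (live / "docs/q3-report.txt").write_bytes(b"\x8f\x1c\x02 encrypted")
        (live / "docs/payroll.csv").unlink()
        (live / "README_RESTORE_FILES.txt").write_bytes(b"pay to decrypt")
        before = audit(manifest, live)
        count = restore(backup, manifest, recovered)
        after = audit(manifest, recovered)
        return before, count, after
```

Two design choices carry the security point: the manifest hashes the stored copy rather than the source, so a corrupted or partial copy is caught before it is ever relied on, and the restore verifies against the manifest first, so a backup that an attacker reached and altered is refused instead of silently restoring bad data.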

Wrapping Up


Zero-day vulnerabilities are a tremendous risk to your organization’s data.  It is often not a question of how significant the vulnerability is, but rather the fact that no patch exists to remediate it.  It can take software vendors weeks, if not longer, to produce a patch that remediates the vulnerability effectively.

By following the best practices described here, your organization can prevent zero-day attacks by using adequate security mitigations to offset the potential risk.  Patching, protecting your email solution, training end-users, adopting zero-trust configurations, implementing a CASB, using multi-factor authentication, and backing up your data all help to prevent a zero-day attack effectively.