Should we care about zero-days?
Gartner says that 99% of exploited vulnerabilities are publicly known. Does it mean we can ignore zero-days?
According to Gartner, through 2020, 99 percent of exploited vulnerabilities will continue to be ones that have been publicly known for at least one year. Does that mean we should not care about zero-day vulnerabilities and the private exploit market? The answer is no, but we need to explore the subject to understand why.
Exploits for zero-day vulnerabilities are expensive, and the attackers who use them have every incentive to keep them private and reuse them in upcoming operations. Such attackers take every precaution to keep exploitation, intrusion and data exfiltration silent and invisible to their victims. Detection almost certainly means the cyber mercenaries' investment in the zero-day is lost (once the flaw is analysed and patched, the exploit is worthless), followed by an incident investigation and all the related trouble with Europol, the FBI or other law-enforcement agencies fighting cybercrime.
Nowadays, cybercriminals on the Dark Web actively buy and sell continuous security monitoring services aimed at instantly detecting unpatched systems and vulnerable software in the wild. Cybercrime groups will even carefully patch a vulnerability after successfully exploiting it, to keep their "competitors" out. The majority of data-breach reports are based on reported security incidents, including vulnerability probing and information gathered from honeypots. Not surprisingly, over 99.9 percent of such reports concern publicly known vulnerabilities, including some discovered years ago. At the end of the day, most security reports highlight publicly known vulnerabilities and discreetly leave zero-days in the shadows.
Moreover, given that over 76 percent of users reuse or share passwords, a zero-day exploit is rarely required to get in. For web applications we can go further: attackers almost never need a zero-day, because many companies host in-house web applications riddled with high or critical vulnerabilities that an experienced attacker can find and exploit within a few hours. The breach of 156,959 TalkTalk customers' records via a simple SQL injection is a good example of a zero-day not being needed to reach the crown jewels.
Last but not least, many buyers and sellers of cybercrime services simply cannot afford a good zero-day. All these factors push zero-days to a modest last place among detected and reported attack vectors.
Nevertheless, midsize and large companies regularly fall victim to professional cyber mercenaries whose intrusions they fail to detect and report, whether for lack of internal resources or because of the attackers' sophistication. Obviously, before taking any decisions, one should properly evaluate the risk that one's adversaries will use a zero-day as part of the enterprise risk assessment.
But let's see what to do if our adversaries do have the financial means and the motivation to use private exploits for zero-day flaws. Below are five fundamental principles that can significantly reduce the impact of zero-days for many companies:
Minimize external attack surface
Make sure that all systems that do not require external access are moved to your internal network or are properly firewalled. Systems that do not require global accessibility can be restricted to trusted IP ranges or Geo IP ranges, or made accessible only with strong two-factor authentication. Keep in mind that IP and Geo IP restrictions only raise the bar, since an attacker can route through a VPN or a compromised host in an allowed range; they cut exposure to opportunistic scanning rather than stopping a targeted adversary. Deception technologies (honeypots, decoy accounts) can be helpful as well, because they turn an attacker's reconnaissance into an early warning.
Implement defense in depth and security hardening
The more different types of security controls are in place, the more difficult it is to conduct an attack, even with a zero-day: an exploit defeats one control, and defense in depth means that one control is never enough. An SQL injection vulnerability is significantly less dangerous if the database server is securely configured and the application connects with a least-privilege account, the web application sits behind a WAF, passwords are properly hashed, the admin interface is protected with an additional password, and any SQL errors triggered during exploitation are immediately sent to the security team.
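The following is an added example (not code from the article) that shows three of those layers around a single injectable lookup: string-built SQL beside its parameterised replacement, salted PBKDF2 password hashing so that a dumped table does not yield passwords, and a wrapper that turns any SQL error into an alert for the security team. The `users` table, the two accounts, the `ALERTS` list standing in for an alerting pipeline and the function names are all assumptions made for the example; it uses only the Python standard library and an in-memory SQLite database.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000

# Stand-in for the security team's alert pipeline (assumption: a real deployment
# would forward these events to a SIEM or on-call channel rather than a list).
ALERTS = []


def alert(event, detail):
    ALERTS.append({"event": event, "detail": detail})


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: a dumped users table yields hashes, not passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """Constructed sample data (not a real system): two users with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", hash_password("correct horse battery staple"), 1),
         ("alice", hash_password("alice-password"), 0)],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """The weak layer: SQL built by string formatting, injectable through `username`."""
    sql = "SELECT username, pw_hash, is_admin FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, pw_hash, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def guarded(lookup, conn, username):
    """Run a lookup so that any SQL error (the classic injection probe) raises an alert."""
    try:
        return lookup(conn, username)
    except sqlite3.Error as exc:
        alert("sql_error", {"input": username, "error": str(exc)})
        return []


def login(conn, username, password, lookup=safe_lookup):
    """Authenticate only when exactly one row matches and the password hash verifies."""
    rows = guarded(lookup, conn, username)
    if len(rows) != 1:
        return False
    return verify_password(password, rows[0][1])


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable lookup rows:", len(vulnerable_lookup(conn, payload)))  # 2: whole table
    print("safe lookup rows:", len(safe_lookup(conn, payload)))              # 0
    print("bypass through weak layer:", login(conn, payload, "?", lookup=vulnerable_lookup))  # False
    guarded(vulnerable_lookup, conn, "x'")  # syntax-breaking probe triggers an alert
    print("alerts raised:", ALERTS)
```

Run stand-alone, the injected `' OR '1'='1` returns the whole table through `vulnerable_lookup` but nothing through `safe_lookup`; even through the weak layer the login fails, because the extra rows and the hash check stop it; and the single-quote probe produces a SQL error that lands in `ALERTS`. Each layer is independently bypassable, which is exactly why several of them together are worth more than any one.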
Properly manage access control
Make sure that all your users have only the permissions and privileges they need to know. Proper network segmentation and user access segregation are critical, so that the compromise of one host or user does not impact the others. Requiring manual human approval for business-critical operations is also a good idea in almost any information system.
Implement anomalies detection and continuous monitoring
Continuous monitoring of your digital assets, their state, integrity and vulnerabilities, is vital to keeping your crown jewels safe. Modern machine learning technologies can quite efficiently detect abnormal behaviour, malicious activity and attack patterns, and report them for further investigation. This matters particularly for zero-days: there is no signature for an unknown exploit, but the behaviour around it (a burst of server errors, one client probing far more paths than anyone else, a host suddenly talking to many internal systems) still stands out from the baseline. For those who are not yet ready to adopt emerging technologies, a properly configured and managed IDS or WAF can be a good solution as well.
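As an added example (not from the article), here is behaviour-based detection over web server access logs that needs no exploit signature: it profiles each client and flags the ones whose request volume, server-error count, missing-path enumeration or HTTP methods deviate from the rest. The log lines are constructed for the example, the set of "expected" methods and the thresholds are assumptions to be tuned against real traffic, and the rules are deliberately simple so the logic is visible; the same profile-then-compare structure is what an ML-based tool does with richer features.

```python
import re
from collections import defaultdict
from statistics import median

# Common Log Format: ip ident user [time] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Methods this (assumed) application legitimately serves; anything else is unusual.
EXPECTED_METHODS = {"GET", "POST", "HEAD"}

# Constructed sample log (not from any real system): four ordinary clients and one
# client enumerating files and breaking an API endpoint. Addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Oct/2016:13:55:36 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.10 - - [10/Oct/2016:13:55:41 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.10 - - [10/Oct/2016:13:56:02 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.11 - - [10/Oct/2016:13:56:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.11 - - [10/Oct/2016:13:56:15 +0000] "GET /products HTTP/1.1" 200 8831
198.51.100.12 - - [10/Oct/2016:13:56:20 +0000] "GET /login HTTP/1.1" 200 1410
198.51.100.12 - - [10/Oct/2016:13:56:33 +0000] "POST /login HTTP/1.1" 200 1500
198.51.100.12 - - [10/Oct/2016:13:56:40 +0000] "GET /account HTTP/1.1" 200 3022
198.51.100.13 - - [10/Oct/2016:13:57:01 +0000] "GET /products HTTP/1.1" 200 8831
198.51.100.13 - - [10/Oct/2016:13:57:09 +0000] "GET /missing-page HTTP/1.1" 404 320
203.0.113.9 - - [10/Oct/2016:13:57:12 +0000] "GET /admin/ HTTP/1.1" 404 320
203.0.113.9 - - [10/Oct/2016:13:57:12 +0000] "GET /wp-login.php HTTP/1.1" 404 320
203.0.113.9 - - [10/Oct/2016:13:57:13 +0000] "GET /.env HTTP/1.1" 404 320
203.0.113.9 - - [10/Oct/2016:13:57:13 +0000] "GET /backup.zip HTTP/1.1" 404 320
203.0.113.9 - - [10/Oct/2016:13:57:14 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 320
203.0.113.9 - - [10/Oct/2016:13:57:14 +0000] "GET /.git/config HTTP/1.1" 404 320
203.0.113.9 - - [10/Oct/2016:13:57:20 +0000] "GET /api/v1/users?id=1' HTTP/1.1" 500 612
203.0.113.9 - - [10/Oct/2016:13:57:21 +0000] "GET /api/v1/users?id=1%20AND%201=1 HTTP/1.1" 500 612
203.0.113.9 - - [10/Oct/2016:13:57:25 +0000] "POST /api/v1/export HTTP/1.1" 500 612
203.0.113.9 - - [10/Oct/2016:13:57:30 +0000] "PROPFIND /webdav/ HTTP/1.1" 405 0
203.0.113.9 - - [10/Oct/2016:13:57:31 +0000] "OPTIONS / HTTP/1.1" 200 0
203.0.113.9 - - [10/Oct/2016:13:57:35 +0000] "GET /api/v1/users?id=2 HTTP/1.1" 200 780
"""


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped (a real pipeline would count them)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def profile(events):
    """Per-client behaviour summary; no attack signatures involved."""
    stats = defaultdict(lambda: {"requests": 0, "server_errors": 0,
                                 "not_found": set(), "methods": set()})
    for ev in events:
        s = stats[ev["ip"]]
        s["requests"] += 1
        s["methods"].add(ev["method"])
        if ev["status"] >= 500:
            s["server_errors"] += 1
        elif ev["status"] == 404:
            s["not_found"].add(ev["path"])
    return stats


def detect(events, volume_factor=3, error_threshold=3, enum_threshold=5):
    """Return {client_ip: [reasons]} for clients whose behaviour deviates from the baseline.

    Thresholds are illustrative assumptions; tune them against your own traffic."""
    stats = profile(events)
    findings = defaultdict(list)
    if len(stats) >= 3:  # a baseline needs a few clients to compare against
        typical = median(s["requests"] for s in stats.values())
        for ip, s in stats.items():
            if s["requests"] > volume_factor * typical:
                findings[ip].append(f"{s['requests']} requests vs median {typical}")
    for ip, s in stats.items():
        if s["server_errors"] >= error_threshold:
            findings[ip].append(f"{s['server_errors']} server errors (exploitation attempts often crash the backend)")
        if len(s["not_found"]) >= enum_threshold:
            findings[ip].append(f"{len(s['not_found'])} distinct missing paths (enumeration)")
        unusual = s["methods"] - EXPECTED_METHODS
        if unusual:
            findings[ip].append("unexpected methods: " + ", ".join(sorted(unusual)))
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in detect(parse(SAMPLE_LOG.splitlines())).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

On the sample data only 203.0.113.9 is reported, on all four rules, while the client that hit one missing page stays below every threshold. None of the rules knows what `/.env` or a quote in a query string means; they fire on how the client behaves relative to everyone else, which is what keeps them useful against an exploit nobody has seen yet.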
Conduct regular information security awareness training
According to PwC’s Global State of Information Security Survey 2017, phishing is the #1 vector of cyberattack this year against financial institutions. Humans remain the weakest link in any attack, with or without a zero-day. Therefore, make sure that your employees are continuously trained and educated about emerging threats, social engineering and hacking techniques. Otherwise, your technical controls won’t help.
If you follow the principles above, even a competent black-hat adversary equipped with an expensive zero-day will have a hard time getting into your network and compromising your crown jewels.