Zero-day attacks are by their very nature more difficult to protect against than known vulnerabilities. With a zero-day attack, hackers have found a security hole and a way to exploit it before the victim is even aware that there is a weakness on their network. Hackers can then leverage that exploit to get into the victim's environment and take malicious action - whether that be stealing corporate intellectual property, installing ransomware for extortion, or even selling access to the victim's environment on the dark web.
We've seen the crippling repercussions of zero-day attacks in the ‘Eternal Blue' vulnerability with ‘WannaCry' and with hacking groups, such as ‘The Shadow Brokers'. It's clear that security products as a whole aren't that helpful with stopping zero-days and it takes more than just a simple tool to fix a zero-day attack. Ultimately, it comes down to three phases of action that businesses can take with zero-days: preparation before an attack, stopping the threat when an attack occurs, and halting post exploitation activity.
Prepare, prepare, prepare
A critical component of being prepared for an inevitable attack is having a plan in place well in advance, and taking enough steps to ensure that plan is effective. Some of the best preparation techniques include red teaming, penetration testing and tabletop exercises. These ensure that your network is hardened and not filled with holes that are easily exploitable by hackers. Businesses benefit from undertaking cyber-exercises such as penetration testing and tabletop exercises, since these review security operating plans, firewall rule sets, network intrusion detection systems, and very importantly, the ability of your employees to counter a zero-day exploit.
Knowing who potentially is targeting your organisation ahead of time is critical in helping to plan your defence appropriately. Cyber-threat intelligence allows you to assess which adversaries might be targeting your assets and organisation and gives you insight into the tactics, techniques and procedures they may employ. Arming your organisation with this knowledge can help you to take the appropriate tactical, operational and strategic actions to help improve your overall security posture.
Another basic step includes getting an incident response plan and retainer in place, in case your organisation does get breached - allowing you to respond without delay. An incident response retainer would also lead to an overall risk assessment for your organisation, which can help you understand exposure and minimise the likelihood of an attack. These assessments should investigate the organisation's cyber-security environment to identify any weak points and potential vectors that could be exploited and helps ensure that each endpoint and software instance is effectively monitored and patched against known vulnerabilities.
What now?! In the wake of a breach
If an IT professional is working from the assumption that an attack is inevitable, the question then becomes how can I stop an initial intrusion from escalating into a mega-breach? Organisations should focus on how they can reduce the impact of such an event or stop malicious activity from creating more damage.
Today's modern endpoint products all have anti-exploitation capabilities, and these are important to your overall cyber-security. It's vital to keep these security capabilities turned on and up-to-date at all times. New endpoint protection technologies can also integrate behavioral analytics, artificial intelligence and machine learning that help move the needle and stop zero-days at the point of attack. Endpoint detection and response (EDR) tools can help with behavioural protection logic that looks for the telltale signs of an intrusion. Examples of such signs include credential theft, privilege escalation, lateral movement, or even evidence that someone is trying to encrypt, destroy, or leak files. EDR products can detect and block these behaviours, reducing risk to the organisation. This approach adds a second layer of defence to stop malicious activity from escalating even if the attacker is successful in establishing an initial foothold with a zero-day exploit.
Establishing the right response
It's critical to be able to detect post-exploitation activities, which can minimise dwell time from when a malicious attack enters your network and remains undiscovered. Dwell times from an undetected zero-day attack can leave an organisation vulnerable for days, week, or even months, and having the right tools in place can minimise this exponentially.
Organisations that are prepared with an incident response retainer, must be able to activate their incident response plan instantly and isolate infected systems and devices across their network. This is especially important if the attack has the ability to propagate through their network. This incident response plan should encompass a plan for immediate response and remediation but also, take into consideration the business' operational needs, existing investments and resources. In fact, many businesses are moving away from mere “incident response” towards a model of “continuous response,” which employs big data technologies to apply pattern detection and “what-if” scenarios to identify zero-day exploit signatures much faster – potentially within a matter of hours rather than weeks.
Implementing the best defences and the tools, process and technology can help mitigate an attack and quicken time to remediation. It's important as a modern business to think about not only the tools, but the process, people, intelligence and technology to stop an attack before it's done too much damage. A business that can demonstrate that it has made every effort to prevent and contain malicious activity that threaten sensitive data, will undoubtedly recover much more quickly in the event of a zero-day attack.
Dan Larson, VP of Product Marketing at CrowdStrike
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.