No internet-connected code is truly secure. Today’s development process is deeply iterative, and this ever-shifting landscape of code can sometimes expose critical vulnerabilities. When these flaws are discovered by attackers first, zero-day exploits threaten not just your own integrity – but that of business partners and team members across the organization. With no vendor awareness and no patches, attackers are able to break and enter with relative ease through zero-day vulnerabilities.
One recent example of this occurred in late August 2023. The HTTP/2 protocol defines the architecture of the modern internet, connecting client-side requests to their associated servers. In this attack, malicious actors used a technique known as HTTP/2 Rapid Reset, which abuses the protocol’s ability to multiplex many requests over a single connection. In the realm of Distributed Denial of Service (DDoS) attacks – where attackers hope to overwhelm a site provider’s servers with sheer brute force – request volume defines success. By initiating and rapidly canceling hundreds of thousands of HTTP/2 streams over established connections, these attacks quickly reached staggering volumes, peaking at 398 million requests per second (RPS) for Google, 155 million RPS for AWS, and 201 million RPS for Cloudflare.
Even more concerning – these attacks were orchestrated using a relatively small botnet.
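As an added illustration of the open-then-cancel pattern described above (example code written for this article, not part of the original post or of any vendor’s product), the following detector scans per-connection HTTP/2 frame events for the Rapid Reset signature: a high rate of RST_STREAM frames and a client that cancels most of the streams it opens. The event format and the sample log are assumptions constructed for the example.

```python
"""Rapid Reset detection over constructed HTTP/2 frame events.

Assumption: an HTTP/2 front end can emit one event per client frame as
(connection_id, timestamp_seconds, frame_type, stream_id). The log below is
constructed for this example; it is not captured traffic.
"""
from collections import defaultdict

# Constructed sample: connection "c1" opens 200 streams and cancels each about
# 1 ms later; connection "c2" is an ordinary browser session that lets streams
# complete and cancels only a single one.
SAMPLE_EVENTS = []
for i in range(200):
    sid = 2 * i + 1                      # client-initiated streams are odd
    SAMPLE_EVENTS.append(("c1", 10.0 + i * 0.002, "HEADERS", sid))
    SAMPLE_EVENTS.append(("c1", 10.0 + i * 0.002 + 0.001, "RST_STREAM", sid))
for i in range(20):
    SAMPLE_EVENTS.append(("c2", 10.0 + i * 0.05, "HEADERS", 2 * i + 1))
SAMPLE_EVENTS.append(("c2", 12.0, "RST_STREAM", 3))   # one benign cancel

def reset_stats(events, window=1.0):
    """Per connection: peak RST_STREAM count within any `window` seconds and
    the fraction of opened streams that the client itself cancelled."""
    opens = defaultdict(set)                 # conn -> stream ids opened
    resets = defaultdict(list)               # conn -> reset timestamps
    for conn, ts, ftype, sid in sorted(events, key=lambda e: e[1]):
        if ftype == "HEADERS":
            opens[conn].add(sid)
        elif ftype == "RST_STREAM" and sid in opens.get(conn, ()):
            resets[conn].append(ts)          # only count resets of known streams
    stats = {}
    for conn, streams in opens.items():
        times = resets[conn]
        peak, start = 0, 0
        for end in range(len(times)):        # sliding window over sorted resets
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        stats[conn] = (peak, len(times) / len(streams))
    return stats

def flag_rapid_reset(events, max_resets_per_window=100, max_cancel_ratio=0.5):
    """Return connection ids whose reset rate and cancel ratio both exceed the
    thresholds; a legitimate client rarely cancels most of its own streams."""
    return sorted(c for c, (peak, ratio) in reset_stats(events).items()
                  if peak > max_resets_per_window and ratio > max_cancel_ratio)
```

Thresholds are placeholders to tune against your own traffic baseline; the ratio check keeps a busy but well-behaved client from being flagged on volume alone.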
What are zero-day vulnerabilities?
The term “zero-day” originates from crisis terminology, detailing a single point in time where a critical system fails. In the cybersecurity sense, the software’s defenses are rendered obsolete as attackers find a way past highly sensitive security controls – before the software’s developers even become aware of the flaw. Due to the lack of available patches, users are left completely unprotected.
Generally, a zero-day timeline evolves in a familiar way: a software developer or organization inadvertently introduces a vulnerability into their software. An outside individual then detects this vulnerability before any remediation steps take place. Aiming to take advantage of this, the discoverer then crafts exploit code targeting the vulnerability.
To unleash this new exploit upon an unsuspecting victim, it’s often packaged up in a wider phishing campaign, convincing end-users to help deliver the code to the vulnerable system. Once a successful attack takes place, the alarm is sounded for the threat’s existence. Devs scramble to implement a patch for their software. As the patch becomes available, the vulnerability ceases to be classified as a zero-day threat as further information is published to relevant stakeholders. From there, it’s up to affected organizations to install the patch before copycat attackers take advantage of the new vulnerability.
Zero-day vulnerabilities: Detection and discovery
When dealing with zero-days, every hour counts. Detection revolves around four key capabilities.
Regularly scanning for vulnerabilities
Regardless of an organization’s efforts, vulnerabilities are going to crop up. Common coding errors can always expose potential vulnerabilities and create opportunities for malicious actors – especially in third-party tools that form the backbone of your team members’ productivity. Regular scans of critical production systems should be conducted at least once per quarter – and all newly developed systems should undergo a vulnerability scan before being deployed.
Penetration testing
Pentesting works hand in hand with vulnerability scanning, as verified human experts work to find gaps in your pre-existing code and configurations. Pentesting takes advantage of the fact that vulnerability severity is about who knows about the flaw, rather than what the flaw necessarily is. White hat researchers are the people you want stress-testing your networks. State-sponsored hackers, on the other hand, are actively hoping you don’t notice.
New examples of state-sponsored attacks occur every month – as of October 2023, the most recent is Atlassian’s zero-day. The flaw carries the maximum CVSS score of 10, and Microsoft has already issued a public warning about Chinese state-backed actors attempting to exploit it. Pentesting doesn’t just uncover vulnerabilities that might not be evident through scanning alone; it further highlights any potential attack paths that can be constructed from smaller, apparently innocent misconfigurations.
Managing and delegating threats
The four categories of technology vulnerabilities are physical, personnel-based, configuration-based, and application-based. Keeping an eye on each of these fields demands not just industry-leading tools – but a finely-honed detection and mitigation roadmap. Key to this is a proficient incident response team. For organizations facing heavier budget constraints, your IT providers’ incident response service needs to be the first to know.
Taking a risk-based approach allows you to channel the constant hum of information from all four fields into action-based documentation. For example, your employees rely on a constant stream of email communications throughout every working day – but you need to find the one slip-up that sends sensitive documentation to phishers. In this way, identification is only the first of the four major vulnerability mitigation steps – but it’s easily the most important.
Logging and analyzing behavior
Take the previous example of finding the malicious email in a haystack of inboxes – behavior-based analysis lends a new lens through which to parse an attacker from a colleague. Particularly in the realm of novel attack types, where no CVE is available, deviations from baseline network behavior can be the last line of defense against a successful attack.
However, in order to assess suspicious network and device behavior, your organization needs an accurate, on-the-ground inventory of the assets within your organization. Not only does this lend you increased knowledge about the level of protection your organization might need, but it also sets a foundation of expected interaction between every endpoint. Collecting and analyzing logs is the next component of behavioral analysis: real-time alerts on abnormal behavior bolster your ability to respond effectively.
How to prevent zero-day attacks
Zero-day vulnerabilities and associated attacks will continue throughout the foreseeable future. As long as human error and supply chains exist, organizations must create and closely manage tools, techniques, and procedures (TTP) to mitigate their risk.
Minimize your attack surface
Your organization’s attack surface consists of every line of code and employee contributing to its productivity. As an organization grows more complex, its corresponding attack surface can slowly yet relentlessly bloat to unmanageable sizes. Technical policy mistakes or overly permissive rules slowly accrue until an attacker is able to take advantage of them. Minimizing attack surfaces requires shutting down all entry points where authentication is not required. Each of the following steps helps to decrease the attack surface – further helping lighten the burden of proactive zero-day prevention.
Patch responsibly
Older software versions are old for a reason – developers are constantly working to improve and streamline behind-the-scenes processes. End-users often fall into the patching procrastination trap – the lack of visible changes between most updates regularly lulls them into a sense of complacency. However, as an organization aiming to prevent zero-day exploitation, a proactive update position is vital. While it’s tempting to dismiss patches as risky – after all, it’s adding new code to your attack surface – a protective blanket of solutions that identify and mitigate attempted attacks can afford you the best protection possible. Assume any software without a recent update is vulnerable. To protect employees from patch procrastination, rely on auto-updates as much as possible.
Gain further insight with configuration management
Configuration management is a process that accurately tracks changes within complex software systems. Visibility is the ultimate goal of config management, as it lends granular insight into even rapidly shifting microservices environments. The very first stage of configuration management focuses on aggregating and compiling data from different application environments, creating a full inventory of every component and service in use. With this inventory in place, it becomes possible to protect network and device changes with mandated sign-offs. Not only does this reveal the security impact of every change, but it helps remediate zero-day attacks in real time.
Use firewalls to your advantage
Firewalls play a critical role in security by restricting network traffic that isn’t essential. This prevents internal devices from establishing atypical connections with external servers, mitigating data leakage or malicious code deployment. The protection offered by firewalls extends to IoT devices and application updates, further helping solidify your zero-day defenses. A core component of firewalls is the ability to whitelist applications. This blocks unauthorized applications from being installed on employee devices, helping limit the attack surface and prevent new threats from appearing.
Segment networks, not teams
There have long been silos between cybersecurity and IT teams. These barriers make it more difficult for teams to share valuable information to remediate security issues before attackers have a chance to wreak havoc. Fostering fluid communication between development, security, and other teams allows an organization to rapidly implement the previous zero-day-busting measures.
Networks, however, should not be granted the same connectivity. In the context of a zero-trust framework, stringent controls help to ensure that access to applications, files, and services is issued on a need-to-know basis. This is achieved with finely-tuned network segmentation, or microsegmentation, which establishes finely detailed and secure sub-networks within your broader environment. In these microsegments, users or devices can connect and access resources and services tailored to their specific requirements, ensuring a highly granular and secure access approach. Lateral movement – a staple of malicious actors – is made restrictively difficult thanks to your organization’s very architecture.
Don’t rely on any single countermeasure
Zero-day vulnerabilities have the potential to lurk within all organizations, making zero-day attacks a concern for everyone. Thanks to this sheer unpredictability, it’s impossible to rely solely on any single tool. That’s why NinjaOne offers a wide variety of integrations. Its continuous monitoring and ahead-of-time patch management make it a powerful tool in your security arsenal – and every organization needs to take full advantage of an adaptive and cohesive line of defense.