“Facing fear is better than running from it,” he said.
“What if it’s fear you can’t beat?”
“Then it might be better to be dead,” he answered.”
― David Baldacci, Zero Day
If we talk about a Zero-day attack, people would probably think of the “SunBurst.” Companies are driven by fear and increase the budget on the most advanced technology to detect and hopefully stop becoming the next Solarwind or Fireye.
Read it here.
And yet, Zero-day attacks keep happening. The recent vCenter vulnerability exposed threats against 6,700 unpatched machines online. To explain this situation's cause, it is worth mentioning how this happens and how to prepare for the next Zero-day attack is more than essential.
Zero-Day 101:
A Zero-day vulnerability (pronounced as “O” day) is a software defect that is possibly being abused in various ways and, most importantly, unknown to the targeted software.
The term Zero-day Attack indicates an attack situation in which a vulnerability is exploited and unknown to the target software.
According to NIST, NISTIR 8011 Vol. 3, a Zero-day attack is:
"An attack that exploits a previously unknown hardware, firmware, or software vulnerability."
“You Can’t Protect What You Can’t See.”
The Zero-day vulnerability is recognized as the most dangerous way for infection. It is because there is less chance that the targeted system could detect and respond to the attack. Unlike other attack methods, a Zero-day attack is less dependent on the human factor (i.e., user awareness, social engineering).
Use phishing email attacks as an example requires the targeted users to interact with the email, whether to download it, open the attachment, or click on a link. Oppositely, a Zero-day exploit would attack the flaw in the targeted software/ hardware directly. And thus hidden in the background and hard to detect.
Types of Zero-Day Vulnerability
In general, we can separate Zero-day vulnerability into two types: public and private.
A private Zero-day vulnerability is only known to its “discoverer” and privately shared with whomever they have shared it. Elite cyberespionage groups, usually state-sponsored, mostly own the methodologies or attacks that exploit such vulnerabilities.
On the other hand, if a vulnerability is discovered via a leak or disclosure, or publication by a security researcher, it is claimed publicly. In a sense, a public Zero-day could be a significant threat to an organization than a private one, especially the exposed rather than published vulnerability.
Once that vulnerability goes into the wild, no matter if the patch is released, it turns into a competition between:
Attackers who are trying to find the vulnerable hosts and create exploits for the targets,
and;
The targeted system needed to be fix or patch.
The time window leads to an opportunity for attackers to abuse while targets out there are still exploitable.
This race against time is what we called a One-day or N-day attack.
Zero-Day Events
EternalBlue was the most well-known Zero-day attack. A hacking group known as the Shadow Brokers leaked hacking tools and exploits of the United States National Security Agency (NSA) in April 2017. The leaked tools — EternalBlue exploit quickly turned into weapons for hackers.
One of them is an exploit for a Microsoft Server Message vulnerability (CVE-2017–0144). The attacker can execute arbitrary code remotely in the compromised system using the weapon. This “once-and-for-all” weapon led to massive ransomware campaigns from May to August 2017, including malware such as the most famous WannaCry, Petya, and others.
Although Microsoft had already patched the EternalBlue exploit one month before the leak, 2017 also became the year of ransomware that posed significant security impacts worldwide, including utilities and transportation systems due to the massive number of windows machines that remained unpatched.
Nevertheless, this painful situation's bright side provided the most compelling reason for any enterprises to take a more proactive approach to cyber hygiene practices, such as routinely software updates and reviews.
VMware’s latest Zero-Day with CVSS 9.8/10
Recently, a vulnerability regarding VMware vCenter (CVE-2021–21972) was exposed by security researchers. VMware has taken this issue very seriously and has assigned a CVSS of 9.8 out of a maximum of 10. VMware is now urging customers to update their systems as soon as possible. (The Common Vulnerability Scoring System (CVSS) is an open framework for quantitation of characteristics and severity of vulnerabilities, sponsored by CISA.)
According to a Shodan query, more than 6,700 vCenter servers are currently vulnerable online, allowing hackers to control the unpatched systems and even the entire network.
Because of a vCenter server’s central role inside corporate networks, the matter was classified as highly critical and privately reported to VMware, which released official patches on February 23, 2021.
As the number of companies that run vCenter on their network is vast, security firm Positive Technologies, who discovered the vulnerability, initially planned to keep details about the bug secret to prolonging system administrators’ time to test and apply the patch.
The problem was raised seriously when a Chinese researcher posted the proof-of-concept code online. The one-line cURL request code then ultimately shortened companies grace period to patch. Also, hackers saved a large amount of time to write the scanning script for target searching.
Since the PoC code is now out in the open, Positive Technologies has also chosen to publish an in-depth technical report on the bug, so security teams can learn how to exploit work and prepare additional defenses or forensics tools to detect past attacks (backtracing).
VMware vCenter servers play a critical role in enterprise networks; a compromise of this layer could provide attackers access to any system that is connected or managed by it.
With that in mind, hackers are trying to launch Supply-Chain Attacks or Watering Hole Attacks against a high-value target, like vCenter, to sell underground cybercrime forums to cybercriminals for “once-and-for-all” attack campaign.
How to Protect Against Zero-day Attacks
Zero-day exploits are a great challenge for even the most vigilant security practitioners. However, the proper defenses in place can considerably reduce the risks to critical systems.
Cyber Hygiene
Good Cybersecurity hygiene — keeping the attack vector minimal, continuing education, maximizing visibility to the system, and patching — can dramatically reduce the security risk against the first step of most cyber attacks that most likely involve human interactions.
Cyber Hygiene, which leverages the concept of public health and uses it in the cyber world, emphasizes systematic IR triage: PDC — Prevent, Detect, Correct. Prevention, which is the most fundamental element against all illnesses, is also the most effective measure for unknown and latest threats.
What you do good in daily healthcare routines should also move into your cyber self. In this case, washing your hands can be interpreted as the action of logging out of your account and shut down the machines after using it.
- To wash hand online = Minimizing attack vector by a fundamental-first strategy.
- To find potential health problems, do regular health-check = Regular Vulnerabilities Scanning+Shift-left
- To keep fit = Security updates and patches.
- To get well soon = Encryption + Backup + IR process
- Cyber Resiliency
In cybersecurity, we have Cyber Resiliency that enhances adaptation of the overall cybersecurity posture. According to NIST SP800–160 Vol.2 (Developing Cyber Resilient Systems — A Systems Security Engineering Approach), it defined cyber resiliency as:
“The ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that include cyber resources.”
Cyber Resiliency is different from security defense. It is about knowing bad things will happen. The question is not about if but when. To become cyber resilient, the scope of protection would more than the “Crown Jewels.” It involves a more prominent coverage: the ecosystem of the business or organization.
In Cyber Resiliency, we assume that attacks are unavoidable, so we need to be well prepared for the impacts and learn from them. I mentioned using the PDC security mindset. But there is one puzzle missing — Adaptation to threats.
PDCA: Prevent, Detect, Correct, and Adapt (Do not mix it up with Plan-Do-Check-Act!) should be the better approach against fast-changing malicious activities. To add adaptation into the picture, we need a different approach.
In a holistic cybersecurity approach, we adopt security mindset in frameworks like PDC (Prevent, Detect, Correct) or PPT (People, Process, Technology) and an Adaptive Approach to find the root cause of the problem.
PDC becomes PDCA:
- Prevention — Think like a Security Architect (Focus more on design and plan)
- Detection — Think like a Security Engineer (Attack/Defense thinking and Finding the real threats)
- Correction — Think like a Security Consultant (Resume Business Continuity improvement)
- Adaptation — Think like a Security Forensic Investigator (find the root cause after the event)
- XDR (Extended Detection and Response)
The time frame between a Zero-day vulnerability is discovered, and it is remediated take weeks or even months. That is also the exposure period: the time length when the organization is possible to be attacked.
Once the vulnerability is disclosed, the solution provider would release the detection script or IoCs (Indicator of Compromise) for companies to gain visibility against the security issue. Measures that can achieve this goal include:
- Vulnerability scanning
- SIEM correlation tool for backtracing
- Threat intelligence service that provides the latest threat feed
There will always be a window of vulnerability before any of the above could take place. Companies need to arrange a suitable time for scanning, for example, without disrupting business operations.
Nowadays, hackers have distributed attack tools that empower them to launch automated attacks as soon as they are disclosed. The increasing automation levels are shortening the time it takes for them to take advantage of vulnerable systems, so organizations’ pressure to reduce the length of exposure time is climbing.
As a result, the best defense for detecting and mitigating Zero-day vulnerabilities comes down to how fast you can catch and diagnose your systems without having to wait for the next scanning window.
That makes SIEM and intelligence feed so valuable against Zero-day attacks. With proper integration, the detection and backtracing could become automated and thus improve the response time. They leverage existing tools like vulnerability scanners and SIEM to work with all the sensors in places such as endpoints and firewalls that could be much more comfortable with automation.
According to analyst firm Gartner, Extended Detection and Response (XDR) is:
“A SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
Hopefully, although still at an early stage, we could soon put XDR into real practices that enhance the visibility and operability of available security tools. XDR also provides unified visibility across multiple attack vectors and thus enables an organization to adopt proactive protection.
Final Words
Zero-day attacks can pose a serious risk to organizations, especially if they are not prepared. However, when organizations could act swiftly before, during, and after an incident, they can stay one step ahead of hackers and have confidence in their infrastructure's cybersecurity.
Cyber Hygiene has become more crucial than ever. As hackers only need one weakness to get access into the system, the fundamental measures should be taking care of by not cybersecurity practitioners only but everyone. With good cyber hygiene in place, attack vectors could be reduced and thus achieve risk mitigation.
If you understand the adopted software development lifecycle, the assumption of an unavoidable Zero-day attack is valid in most software that we use nowadays. The concept of Cyber Resiliency makes use of that and takes a holistic approach to cybersecurity. Adaptation against different risks should be considered.
Risk Adaptation involves the security team thinking like the forensic investigator and finding the root cause to review and strengthen the security posture against future attacks. That is why threat hunting is not just for security researchers anymore.
Time is the key when it comes down to Zero-day attack detection and protection. As the shorter the time frame before a vulnerability is patched, the less time for hackers to exploit. As a result, the prime focus for organizations should be to reduce the time window for attacks.
Technology like XDR could be the solution for such. With too many alerts and events in a day, the security team must spot and stop the utmost threat as quickly as possible. XDR could be the framework to use technology that is not ready before, like threat prioritization and remediation assisted by AI, to gain better visibility and control in one place.
Thank you for reading. May InfoSec be with you🖖.
Previously published here.