“Facing fear is better than running from it,” he said. “What if it’s fear you can’t beat?” “Then it might be better to be dead,” he answered.” ― David Baldacci, Zero Day If we talk about a Zero-day attack, people would probably think of the “SunBurst.” Companies are driven by fear and increase the budget on the most advanced technology to detect and hopefully stop becoming the next Solarwind or Fireye. Read it here . And yet, Zero-day attacks keep happening. The recent vCenter vulnerability exposed threats against 6,700 unpatched machines online. To explain this situation's cause, it is worth mentioning how this happens and how to prepare for the next Zero-day attack is more than essential. Zero-Day 101: (pronounced as “O” day) is a software defect that is possibly being abused in various ways and, most importantly, unknown to the targeted software. A Zero-day vulnerability The term indicates an attack situation in which a vulnerability Zero-day Attack is exploited and unknown to the target software. According to NIST, , a Zero-day attack is: NISTIR 8011 Vol. 3 "An attack that exploits a previously unknown hardware, firmware, or software vulnerability." “You Can’t Protect What You Can’t See.” The Zero-day vulnerability is recognized as the most dangerous way for infection. It is because there is less chance that the targeted system could detect and respond to the attack. Unlike other attack methods, a Zero-day attack is less dependent on the human factor (i.e., user awareness, social engineering). Use phishing email attacks as an example requires the targeted users to interact with the email, whether to download it, open the attachment, or click on a link. Oppositely, a Zero-day exploit would attack the flaw in the targeted software/ hardware directly. And thus hidden in the background and hard to detect. Types of Zero-Day Vulnerability In general, we can separate Zero-day vulnerability into two types: public and private. A private Zero-day vulnerability is only known to its “discoverer” and privately shared with whomever they have shared it. Elite cyberespionage groups, usually state-sponsored, mostly own the methodologies or attacks that exploit such vulnerabilities. On the other hand, if a vulnerability is discovered via a leak or disclosure, or publication by a security researcher, it is claimed publicly. In a sense, a public Zero-day could be a significant threat to an organization than a private one, especially the exposed rather than published vulnerability. Once that vulnerability goes into the wild, no matter if the patch is released, it turns into a competition between: Attackers who are trying to find the vulnerable hosts and create exploits for the targets, and; The targeted system needed to be fix or patch. The time window leads to an opportunity for attackers to abuse while targets out there are still exploitable. This race against time is what we called a One-day or N-day attack. Zero-Day Events A hacking group known as the Shadow Brokers leaked hacking tools and exploits of the United States National Security Agency (NSA) in April 2017. The leaked tools — EternalBlue exploit quickly turned into weapons for hackers. EternalBlue was the most well-known Zero-day attack. One of them is an exploit for a Microsoft Server Message vulnerability (CVE-2017–0144). The attacker can execute arbitrary code remotely in the compromised system using the weapon. led to massive ransomware campaigns from May to August 2017, including malware such as the most famous WannaCry, Petya, and others. This “once-and-for-all” weapon Although Microsoft had already 2017 also became the year of ransomware that posed significant security impacts worldwide, including utilities and transportation systems due to the massive number of windows machines that remained unpatched. patched the EternalBlue exploit one month before the leak, Nevertheless, this painful situation's bright side provided the most compelling reason for any enterprises to take a more proactive approach to , such as routinely software updates and reviews. cyber hygiene practices VMware’s latest Zero-Day with CVSS 9.8/10 Recently, CVE-2021–21972 was exposed by security researchers. VMware has taken this issue very seriously and has (The Common Vulnerability Scoring System (CVSS) is an open framework for quantitation of characteristics and severity of vulnerabilities, sponsored by CISA.) a vulnerability regarding VMware vCenter ( ) assigned a CVSS of 9.8 out of a maximum of 10. VMware is now urging customers to update their systems as soon as possible. According to , more than 6,700 vCenter servers are currently vulnerable online, allowing hackers to control the unpatched systems and even the entire network. a Shodan query Because of a vCenter server’s central role inside corporate networks, the matter was classified as highly critical and privately reported to VMware, which released official patches on February 23, 2021. As the number of companies that run vCenter on their network is vast, security firm Positive Technologies, who discovered the vulnerability, initially planned to keep details about the bug secret to prolonging system administrators’ time to test and apply the patch. The problem was raised seriously The one-line cURL request code then ultimately shortened companies grace period to patch. Also, hackers saved a large amount of time to write the scanning script for target searching. when a Chinese researcher posted the proof-of-concept code online. Since the PoC code is now out in the open, on the bug, so security teams can (backtracing). Positive Technologies has also chosen to publish an in-depth technical report learn how to exploit work and prepare additional defenses or forensics tools to detect past attacks VMware vCenter servers play a critical role in enterprise networks; a compromise of this layer could provide attackers access to any system that is connected or managed by it. With that in mind, hackers are trying to launch against a high-value target, like vCenter, to sell underground cybercrime forums to cybercriminals for Supply-Chain Attacks or Watering Hole Attacks “once-and-for-all” attack campaign. How to Protect Against Zero-day Attacks Zero-day exploits are a great challenge for even the most vigilant security practitioners. However, the proper defenses in place can considerably reduce the risks to critical systems. Cyber Hygiene — keeping the attack vector minimal, continuing education, — can that most likely involve human interactions. Good Cybersecurity hygiene maximizing visibility to the system, and patching dramatically reduce the security risk against the first step of most cyber attacks Cyber Hygiene, which leverages the concept of public health and uses it in the cyber world, emphasizes systematic IR triage: Prevention, which is the most fundamental element against all illnesses, is also the most effective measure for unknown and latest threats. PDC — Prevent, Detect, Correct . What you do good in daily healthcare routines should also move into your cyber self. In this case, washing your hands can be interpreted as the action of logging out of your account and shut down the machines after using it. To wash hand online = Minimizing attack vector by a fundamental-first strategy. To find potential health problems, do regular health-check = Regular Vulnerabilities Scanning+Shift-left To keep fit = Security updates and patches. To get well soon = Encryption + Backup + IR process Cyber Resiliency In cybersecurity, we have that enhances adaptation of the overall cybersecurity posture. According to — A Systems Security Engineering Approach , it defined cyber resiliency as: Cyber Resiliency NIST SP800–160 Vol.2 (Developing Cyber Resilient Systems ) “The ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that include cyber resources.” Cyber Resiliency is different from security defense. It is about knowing bad things will happen. The question is not about if but when. To become cyber resilient, the scope of protection would more than the “Crown Jewels.” It involves a more prominent coverage: the ecosystem of the business or organization. , so we need to be well prepared for the impacts and learn from them. I mentioned using the PDC security mindset. But there is one puzzle missing — to threats In Cyber Resiliency, we assume that attacks are unavoidable Adaptation . Prevent, Detect, Correct, (Do not mix it up with Plan-Do-Check-Act!) should be the better approach against fast-changing malicious activities. To add adaptation into the picture, we need a different approach. PDCA: and Adapt In a , we adopt security mindset in frameworks like or and an Adaptive Approach to find the root cause of the problem. holistic cybersecurity approach PDC (Prevent, Detect, Correct) PPT (People, Process, Technology) PDC becomes PDCA: Prevention — Think like a Security Architect (Focus more on design and plan) Detection — Think like a Security Engineer (Attack/Defense thinking and Finding the real threats) Correction — Think like a Security Consultant (Resume Business Continuity improvement) Adaptation — Think like a Security Forensic Investigator ( find the root cause after the event) XDR (Extended Detection and Response) The time frame between a Zero-day vulnerability is discovered, and it is remediated take weeks or even months. That is also the exposure period: the time length when the organization is possible to be attacked. Once the vulnerability is disclosed, the solution provider would release the (Indicator of Compromise) for companies to gain visibility against the security issue. Measures that can achieve this goal include: detection script or IoCs Vulnerability scanning SIEM correlation tool for backtracing Threat intelligence service that provides the latest threat feed . Companies need to arrange a suitable time for scanning, for example, without disrupting business operations. There will always be a window of vulnerability before any of the above could take place Nowadays, hackers have distributed attack tools that empower them to launch automated attacks as soon as they are disclosed. The increasing automation levels are shortening the time it takes for them to take advantage of vulnerable systems, so organizations’ pressure to reduce the length of exposure time is climbing. As a result, the best defense for detecting and mitigating Zero-day vulnerabilities comes down to how fast you can catch and diagnose your systems without having to wait for the next scanning window. That makes SIEM and intelligence feed so valuable against Zero-day attacks. With proper integration, the detection and backtracing could become automated and thus improve the response time. They leverage existing tools like vulnerability scanners and SIEM to work with all the sensors in places such as endpoints and firewalls that could be much more comfortable with automation. According to , ( ) is: analyst firm Gartner Extended Detection and Response XDR “A SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” Hopefully, although still at an early stage, we could soon put XDR into real practices that enhance the visibility and operability of available security tools. XDR also provides unified visibility across multiple attack vectors and thus enables an organization to adopt proactive protection. Final Words Zero-day attacks can pose a serious risk to organizations, especially if they are not prepared. However, when organizations could act swiftly before, during, and after an incident, they can stay one step ahead of hackers and have confidence in their infrastructure's cybersecurity. has become more crucial than ever. As hackers only need one weakness to get access into the system, the fundamental measures should be taking care of by not cybersecurity practitioners only but everyone. With good cyber hygiene in place, attack vectors could be reduced and thus achieve risk mitigation. Cyber Hygiene If you understand the adopted software development lifecycle, the assumption of an unavoidable Zero-day attack is valid in most software that we use nowadays. The concept of makes use of that and takes a holistic approach to cybersecurity. Cyber Resiliency Adaptation against different risks should be considered. Risk Adaptation involves the security team t to review and strengthen the security posture against future attacks. That is why threat hunting is not just for security researchers anymore. hinking like the forensic investigator and finding the root cause when it comes down to Zero-day attack detection and protection. As the shorter the time frame before a vulnerability is patched, the less time for hackers to exploit. As a result, the prime focus for organizations should be Time is the key to reduce the time window for attacks. could be the solution for such. With too many alerts and events in a day, the security team must spot and stop the utmost threat as quickly as possible. XDR could be the framework to use technology that is not ready before, like threat prioritization and remediation assisted by AI, to gain better visibility and control in one place. Technology like XDR Thank you for reading. May InfoSec be with you🖖. Previously published here .

Chain

Microsoft

Target

Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.

2021 - HackerNoon Contributor of the Year - CULTURE

2022 - HackerNoon Contributor of the Year - Beginners Guide

2022 - HackerNoon Contributor of the Year - Containers

2022 - HackerNoon Contributor of the Year - Cybersecurity

2022 - HackerNoon Contributor of the Year - Data Privacy

2022 - HackerNoon Contributor of the Year - Privacy

2022 - HackerNoon Contributor of the Year - Security

Support Me on Coil

2021 - HackerNoon Contributor of the Year - PERSONAL-DATA

Nominated for 2022 - HackerNoon Contributor of the Year - Cybersecurity

Nominated for 2022 - HackerNoon Contributor of the Year - Security

Nominated for 2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Beginners Guide

Nominated for 2022 - HackerNoon Contributor of the Year - Containers

Nominated for 2022 - HackerNoon Contributor of the Year - Data Privacy

Too Long; Didn't Read

Questions about cloud security? Get answers here.

“You Can’t Protect What You Can’t See.” Cyber Hygiene and Zero-Day Vulnerability

“You Can’t Protect What You Can’t See.” Cyber Hygiene and Zero-Day Vulnerability

Too Long; Didn't Read

Companies Mentioned

Coin Mentioned

Zen Chan

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

“You Can’t Protect What You Can’t See.” Cyber Hygiene and Zero-Day Vulnerability

Too Long; Didn't Read

Companies Mentioned

Coin Mentioned

Zen Chan

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES