Thursday, January 6th, 2022
Zero Day Vulnerabilities: Reduce Impact
Last year, we saw a rise in the number of reported zero-day incidents. The Zero-day tracking project reported 83 zero-day vulnerabilities discovered in 2021, a significant jump from the 38 identified in 2020. Most recently we have seen the Log4j zero-day vulnerability, which unfortunately will likely take years to remediate because of how widely the logging software component is used in applications and services. We have already seen this vulnerability exploited to deploy ransomware, and Microsoft has recently warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j ‘Log4Shell’ flaw through December.
A “0-day” vulnerability is typically a potentially exploitable security defect in software that enables cybercriminals to bypass the software’s security defences and cause significant damage. It is essentially an attack vector that a malicious actor can use to initiate their attack. The name reflects that the software vendor has had zero days to create a solution: by the time this type of vulnerability has been discovered, there are zero days left to repair any damage from it. A zero-day exploit refers to the actual practical method of taking advantage of the vulnerability.
The Smarttech247 Cybersecurity Insights for 2022 Report found that the increasing adoption of cloud applications, a hybrid environment and a reliance on one vendor to provide multiple products or services, has ushered in a new era for recalculating cybersecurity risks. Generally, products that are produced by the same vendor are developed using the same tools and processes, and in essence, may contain shared components. As such, if a zero-day vulnerability is identified in a shared component, the organisation is left very exposed to cyberattacks which can result in data breaches.
The key to managing the continuously evolving advanced threat landscape is to realise that there is no one single security solution that can offer the perfect safeguard forever. To date, there is no such panacea in cybersecurity.
What companies can do is try to minimise the impact of potential zero-day attacks and employ preventative measures, including:
“The key to redundancy is independence.”
Diversification is key to managing risks. It is important to ensure that the various product solutions used within the company are not sourced from a single vendor only. A closed ecosystem of product suites offers a much less robust level of security control.
Enforce the principle of least privilege.
Access should be allocated on a need-to-have basis. Administrator privileges should be assigned to a limited number of accounts. All privileged users should have a standard account for business-as-usual operations, and privileged credentials should only be used when performing administrative tasks such as installing new software. This measure reduces the risk of lateral movement.
Maintain backups of critical systems.
Follow the 3-2-1 backup best practice. This means that there should be 3 copies of the data, 2 different storage types used, and 1 copy of the data should be offsite. It is critical to ensure all servers are up to date and no end-of-life server is still being used. Full backup restore tests should be done on a regular basis to ensure this measure remains effective.
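The 3-2-1 rule and the restore-test requirement above can be checked mechanically against a backup inventory. The following is an added example, not code from the original post or from Smarttech247; the `BackupCopy` record, the sample inventory and the 90-day restore-test threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                       # storage type, e.g. "disk", "tape", "object-storage"
    offsite: bool                     # True if the copy lives outside the primary site
    last_restore_test: Optional[date]  # None if a full restore has never been tested


def check_3_2_1(copies, today, max_test_age_days=90):
    """Evaluate an inventory against 3-2-1 plus regular restore testing.

    Returns a dict of failed checks; an empty dict means every check passed.
    """
    problems = {}
    # 3 copies of the data
    if len(copies) < 3:
        problems["copies"] = f"need 3 copies, have {len(copies)}"
    # 2 different storage types (copies on the same medium share failure modes)
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems["media"] = f"need 2 storage types, have {sorted(media)}"
    # 1 copy offsite
    if not any(c.offsite for c in copies):
        problems["offsite"] = "no offsite copy"
    # Every copy must have had a full restore test within the window
    stale = [c.name for c in copies
             if c.last_restore_test is None
             or (today - c.last_restore_test).days > max_test_age_days]
    if stale:
        problems["restore_tests"] = stale
    return problems


# Constructed sample inventories (assumed values, not from the post)
TODAY = date(2022, 1, 6)
SAMPLE_COPIES = (
    BackupCopy("primary", "disk", False, date(2022, 1, 3)),
    BackupCopy("nas", "disk", False, date(2021, 12, 20)),
    BackupCopy("cloud", "object-storage", True, date(2021, 10, 1)),  # 97 days old
)
WEAK_COPIES = (
    BackupCopy("primary", "disk", False, date(2022, 1, 3)),
    BackupCopy("nas", "disk", False, date(2022, 1, 3)),
)

if __name__ == "__main__":
    print(check_3_2_1(SAMPLE_COPIES, TODAY))  # only the stale restore test is flagged
    print(check_3_2_1(WEAK_COPIES, TODAY))    # fails copies, media and offsite checks
```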
Establish and regularly review the patch management programme.
All endpoints and security solutions such as anti-virus software should closely follow the vendor’s security update schedule. Security patches or updates should be automatically rolled out throughout the organisation as they become available.
Implement a layered approach to security.
- A sound firewall defence should be maintained and updated on a regular basis, and blacklist and whitelist rules should be reviewed periodically. Firewalls are a key aspect of network security, as they monitor incoming and outgoing network traffic to ensure that no unauthorised parties enter the network.
- An Intrusion Prevention System (IPS) can further monitor the network for suspicious activity by matching traffic against a database of known threat signatures.
- Conduct regular vulnerability scanning and penetration testing to ensure that any existing vulnerabilities are resolved before they can be exploited.
Define, implement and communicate an Incident Response Plan.
This plan should define the key roles and responsibilities, with contact information easily accessible. There should be a checklist outlining the steps needed to manage and respond to incidents depending on the severity.
Education is key. One of the most important defences against threats such as zero-day exploits is to ensure that the people within the organisation receive regular information security awareness training. This training should cover essential cybersecurity hygiene practices such as password security and awareness of social engineering tactics such as phishing emails.
The nature of zero-day threats brings to focus the security concept of zero trust, which is built on the core belief that organisations should always verify all connection requests to their network and systems. This model uses identity as the new security perimeter. This means that anything already inside the organisation’s network perimeter should not be automatically trusted. Every access request should require strong authentication such as multi-factor authentication. Prior to granting access, all access requests should be inspected for anomalies.
A Zero Trust framework is built upon an organisation’s architecture and adheres to three guiding principles: verify explicitly, enforce least-privilege access, and implement micro-segmentation to minimise a security incident’s blast radius. A zero-trust approach to security can further fortify an organisation’s security posture to better manage zero-day exploits.
Author: Mae Patlong, Information Security Consultant, Smarttech247