Proactive threat hunting is vital to zero-day vulnerability management

It’s well-known that zero-day vulnerabilities pose critical security risks until an effective patch is issued. But, patching a vulnerability doesn’t guarantee that an environment hasn’t already been exploited. It’s possible, even likely, that attackers found that zero-day vulnerability long before it was discovered or disclosed. Public disclosure is often delayed until patches are available, so attackers may have been in your environment for months, or even years, waiting for the right time to use the access they gained. This is especially important given the potential threats of cyber warfare from Russian threat actors, nation-state and criminal alike, launched against Ukraine and their supporters.

Vulnerabilities are Part of Software Development

The goal of software development is always to build and release high-quality, secure software. However, vulnerabilities are still introduced into the codebase unintentionally. This happens more often than you may think — every change in code or new product release may introduce a new vulnerability. There are a lot of variables as teams deploy code, moving fast to deliver to an increasingly demanding market. Many tools and training solutions can help reduce the likelihood of new vulnerabilities being introduced, yet it still happens. Risk Based Security released a report showing that 28,695 vulnerabilities were disclosed in 2021, a 23% increase from 2020. While vulnerabilities vary in terms of severity and exploitability, it’s undeniable that they continue to be discovered and disclosed.

It’s Time for a New Approach to Thinking About Risk

Unfortunately, the date of disclosure isn’t the date the vulnerability was first exploited. Malicious actors actively search for zero-day vulnerabilities — you may have no idea that they’re in your environment until you discover evidence through proactive hunting or they launch an attack that causes a critical incident for your organization. Even once such a vulnerability is found, disclosed, and patched, there’s no guarantee that it hasn’t already been exploited. Attacker dwell time, or the length of time a bad actor remains undetected in your system, affords them time to observe, discover weaknesses, and move laterally in your system.

A proactive approach to zero-day vulnerabilities is conducting hunts based on the assumption that your organization has already been breached using one or more zero-day vulnerabilities. During these hunts, investigators search for forensic pieces of data that identify potentially malicious activity within your system or network, commonly referred to as indicators of compromise (IOCs). Proactive threat hunting uses an investigation team’s analysis of known adversaries to create a hypothetical attack focused on an area likely to be compromised, often containing sensitive data, source code, or something similarly valuable to the organization. Proactively hunting for threats can leverage technology and automation to search for threats automatically based on known vulnerabilities, the forensic footprint of vulnerabilities, and available threat intelligence. Combined with a skilled team that can identify which scenarios to search for, you can maximize your effectiveness when seeking unknown compromises. It’s important to run these types of hunts periodically and change the hypotheses you’re investigating to keep up with changing threats and your own changing environment.

Patching is Still Important

While adopting a proactive approach by assuming your organization has been breached by zero-day vulnerabilities and searching for IOCs is important, it doesn’t take the place of patching known vulnerabilities. Some attackers search for vulnerabilities before they’re disclosed, while others are incredibly quick to exploit a new vulnerability when it is disclosed. The Log4j vulnerability, for example, quickly resulted in Log4Shell exploitations extensively in the wild because it was easy to exploit with public exploits available. Attackers don’t just rely on newly released vulnerabilities though. They don’t need to. Many organizations fail to patch known vulnerabilities for years, offering an easy attack vector for attackers.

To build a more secure organization that can react quickly to newly disclosed vulnerabilities, it’s important to leverage existing prevention solutions, adopt a zero-trust posture, and close security holes opened by new vulnerabilities as quickly as possible. That’s not enough — you also need to focus on detection and response to discover backdoors and IOCs. Today, as we see ongoing attacks integrated into cyber warfare from nation-state actors and cybercriminals, it’s likely that the impacts will reach far beyond the physical borders of any conflict. To prepare for a potential cyberattack, you need to increase your ability to detect, patch, and remediate against an increase in zero-day vulnerabilities, proactively look for new IOCs and run them against your environment, stay up to date on relevant threat intelligence, run drills and exercises, so your team is ready to respond, and have data recovery and incident response plans in place. This readiness approach will increase your resilience and reduce the severity of impact if a critical incident occurs.

Ariel Parnes is a co-founder and COO of Mitiga, a startup cloud incident readiness and response. He leads Mitiga’s cybersecurity research, readiness, and incident response teams. A retired Colonel in the Israeli Defense Forces’ 8200 Cyber Unit, Col. Parnes served for over 20 years in roles ranging from Intelligence and Information Technology to Offensive & Defensive Cyber Operations and Cyber Warfare. He was awarded the prestigious Israel Defense Prize for technological breakthroughs in the cyber field.