SolarWinds. Log4Shell. Heartbleed. Colonial Pipeline. These headline-making cyberattacks of recent years have one thing in common: They are all examples of zero-day exploits.

Zero-day exploits are an especially dangerous form of hacking because they use vulnerabilities that were previously unknown and for which no patch yet exists. Depending on the company, the time between breach and fix can span days, weeks, months, or even years as hackers lie in the shadows and plot their attack.

It’s a growing problem. Ransomware affected 649 critical infrastructure organizations in 2021, according to the FBI’s latest annual Internet Crime Report. The Ponemon Institute says up to 80% of successful breaches are zero-day attacks.

“One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools,” a report by MIT Technology Review said. “Powerful groups are all pouring heaps of cash into zero-days to use for themselves and they’re reaping the rewards.” Many of those groups are state sponsored.

Given the severity of the threat, it is necessary for organizations to take a proactive and comprehensive approach to warding off zero-day exploits. That strategy should include the following five parts.

1. Strong security hygiene in software development

In today’s fast-paced, multi-faceted development environment, it has become more difficult than ever to avoid introducing vulnerabilities at some point. The heavy use of modular components means that developers often use resources they don’t even control, such as open source and other third-party code and tools. This means it is inherently difficult to identify every possible hole.

As a result, it is critical for organizations to double down on their efforts to uncover vulnerabilities. For example, penetration testing to assess security across the software pipeline should be standard practice at every company. Another smart move is to use bounty hunters, white-hat hackers hired to detect vulnerabilities in a company’s infrastructure that bad actors could exploit.

Companies also can and should continuously scan their systems and data over time to identify compromises as soon as they happen and remediate quickly. 

These kinds of internal controls may not be able to stop every vulnerability, but they can go a long way in detecting unseen errors introduced in development that can lead to big security problems down the road.

2. Zero trust security

Zero trust is a “trust no one, always verify” security architecture that assumes everything in an enterprise is a possible attack vector. It differs from the traditional “trust but verify” model, which gives users or devices with basic credentials wide access to digital assets. Instead, zero trust restricts access to the minimum set of users and devices, places time constraints on privileged access, and treats every access point as a potential point of breach.

Though zero trust has traditionally been viewed as a network security model, its principles apply to data security and to security architecture in general. Zero trust is a strong model for defending data across enterprise, cloud and Software as a Service workloads.

While zero-trust security doesn’t protect networks from every possible attack, it lowers risk and accelerates threat detection. Every organization, regardless of size or industry, would be wise to adopt it.
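As an added illustration that is not part of the original article, the following Python sketch contrasts a perimeter-style “trust but verify” check (anything from an inside address gets in) with a default-deny, zero-trust decision that requires a verified identity, a current device posture check and an explicit, time-bounded grant for the exact resource and action. All class names, the address range, the posture-age limit and the sample users, devices and grants are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Added example, not from the article. All names and sample values are constructed.

CORP_NET = ip_network("10.0.0.0/8")     # constructed "inside" range used by the legacy model
POSTURE_MAX_AGE = timedelta(hours=1)    # how long a device posture check stays valid


@dataclass(frozen=True)
class Principal:
    user_id: str
    mfa_verified: bool        # identity verified for this session, not just a password
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in device management
    disk_encrypted: bool
    last_posture_check: datetime


@dataclass(frozen=True)
class Grant:
    user_id: str
    resource: str
    actions: frozenset
    expires_at: datetime      # privileged access is time-bounded


def legacy_perimeter_allow(src_ip: str) -> bool:
    """'Trust but verify': anything inside the corporate range is allowed."""
    return ip_address(src_ip) in CORP_NET


def zero_trust_evaluate(principal, device, grants, resource, action, now):
    """Default deny: identity, device posture and an explicit, unexpired grant are all required.
    Network location is deliberately not an input."""
    if not principal.mfa_verified:
        return False, "identity not verified"
    if not (device.managed and device.disk_encrypted):
        return False, "device posture failed"
    if now - device.last_posture_check > POSTURE_MAX_AGE:
        return False, "device posture stale"
    for g in grants:
        if (g.user_id, g.resource) != (principal.user_id, resource) or action not in g.actions:
            continue
        if now >= g.expires_at:
            return False, "grant expired"
        return True, "explicit grant"
    return False, "no matching grant (default deny)"


def demo():
    """Run both models over constructed scenarios and return the decisions."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    alice = Principal("alice", mfa_verified=True, roles=frozenset({"dba"}))
    healthy = Device("lt-1", managed=True, disk_encrypted=True,
                     last_posture_check=now - timedelta(minutes=10))
    rechecked = Device("lt-1", managed=True, disk_encrypted=True,
                       last_posture_check=now + timedelta(hours=3))
    unmanaged = Device("byod-7", managed=False, disk_encrypted=False, last_posture_check=now)
    grants = [Grant("alice", "prod-db", frozenset({"read", "write"}),
                    expires_at=now + timedelta(hours=2))]
    later = now + timedelta(hours=3)
    return {
        "legacy_inside": legacy_perimeter_allow("10.2.3.4"),       # allowed on location alone
        "legacy_outside": legacy_perimeter_allow("203.0.113.9"),
        "zt_ok": zero_trust_evaluate(alice, healthy, grants, "prod-db", "write", now),
        "zt_unmanaged": zero_trust_evaluate(alice, unmanaged, grants, "prod-db", "read", now),
        "zt_wrong_action": zero_trust_evaluate(alice, healthy, grants, "prod-db", "drop", now),
        "zt_stale": zero_trust_evaluate(alice, healthy, grants, "prod-db", "read", later),
        "zt_expired": zero_trust_evaluate(alice, rechecked, grants, "prod-db", "read", later),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the contrast is the inputs: the legacy check consults only the source address, while the zero-trust evaluator never sees it and instead fails closed on any missing factor, so an unmanaged device on the inside network or a grant that has lapsed is refused with a reason that can be logged.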

3. Rigorous patching practices

Zero-day exploits begin with previously unknown vulnerabilities. In fortunate cases, patches are issued to plug the vulnerabilities before a successful attack is made. But it’s up to companies to apply them.

In 2020, the FBI charged four Chinese military-backed hackers with executing a 2017 cyberattack against consumer credit reporting agency Equifax that led to the largest known theft of personally identifiable information ever carried out by state-sponsored actors. The attackers initially gained access through a consumer complaint web portal by using a widely known vulnerability that the company never patched.

Monitoring and administering patches can be a very time-consuming and tedious task. However, as onerous as it can be, organizations have no choice but to develop solid patching discipline. An ounce of prevention is worth a pound of cure.
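A small patch-compliance check, added here as an example and not taken from the article: it compares installed package versions from a constructed inventory against constructed advisories (placeholder ids, not real CVE numbers) and flags every host still running a version below the fixed release, together with how long the advisory has been open against a patching SLA. Package names, host names, versions and dates are all invented for the example.

```python
from datetime import date

# Added example with constructed data; advisory ids, package and host names are placeholders.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "examplelib", "fixed_in": "2.17.1",
     "published": date(2024, 1, 5)},
    {"id": "ADV-PLACEHOLDER-002", "package": "webportal", "fixed_in": "5.2.0",
     "published": date(2024, 2, 20)},
]

INVENTORY = [
    {"host": "app-01", "package": "examplelib", "version": "2.14.0"},
    {"host": "app-02", "package": "examplelib", "version": "2.17.1"},
    {"host": "portal-01", "package": "webportal", "version": "5.1.9"},
    {"host": "portal-02", "package": "webportal", "version": "5.10.0"},
]


def parse_version(v):
    """Split '5.10.0' into (5, 10, 0). Trailing non-digits in a component are dropped ('1b' -> 1)."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(installed, fixed):
    """Numeric, component-wise comparison; plain string comparison would rank '5.10' below '5.2'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched(inventory, advisories, today, sla_days=30):
    """Return one finding per (host, advisory) where the installed version predates the fix."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["package"] != item["package"]:
                continue
            if version_lt(item["version"], adv["fixed_in"]):
                days_open = (today - adv["published"]).days
                findings.append({
                    "host": item["host"],
                    "advisory": adv["id"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "days_open": days_open,
                    "overdue": days_open > sla_days,
                })
    return findings


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES, date(2024, 3, 1)):
        state = "OVERDUE" if f["overdue"] else "open"
        print(f"{f['host']}: {f['advisory']} installed {f['installed']} < {f['fixed_in']} "
              f"({f['days_open']} days, {state})")
```

In practice the inventory would come from a package manager or asset database and the advisory list from a vendor feed, but the discipline the article calls for is the same: a repeatable comparison that produces a dated, per-host list of what is still exposed, rather than relying on memory of what was patched.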

4. Training

This is another area that requires considerable time and effort, but employee education is a must to reduce the risk of zero-day and any other attacks. The best training is across the board, from phishing attack awareness programs to helping developers understand what they can do to avoid security shortcuts.

Every company, no matter its size or industry, should assume it is a potential target and be aggressive in training employees to help protect against attack.

5. Recovery plan

Unfortunately, despite the four measures above, an attack can still happen. That is simply the reality of today’s threat landscape and of the continued use of outdated legacy technology that was never designed with security in mind. Organizations therefore need a plan in place in case a zero-day attack happens.

Questions companies should be asking themselves include: Do we know where all our data resides, especially the most sensitive data? (Astonishing numbers of companies lack that full understanding.) Do we have a well-crafted recovery and backup plan? Do we have a default process outlining what steps need to be taken, in what order, led and executed by whom? How quickly can we recover? Have we tested our recovery practices to prepare for a real-life scenario?

If the answer to any of those is no, a company will surely have more trouble bouncing back from a zero-day attack than is necessary.

Zero-day exploits are some of the nastiest cybersecurity surprises an organization can face, but as these five points show, it is possible to prepare for the unexpected. Remember: The defense needs to be as aggressive as the threat.