How to Reduce the Risk and Impacts from Zero-Day Exploit Attacks

A zero-day exploit attack occurs when criminals discover a software vulnerability that is 
unknown or unpatched by the software provider. According to MIT, zero-day exploit attacks 
reached record highs in 2021, which is not surprising since these attacks almost guarantee 
access to the victim’s environment.

HOW DO ZERO-DAY EXPLOIT ATTACKS WORK?
When a new vulnerability is discovered in software, SaaS apps, or even the underlying code libraries (think Log4J), criminals will try to exploit this security gap and attack before you – or the software manufacturer – even realize there is a problem. 

Once criminals know there is a vulnerability, they will quickly use these zero-day exploits to gain a 
foothold in your environment. From there, they can install malware, execute commands, steal data 
and credentials, and move laterally to expand their reach and privilege.

HOW TO REDUCE YOUR RISK FROM ZERO-DAY EXPLOIT ATTACKS
While you can’t really prevent zero-day attacks, there are things you can do to minimize the 
potential damage.

1. IMPLEMENT PERIMETER SECURITY TECHNOLOGY
   Perimeter security solutions, including network and application firewalls and IDS/IPS can significantly reduce the risk of zero-day exploit attacks by filtering traffic and blocking malicious activity. Configure perimeter security solutions to automatically update so that you are quickly protected against the latest threats.
   
   
2. STRENGTHEN YOUR SOFTWARE PATCH MANAGEMENT PROCESSES
   While you may not be able to prevent the initial zeroday attack, many organizations are attacked weeks or months after a patch is available. According to a survey conducted by the Ponemon Institute, 42% of the respondents that had been breached stated that the cause was a known, unpatched vulnerability for which a patch was available but not applied.
   
   Many organizations have a patch management policy that calls for monthly or bimonthly patching cycles. But hackers are actively trying to exploit vulnerabilities within hours or days. Reduce your risk by updating your patch management policies and procedures to ensure quicker patching for critical vulnerabilities. In addition, verify all patches. Many organizations think they have successfully patched their software, only to find out later the patch failed (this is often discovered 
   when they experience a resulting data breach). 
   
   If you need help optimizing your software patch management program, read our software patch 
   management tips.
   
   
3. SEGMENT YOUR NETWORK & LIMIT ACCESS
   Criminals can’t exploit what they can’t access. Unfortunately, poor network segmentation is still very common. Segment your network to severely limit access to sensitive data and systems, isolate any insecure systems (for example, legacy software/equipment), then ensure everyone in the organization has only enough access to do their particular job. This will limit a criminal’s 
   ability to move laterally and expand their access within your organization’s environment.
   
   
4. SUBSCRIBE TO EXPLOIT INTELLIGENCE SERVICES AND KEEP AN EYE ON CYBERSECURITY NEWS
   It’s important to act quickly when exploits are announced. If an exploit is announced before a patch 
   is available, be extra vigilant about reviewing your logs and begin proactive threat hunting until you can patch the vulnerability. Many organizations have cybersecurity alert lists or publish this information in their newsletters. You can sign up for our alerts and newsletter list, use a 
   threat intelligence service, and watch the cybersecurity news sites for mass exploit alerts.
   
   
5. ENHANCE YOUR MONITORING AND LOGGING POLICIES
   Ensure that logging is turned on and set appropriate retention rates. Consider centralizing your logs using a commercial tool or open-source products such as Elkstack/Kibana. Ensure you are monitoring your logs. This is one of the quickest ways to identify unusual activity 
   and find zero-day exploit attacks. For tips, watch our video on monitoring and logging.
   
   
6. CONDUCT PROACTIVE THREAT HUNTING
   If you don’t have a threat hunting program or tools in place, you should. This is becoming one of CISA’s top risk reduction recommendations when a zero-day exploit is announced. Since many zero-day exploits can bypass antivirus software, threat hunting for unusual activity enables you to see if an attacker is lurking in your environment. For more information on how to get started, read our blog on threat hunting.
7. GET A RISK ASSESSMENT
   A cybersecurity risk assessment involves identifying what you need to protect (i.e., sensitive data, critical systems) and the vulnerabilities and potential threats associated with those assets. It can identify additional security controls that can reduce the likelihood and mitigate the impact from zero-day exploit attacks; it will also help you improve your overall security posture. Read 
   tips for how to get the most out of your risk assessment.
   
   
8. ASK YOUR SOFTWARE VENDORS FOR A SOFTWARE BILL OF MATERIALS (SBOM)
   What is a Software Bill of Materials (SBOM)? It is an inventory of all software components and code bases, which can include: open-source software, dependencies, packages, vendor agents, SDKs, APIs, and more that are used in a software program. Having this information ensures you know what’s in your environment, and it can help you quickly identify if you are at risk from a software code library exploit (like Log4j). A 2021 Executive Orderrequires federal agencies to get SBOMs from vendors, and it’s smart to make this a requirement for your vendors. 
   Read our blog on SBOMs for more information on how to incorporate this tool into your cybersecurity plan.
   
   This blog is provided to NCB from LMG Security.