How to defend against zero-day vulnerabilities


A quick start out of the gate is an enormous advantage for sprinters, swimmers, jockeys and race car drivers alike. It’s also extremely valuable to cybercriminals. By exploiting a zero-day vulnerability before anyone else knows about it, cybercriminals gain an early window to infiltrate systems and achieve goals like stealing data or deploying ransomware while avoiding detection.

Attacks that exploit zero-day vulnerabilities cannot be prevented outright, but they can be faced with confidence. This article offers practical guidance on containing these threats by building a resilient IT infrastructure around three pillars: reducing the attack surface, detecting intrusions fast and responding effectively.

Dirk Schrader

Resident CISO EMEA and VP of Security Research at Netwrix.

The Frustration of Zero-Day Vulnerabilities

It is an inescapable fact that every operating system and software application has vulnerabilities that are not yet known to the vendor or to the organizations using the product. Another unhappy fact is that cybercriminals are constantly looking for these vulnerabilities, and when they find one, they begin working hard to find a way to exploit it.

Organizations need to come to terms with the reality that adversaries sometimes succeed in developing an effective zero-day attack and there is little they can do to prevent the initial strike. Instead, they must focus on blocking the escalation of the threat and preventing attackers from gaining access to precious data or establishing control over the whole system.

Essentially, exploitation of a zero-day vulnerability is just the first stage of a longer battle for control over your valuable digital assets. To win that battle, security teams must proactively reduce their exposure to attack, stay on top of vulnerabilities, master threat detection and response, and ensure they can restore operations quickly after an incident.

Reducing the Attack Surface

The first priority in reducing the risk from zero-day vulnerabilities is to minimize the attack surface. Core strategies that will help include disabling unneeded services, implementing a robust patch management process, and segregating your network into distinct segments to isolate critical systems and sensitive data.

Another critical best practice is configuring stringent access controls that adhere to the least privilege principle. Even if an attacker gets into the system, their ability to move laterally will be restricted, since each account has only the access rights necessary for the user to perform their tasks.

For an even more robust approach, standing highly privileged accounts can be replaced with just-in-time (JIT) elevated privileges that are granted only after additional verification and that last only as long as needed for the task at hand. Such an approach further limits the ability of an adversary to escalate privileges, because there is no permanently privileged credential to steal.

Discovering and Mitigating Vulnerabilities

What makes a vulnerability a zero-day is that adversaries discover and exploit it before the vendor knows about it, so no patch exists at the time of the first attacks. Once the vulnerability becomes known, software vendors usually provide a security patch or mitigation quickly. Unfortunately, many organizations fail to apply the recommended fix in good time, so they remain exposed far longer than necessary.

Accordingly, a robust patch management strategy is another vital element in reducing the attack surface. That strategy should include checking systems for unpatched vulnerabilities so they can be mitigated promptly. One option is a traditional patch management tool that scans systems on a schedule. However, as the number of software products in use has grown, a full scan now takes longer than ever before. Modern solutions instead use a "scan-less" discovery process: they maintain a real-time inventory of the software installed on each system and match it continuously against published advisories, flagging a vulnerable version as soon as either the inventory or the advisory data changes.
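The inventory-to-advisory matching described above comes down to comparing installed versions against affected version ranges. The following is an added example, not code from the article or from Netwrix: the product names, version ranges and advisory IDs are constructed for illustration, and the range format (first vulnerable version inclusive, first fixed version exclusive) is an assumption. It also shows why versions must be compared numerically rather than as strings, since "1.9.3" sorts after "1.10.0" lexically.

```python
"""Match a software inventory against vulnerability advisories by version range.

Added example, not from the article or from Netwrix. The product names,
version ranges and advisory IDs below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import zip_longest


def parse_version(text: str) -> tuple:
    """Split '1.10.2' into (1, 10, 2); a non-numeric suffix such as '3b' counts as 3."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison that treats '1.2' and '1.2.0' as equal (a string compare would not)."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return x < y
    return False


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real CVE
    product: str
    introduced: str    # first vulnerable version (inclusive)
    fixed: str         # first fixed version (exclusive)


def is_affected(version: str, adv: Advisory) -> bool:
    return not version_lt(version, adv.introduced) and version_lt(version, adv.fixed)


def find_exposures(inventory, advisories):
    """inventory: (host, product, version) tuples. Returns every install still in a vulnerable range."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product.lower(), []).append(adv)
    hits = []
    for host, product, version in inventory:
        for adv in by_product.get(product.lower(), []):
            if is_affected(version, adv):
                hits.append((host, product, version, adv.advisory_id))
    return hits


# Constructed sample data: hypothetical products and advisories.
ADVISORIES = [
    Advisory("ADV-0001", "AcmeAgent", "2.0.0", "2.4.1"),
    Advisory("ADV-0002", "WidgetServer", "1.0", "1.10.0"),
]
INVENTORY = [
    ("web01", "WidgetServer", "1.9.3"),   # below 1.10.0: vulnerable
    ("web02", "WidgetServer", "1.10.0"),  # first fixed version: clean
    ("db01", "AcmeAgent", "2.4.1"),       # fixed
    ("db02", "AcmeAgent", "2.3.7"),       # vulnerable
    ("jump01", "acmeagent", "1.9.9"),     # before the vulnerable range: clean
]

if __name__ == "__main__":
    for hit in find_exposures(INVENTORY, ADVISORIES):
        print("%s: %s %s affected by %s" % hit)
```

In a real deployment the inventory would come from the agent or package manager on each host and the advisories from a vulnerability feed; the matching logic stays the same, and re-running it whenever either side changes is what turns a periodic scan into continuous discovery.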

Detecting Threats in Their Early Stages

Attackers don't advertise the time and place of their next attack, but their tactics and techniques are documented in detail in public knowledge bases such as MITRE ATT&CK. Identity threat detection and response (ITDR) solutions leverage this knowledge, with a focus on detecting threats against identity and access control systems. Signs of these threats include bursts of failed logins, logins from unusual locations, suspicious access requests and privilege changes that were not planned. Detection of a threat can trigger automated responses such as blocking access and resetting credentials.
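The three signals named above (a burst of failed logins, a login from an unfamiliar country, and a privilege change with no approved change ticket) can be expressed as simple rules over an authentication event stream. The following is an added example and not code from the article or from any ITDR product: the event schema, the thresholds, the per-user country baseline and the change-ticket IDs are all constructed assumptions.

```python
"""Identity threat detection over constructed authentication and privilege events.

Added example; not the article's or any vendor's code. The event schema,
thresholds, country baseline and change-ticket IDs are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # this many failures for one user ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert

# Constructed baseline of countries each account normally signs in from.
KNOWN_COUNTRIES = {"alice": {"DE"}, "bob": {"DE", "US"}, "carol": {"US"}}
# Constructed set of approved change tickets (hypothetical IDs).
APPROVED_CHANGES = {"CHG-1042"}

# Constructed JSON-lines events (UTC timestamps, RFC 5737 documentation addresses).
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T08:00:00Z","user":"alice","type":"login","result":"fail","src_country":"DE","src_ip":"203.0.113.5"}
{"ts":"2024-05-01T08:01:00Z","user":"alice","type":"login","result":"fail","src_country":"DE","src_ip":"203.0.113.5"}
{"ts":"2024-05-01T08:02:00Z","user":"alice","type":"login","result":"fail","src_country":"DE","src_ip":"203.0.113.5"}
{"ts":"2024-05-01T08:03:00Z","user":"alice","type":"login","result":"fail","src_country":"DE","src_ip":"203.0.113.5"}
{"ts":"2024-05-01T08:04:00Z","user":"alice","type":"login","result":"fail","src_country":"DE","src_ip":"203.0.113.5"}
{"ts":"2024-05-01T08:05:00Z","user":"alice","type":"login","result":"success","src_country":"DE","src_ip":"203.0.113.5"}
{"ts":"2024-05-01T08:30:00Z","user":"carol","type":"login","result":"success","src_country":"US","src_ip":"198.51.100.7"}
{"ts":"2024-05-01T09:00:00Z","user":"bob","type":"login","result":"success","src_country":"KR","src_ip":"192.0.2.44"}
{"ts":"2024-05-01T09:15:00Z","user":"admin-ops","type":"privilege_change","target":"svc-backup","group":"Domain Admins","ticket":"CHG-1042"}
{"ts":"2024-05-01T09:30:00Z","user":"bob","type":"privilege_change","target":"bob","group":"Domain Admins","ticket":""}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with real datetimes, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_countries=KNOWN_COUNTRIES, approved=APPROVED_CHANGES) -> list:
    """Run the three rules over time-ordered events and return alert dicts."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window
    burst_users = set()                  # users already reported for a failure burst

    def alert(rule, ev, **extra):
        alerts.append({"rule": rule, "user": ev["user"], "ts": ev["ts"].isoformat(), **extra})

    for ev in events:
        user = ev["user"]
        if ev["type"] == "login" and ev["result"] == "fail":
            window = recent_failures[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:  # expire old failures
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and user not in burst_users:
                burst_users.add(user)
                alert("login_failure_burst", ev, src_ip=ev["src_ip"], failures=len(window))
        elif ev["type"] == "login" and ev["result"] == "success":
            if ev["src_country"] not in known_countries.get(user, set()):
                alert("unusual_country", ev, country=ev["src_country"], src_ip=ev["src_ip"])
            if user in burst_users:  # a success right after a burst suggests guessing paid off
                alert("success_after_failure_burst", ev, src_ip=ev["src_ip"])
        elif ev["type"] == "privilege_change":
            if ev.get("ticket") not in approved:  # no approved ticket: unplanned change
                alert("unplanned_privilege_change", ev, target=ev["target"], group=ev["group"])
    return alerts


def run_sample() -> list:
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample stream this yields four alerts: the failure burst for alice, the success that follows it, bob's login from a country outside his baseline, and bob adding himself to Domain Admins without a ticket. The approved change by admin-ops raises nothing, which is the point of correlating privilege events with change records.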

Organizations also need an endpoint detection and response (EDR) system. EDR complements ITDR by monitoring endpoints for potentially malicious activity and enabling prompt response to those threats.

Of course, if these solutions flag too many events as suspicious, security teams will be overwhelmed with false alerts. Accordingly, file integrity monitoring (FIM) is also crucial: by comparing the current state of files against a trusted baseline and against the record of approved changes, it can filter out planned system changes and empower IT teams to focus on swift response to unexpected ones.
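To make the baseline-plus-approved-changes idea concrete, here is an added example of a minimal FIM check; it is not code from the article or from Netwrix. The directory layout, the change-ticket format (a path glob plus a maintenance window) and the timestamps are constructed assumptions. A change inside an approved window for a matching path is reported as planned; everything else is reported as unexpected.

```python
"""File integrity monitoring against a baseline, with approved changes filtered out.

Added example; not the article's or Netwrix's code. The directory layout, the
change-ticket format and the maintenance window are constructed assumptions.
"""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full)
    return digests


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return sorted (path, kind) pairs with kind in {'added', 'modified', 'deleted'}."""
    changes = []
    for path in set(baseline) | set(current):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "deleted"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return sorted(changes)


def triage(changes: list, approved: list, now: datetime):
    """Split changes into planned (covered by an approved change window) and unexpected."""
    planned, unexpected = [], []
    for path, kind in changes:
        covered = any(
            fnmatch.fnmatch(path, a["path_glob"]) and a["start"] <= now <= a["end"]
            for a in approved
        )
        (planned if covered else unexpected).append((path, kind))
    return planned, unexpected


def demo():
    """Build a small tree, baseline it, make planned and unplanned changes, triage them."""
    now = datetime(2024, 5, 1, 22, 30, tzinfo=timezone.utc)
    approved = [  # constructed change ticket: a config rollout in a maintenance window
        {"ticket": "CHG-2001", "path_glob": "app/config.yml",
         "start": datetime(2024, 5, 1, 22, 0, tzinfo=timezone.utc),
         "end": datetime(2024, 5, 1, 23, 0, tzinfo=timezone.utc)},
    ]
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("app/config.yml", b"level: info\n")
        write("bin/agent", b"\x7fELF original\n")
        baseline = snapshot(root)

        write("app/config.yml", b"level: debug\n")                # planned, inside the window
        write("bin/agent", b"\x7fELF tampered\n")                 # unplanned binary change
        write("etc/cron.d/update", b"* * * * * root /tmp/x\n")   # unplanned persistence
        changes = diff_snapshots(baseline, snapshot(root))
    return triage(changes, approved, now)


if __name__ == "__main__":
    planned, unexpected = demo()
    print("planned:", planned)
    print("unexpected:", unexpected)
```

The baseline must be captured from a known-good state and stored where an attacker on the monitored host cannot rewrite it, otherwise the comparison proves nothing. In production the approved-change list would be fed from the change management system rather than hard-coded.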

Ensuring Quick Recovery

Organizations must also be prepared for attacks that succeed in taking down key systems and destroying or encrypting valuable data. To minimize disruption to the business in the wake of an incident, they need a documented strategy for data recovery and getting processes back on track as soon as possible.

A robust recovery plan starts with backing up key data and systems, testing those backups carefully and storing them securely. If attackers make malicious changes, IT teams should be able to identify the specific assets involved and granularly reverse the modifications. In a broader disaster, IT pros need to be able to quickly restore key domain controllers, applications and data to reduce downtime and business losses.

Conclusion

While it is not possible to prevent cybercriminals from discovering and exploiting zero-day vulnerabilities, organizations can and should take action to reduce the impact of these attacks. By implementing the practices above, organizations can build a multi-layered security strategy that enhances their resilience against not only zero-day exploits, but other types of cyberattacks and insider threats.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

