It’s every security professional’s nightmare – an organisation you are responsible for securing gets hit by a cyberattack exploiting a zero-day vulnerability in a piece of software that your business relies upon, bringing the business to its knees in a matter of minutes. You break into a cold sweat and questions race through your mind – did I do something wrong? Is our company data safe? Will our customers be impacted? How will the market react? Will I lose my job?
With 74% of malware detected in Q1 2021 classified as zero-day malware, and 2021 setting the record for the number of zero-day hacking attempts, being aware of the impact of zero-day attacks is critical. This blog aims to help organisations understand what zero-day vulnerabilities are, and how to be ready to respond when the unpredictable happens.
So firstly, a definition: A zero-day vulnerability is a weakness in a computer system that is not yet known to the software author and for which no patch has been released, allowing a cybercriminal to exploit the system freely. And herein lies the problem – how can I protect against something if I don’t know what it is, effectively an unknown unknown?
The information security industry has been trying to answer this exact question for several years, and there are many technologies that assist with varying degrees of effectiveness – think of compensatory controls such as network-level ‘virtual patching’, or endpoint protection products offering buffer overflow protection and behavioural-based controls, or operating systems controls such as Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) in Windows 10.
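Before relying on operating-system mitigations such as DEP and ASLR, it is worth confirming they are actually enforced on the hosts running business-critical software. The following PowerShell script is an added example, not part of the original post or of any HPE tooling. It assumes a Windows 10 build (1709 or later) that ships the ProcessMitigations module, and the property names it reads (DEP.Enable, ASLR.BottomUp, ASLR.HighEntropy, ASLR.ForceRelocateImages) follow that module's documented output; the process names in the default list are constructed placeholders to be replaced with your own applications.

```powershell
# Added example (not from the original post): audit DEP/ASLR policy on a Windows 10+ host.
# Assumes the ProcessMitigations module (Get-ProcessMitigation) is present.
# Property names follow the module's documented output; verify them on your build.

function Get-MitigationAudit {
    [CmdletBinding()]
    param(
        # Constructed sample list of executables; replace with your business-critical applications
        [string[]]$ProcessName = @('notepad.exe', 'explorer.exe')
    )

    # System-wide defaults apply to any process that has no per-process override
    $system = Get-ProcessMitigation -System

    [PSCustomObject]@{
        Scope             = 'System default'
        DEP               = $system.DEP.Enable
        ASLRBottomUp      = $system.ASLR.BottomUp
        ASLRHighEntropy   = $system.ASLR.HighEntropy
        ASLRForceRelocate = $system.ASLR.ForceRelocateImages
    }

    foreach ($name in $ProcessName) {
        # -Name returns the registered per-process policy, whether or not the process is running
        $m = Get-ProcessMitigation -Name $name
        [PSCustomObject]@{
            Scope             = $name
            DEP               = $m.DEP.Enable
            ASLRBottomUp      = $m.ASLR.BottomUp
            ASLRHighEntropy   = $m.ASLR.HighEntropy
            ASLRForceRelocate = $m.ASLR.ForceRelocateImages
        }
    }
}

# NOTSET means the process inherits the system default; an explicit OFF on a
# business-critical application is the finding to raise with its owner or vendor.
Get-MitigationAudit | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the per-process policy entries are readable, and feed the output into your risk register: a control that is documented as "in place" but reports OFF is exactly the kind of gap the risk assessment in the anticipate phase below is meant to surface.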
Whilst all these controls certainly help to protect against zero-days, they are much more focused around the known unknowns, rather than the ‘unknown unknowns.’ So the first step to dealing with zero-day vulnerabilities is the acceptance that even with a high level of security control maturity, a worst-case scenario could involve an attack vector that evades all of these controls.
If an organization is able to accept that there is no silver bullet that will protect against all zero-day eventualities, then a different approach can be taken to the way security architecture is addressed. Best practices should be followed around security hygiene to cover regular patching and platform hardening. Everything with relevance to the security of the platform should be logged, and the logs should be integrated into a mature security operations capability. And, most importantly, incident response plans and business continuity planning need to address how the organization will survive when hit with the feared ‘unknown unknown’. Many of the organizations that we speak to have accepted this and are exploring how to address this concept, known as cyber resiliency, by incorporating it into their security frameworks.
Cyber resiliency is defined by NIST as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources”[1], and organizations now see cyber resiliency as a natural follow-on in maturity from a traditional BC/DR[2] model. The main difference between traditional BC/DR and cyber resiliency is that whereas BC/DR is focused on recoverability, cyber resiliency focuses more on sustainability[3].
So, if we put that in terms of dealing with a zero-day attack as per the NIST definition, we can consider the following:
Anticipate: As part of the planning phase for cyber resiliency, performing holistic risk assessments across the entire organizational estate to understand where risk exists is a critical first step in becoming cyber resilient and being prepared to deal with any states of adversity. Risk assessment can be controls-based – for example, looking at existing architecture documentation – or of a more technical nature – such as performing a vulnerability assessment against an in-house developed application.
Withstand: Being able to maintain business critical functions during a zero-day attack depends upon having the right cybersecurity architecture in place. A cyber resilient organization has followed principles such as zero trust in segmenting the infrastructure and has a mature level of security hygiene to efficiently reduce the impact of a zero-day attack. Business continuity planning in the face of impending disaster plays a key role here, as does having a tried and tested incident response plan detailing the roles and responsibilities that will be called upon during a cyber incident.
Recover: Although cyber resilience aims more at continuity than at recovery, having a disaster recovery strategy in place that extends to highlight the steps that should be followed to neutralize the impact of a zero-day attack is a necessary part of cyber resiliency.
Adapt: The final goal of a cyber resiliency plan is to be able to learn from what has happened and adapt architectural capabilities to be able to better withstand future events, based upon changes to either the operational environment, or the threat landscape. Handled correctly, the adapt phase can be considered as ongoing threat modeling following the agile concept of continuous improvement.
Organisations can get a head start with the development of the cyber resilient enterprise by working with HPE. Our HPE Pointnext Services team helps customers to adapt using our risk assessment methodologies and cyber resilience maturity assessment services. We help our customers to withstand by following secure-by-design and zero-trust principles when implementing digital transformations. We support customers in designing their BC/DR frameworks and offer Backup as a Service and DR as a Service via HPE GreenLake data protection services, and in the worst-case scenario we support customers who need to recover with our malware recovery services. We also offer a full range of education services, including the new NIST Cybersecurity Professional curriculum to help customers understand what is needed to adapt their cyber resiliency plans.