Of all the security concerns that keep chief information security officers awake at night, the most difficult to manage are zero-day vulnerabilities, Rafi Katanasho of Dynatrace writes.
These vulnerabilities are dubbed “zero day” because, by the time they are discovered, security teams have had “zero days” to work on an update or patch that remediates the issue. This means an organisation’s IT infrastructure is already at risk.
The term zero day is often linked to three different concepts: vulnerability, exploit, and attack. A zero-day vulnerability is an unknown software weakness that has been discovered by attackers before organisations can be made aware.
A zero-day exploit, meanwhile, is a technique attackers can use to take advantage of an organisation’s vulnerability and gain access to its IT infrastructure.
A zero-day attack therefore occurs when an attacker exploits these vulnerabilities and causes significant damage before an update or patch can be developed and deployed.
Detecting zero-day attacks
Zero-day attacks can be carried out in many different ways and can be very difficult for IT security teams to spot. One method of detection is to observe software behaviour and identify whether any activity is malicious.
Machine learning tools can also be trained on data from previously known exploits to establish a baseline of normal behaviour against which future exploits can be identified. Application logs are a good data source for this method.
Another detection technique is statistics-based monitoring. This involves an organisation taking statistics from exploits that vendors have detected and feeding them into a system to learn and identify these attacks.
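As an added illustration of the two approaches above (example code written for this page, not Dynatrace's tooling or the author's), the following Python learns a baseline from a constructed window of known-good application request logs, then checks a later window against it, flagging endpoints the baseline never saw, per-minute request bursts measured as a z-score, and a server-error rate well above the baseline. The log format, endpoints and thresholds are assumptions chosen for the example.

```python
import re
from collections import Counter
from itertools import cycle, islice
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+T\d\d:\d\d) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")

# Constructed sample logs (not from the article). Baseline: three quiet minutes
# with 4, 5 and 6 ordinary requests each. Observed: a 12-request burst that also
# hits an endpoint the baseline never saw and returns server errors.
NORMAL = ("GET /api/orders 200", "GET /api/items 200", "POST /api/login 200")
BASELINE_LOG = "\n".join(f"2024-03-01T09:0{m} {ev}"
                         for m, n in ((0, 4), (1, 5), (2, 6))
                         for ev in islice(cycle(NORMAL), n))
OBSERVED_LOG = "\n".join(
    [f"2024-03-01T09:30 {ev}" for ev in islice(cycle(NORMAL), 8)]
    + ["2024-03-01T09:30 GET /api/export 500"] * 4
    + [f"2024-03-01T09:31 {ev}" for ev in islice(cycle(NORMAL), 5)])

def parse(text):
    """Parse 'minute METHOD /path STATUS' lines into tuples; skip malformed lines."""
    hits = (LINE_RE.match(line.strip()) for line in text.strip().splitlines())
    return [(m[1], m[2], m[3], int(m[4])) for m in hits if m]

def build_baseline(events):
    """Learn what normal looks like from a known-good window of application logs."""
    counts = list(Counter(ev[0] for ev in events).values())
    return {"endpoints": {(ev[1], ev[2]) for ev in events},
            "rate_mean": mean(counts),
            "rate_std": max(pstdev(counts), 1.0),  # floor keeps a flat baseline usable
            "error_rate": sum(ev[3] >= 500 for ev in events) / len(events)}

def detect(baseline, events, z_threshold=3.0, error_factor=5.0):
    """Flag unseen endpoints, per-minute request bursts and an elevated 5xx rate."""
    findings = []
    for method, path in sorted({(ev[1], ev[2]) for ev in events} - baseline["endpoints"]):
        findings.append(f"unseen endpoint {method} {path}")
    for minute, n in sorted(Counter(ev[0] for ev in events).items()):
        z = (n - baseline["rate_mean"]) / baseline["rate_std"]
        if z > z_threshold:
            findings.append(f"request burst at {minute}: {n} requests (z={z:.1f})")
    err = sum(ev[3] >= 500 for ev in events) / len(events)
    if err > max(baseline["error_rate"], 0.01) * error_factor:
        findings.append(f"server error rate {err:.0%} vs baseline {baseline['error_rate']:.0%}")
    return findings

def run():
    """Baseline on the quiet window, then check the observed window against it."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(OBSERVED_LOG))
```

In practice the baseline window would be re-learned regularly and the thresholds tuned per service, since a fixed z-score is only meaningful relative to that service's own traffic.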
Increasing numbers
Around the world, security teams are reporting an increase in attempted attacks on zero-day vulnerabilities. One recent example was the widely reported Log4Shell vulnerability where, within a week of it being reported, Microsoft reported more than 1.8 million attempted attacks.
It transpired that Log4Shell was a widespread software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability enabled a remote attacker to take control of a device if that device was running certain versions of Log4j 2.
Another example was Spring4Shell, a critical vulnerability that emerged in March this year and affects the Spring Java framework, an open-source platform for Java-based application development. Spring4Shell is a very severe vulnerability because an attacker who exploited it could achieve remote code execution (RCE) in affected applications.
Improving vulnerability management
To improve protection against future zero-day attacks, it’s important for organisations to implement a well-designed vulnerability management strategy. The strategy should focus on the important activities of identifying, prioritising, correcting, and reporting all vulnerabilities that occur.
As part of the process, an organisation should implement practices that cover the breadth of possible vulnerabilities and apply them to all IT systems. Such broad and thorough security practices reduce the risk of a malicious actor compromising the organisation’s IT services.
The strategy should also incorporate the automation of vulnerability scanning to ensure security gaps are spotted as quickly as possible. Relying only on humans can significantly increase the level of risk.
When forming a vulnerability management strategy, it is important for security teams to consider several key factors when implementing processes and choosing tools. These factors include:
The threat posed by zero-day attacks is likely to continue to rise, so it is important for all organisations to take the steps needed to ensure their protective measures are as robust as possible. Early detection and response are the best way to ensure that any disruption and damage are kept to a minimum.
Rafi Katanasho is the APAC chief technology officer and solutions sales vice president at Dynatrace.