Expect the Unexpected: How to Reduce Zero-Day Risk

Modern enterprises have sprawling tech stacks with hundreds or thousands of endpoints. The opportunities for vulnerabilities are vast. Sometimes these vulnerabilities are unknown to system and device developers and users: zero-days. If threat actors discover this type of vulnerability before it can be remedied, they can exploit it.

In 2023, the Zero-Day Vulnerability Tracking Project reported a total of 97 discovered zero-day vulnerabilities. Not all zero-days end up being exploited in the wild, but some are, and to great effect. The fallout from the exploitation of a zero-day vulnerability in the MOVEit file transfer tool unfolded over the course of 2023, with more and more victims coming to light.

Zero-days, by definition, cannot be predicted. They are unknown vulnerabilities that have yet to be patched. CISOs and their teams may not be able to foresee exactly when the latest zero-day vulnerability will arise, but they can recognize this security risk and prepare a plan of action.

Where Zero-Days Occur

Zero-days could potentially pop up anywhere in an organization’s tech stack, which for larger organizations is a complicated sprawl. Security teams need to consider where zero-day vulnerabilities could be found in third-party software and in software that has been developed in-house.

Related:Critical Zero-Day Atlassian Bug: What CISOs Must Know

“We’ve modernized,” says Nick Rago, field CTO at Salt Security, an API security company. “Now, we have all sorts of different places and exposure where we didn't before. [We] have multiple development teams using multiple clouds and multiple tools and technologies in multiple places.”

Where is the risk of zero-day vulnerabilities greatest? Threat actors that look for zero-day vulnerabilities are typically going to search for opportunities in well-distributed software that is difficult to update, according to Ivan Novikov, founder and CEO of Wallarm, an API and app security company.

“The parts that organizations need to look at first are the things on the attack surface. When you go look at zero-days that end up having wide applicability, it's things … in your browsers, in your networking stack, in your email readers, in your SMS,” David Brumley, CEO of software security firm, ForAllSecure, and a professor at Carnegie Mellon University, tells InformationWeek.

A number of zero-day bugs in browsers, for instance, have emerged in the first month of 2024. A zero-day (CVE-2024-0519) in Google Chrome, allows for code injection. Attackers actively exploited the vulnerability, which Google has patched by this point. A zero-day bug (CVE-2024-23222) in Apple’s WebKit browser engine for Safari has also been exploited and patched. Attackers could leverage that vulnerability to execute code on impacted systems.

Related:Internet-Wide Zero-Day Bug Fuels Largest-Ever DDoS Event

The Potential Damage

A zero-day vulnerability is typically not a problem if it is discovered and patched before it can be exploited. Once it is exploited, the question becomes what can threat actors do with the system access they gain?

“You think about zero-day vulnerabilities, [they are] sort of a toe in the door for an adversary to get into your environment and now move laterally,” says Andy Ellis, operating partner at YL Ventures, a cybersecurity-focused venture capital firm.

Lateral movement can allow threat actors to escalate privileges, inject malicious code, and exfiltrate data. Threat actors may also leverage a zero-day to execute ransomware attacks.

Common Vulnerability Scoring System (CVSS) ratings are assigned to vulnerabilities to indicate their severity, 0 being the least severe and 10.0 being the most severe. These ratings, while not a measure of risk, can help CISOs and their teams prioritize vulnerability management. Can a vulnerability wait, or does it need to be addressed immediately?  

Risk Mitigation

Security teams have more control over zero-day vulnerabilities that arise in software developed in-house. If they find these vulnerabilities before they are exploited, they control the remediation. Zero-days in third-party software are more complicated.

Related:Barracuda Zero-Day Vulnerability: Mandiant Points to Chinese Threat Actors

“We cannot, essentially, as users reduce the risk of zero-days [being] found, but what we can do is just reduce our own risk to be exploited or be compromised because of the zero-days,” says Novikov.

One of the first steps to reducing the risk of zero-day vulnerabilities is understanding the attack surface and shrinking it as much as possible. “How do we make sure that we really understand what our attack surface area is? And then, how do we reduce that to the minimum it can be, obviously, in order for us to run our business?” asks Fred Rica, partner, advisory at accounting and advisory firm BPM.

Shrinking that attack surface can be easier said than done. It requires robust asset management. “Organizations that go through that robust asset management process generally find things that either they didn't know they had or they don't need or aren’t [in] compliance or are end-of-life,” Rica shares.

With a comprehensive understanding of an enterprise’s attack surface, CISOs and their teams can identify paths that would-be attackers could take and determine if those pathways can be eliminated.

Speed is of the essence when it comes to zero-day response. The faster a security team knows that a new zero-day has the potential to impact their enterprise, the faster they can leap into action. “I think it's table stakes now to have a robust threat intelligence program in place,” says Rica. “So, just as quickly as zero-days pop up, information about them, how to stop them, how to prevent them also pops up.”

In addition to threat intelligence, proactive monitoring can play a role in catching zero-days before threat actors have ample opportunity to move laterally and cause more damage.

“Are your teams trained up? Are they looking for anomalous behavior?” Rica asks. “Because that can be a real indicator of something new or something unknown or something zero-day.”

Responding to a Zero-Day

Risk mitigation is important, but it cannot eliminate the possibility that a zero-day vulnerability will be exploited. Organizations need to be prepared for this scenario to contain the blast radius of an attack.

Vendors have a role to play when a zero-day in their software is being exploited. “If you sign a contract with a big vendor and you are an enterprise, you have to include some sort of SLAs for zero-days and vulnerability management,” says Novikov.

While many vendors do work proactively with customers on zero-days, providing security patches and updates, that level of support isn’t guaranteed. “What you should expect is nothing because sometimes you're going to get that,” says Ellis.  

Regardless of how involved a vendor is in a zero-day response, security teams are still going to need to lead the response efforts at their enterprises. They need to be able to answer a series of questions and act accordingly.

“What actually happened? How do I respond to it? Can I block and can I contain it? How do I capture evidence? Who do I have to notify about it? How do I fix it? How do I make sure this doesn't happen again?” says Rago.

Security teams need to be able to isolate the attacker and remove them from the system. But they also need to ensure that attacker cannot return for a second round of exploitation. Do an enterprise’s secrets need to be rotated? Do administrative credentials need to be updated?

“When you look at the best of breed, they have essentially a checklist and a methodology,” says Brumley. “It takes that sense of panic out of reaction to a zero-day.”

A well-rehearsed incident response plan can help enterprises avoid some of the potential pitfalls of responding to a zero-day attack. The kneejerk reaction may be to shut down the environment immediately and completely. In some cases, this is necessary. In others, it isn’t, and it can cause more disruption. “Sometimes taking down your environment is the right approach, but you should do so consciously and not by accident,” says Ellis.

Security teams also need to be prepared for the possibility that addressing a vulnerability won’t be a smooth process. “In the rush to patch or the rush to fix, there's definitely a risk that you might actually be doing more damage,” says Rica. “Organizations, many times … have very bespoke environments, customized operating systems, internally built web applications. All that stuff may or may not react differently to a fix.”

Zero-day exploits can have a ripple effect throughout the supply chain. Exploiting one entity can open the door to many others. Knowing that is a possibility, zero-day response is not just about internal responsibilities.

“You need to have a communication system at the same time that is going to be telling your customers whether or not you're impacted, what you're doing about it, how you're supporting them, and maybe what steps they might need to take to protect themselves in their environment,” Ellis explains.