The next time there is a zero-day sweeping the internet, your organization shouldn’t have to panic. This shouldn’t be a crisis. Instead, it should be a controlled exercise that follows a playbook that a drill has validated. While that’s easier said than done, this proactive approach will yield long-term benefits, saving time and minimizing stress. This article will provide some practical advice on how to deal with zero-days.
To begin, it is essential to categorize the various types of zero-days. Different types require unique resources and notifications. The playbook(s) should encompass a series of processes that outline the involvement of relevant parties in identifying the vulnerability, assessing the impact, devising phased remediation strategies and implementing the final solution. A sample set of types of vulnerabilities would include:
- Product or supply chain—Third-party software or service
- Protocol—Open source code (like Log4j)
- Infrastructure—Architecture like VPN (See FBI alerts for examples)
- Emerging malware—WannaCry (often part of a campaign)
- IoT/Medical devices—Stuxnet
As you think about the different teams you should involve for each type of issue, you need a set of processes/tasks that define who will support the zero-day based on the scope of impact. Most of these playbooks will be built on the NIST incident response cycle phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. For larger organizations, it should include a RACI matrix (see image below) that designates who is responsible, who is accountable, who is consulted and who is kept informed. For smaller companies, it can be part of the process.
Some sample tasks to identify ownership of are:
- Determine risk of threat based on infrastructure
- Do you have/use vulnerable systems/protocol?
- Determine a baseline of what impact could be
- Identify data or capabilities that are at risk
- Determine who you need to notify
- Determine what third parties are at risk
In the case of a vulnerability with the potential for material impact, it is necessary to transition from the playbook to a crisis management plan. A playbook tends to be focused on the operations of the cybersecurity team, while a crisis management plan brings in the organization’s leadership and adds external communication plans. If the zero-day will result in reporting to regulators, answering calls from news reporters or making a press release, it’s imperative to execute a crisis management plan.
Dealing With the Zero-Day
First and foremost, you need visibility to identify where you have the vulnerability and then determine what the impact would be if exploited. Depending on the type, that information could be in a vendor management database or software bill of materials (SBOM). This step is where preparation truly pays off – knowing where the data is or who to ask will minimize the stress and maximize speed to get everyone home for the weekend (because this always happens at 3:00 p.m. on a Friday).
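As an added example (not part of the original article, and not the author's or Akamai's tooling), the following Python script answers the "do we have it, and where?" question against a set of CycloneDX-style SBOMs, one per application. The inventory, the application names and the affected version range are all constructed for illustration; in practice the package coordinates and version bounds come from the vendor advisory. It also walks nested components so that a library bundled inside a vendor SDK is not missed.

```python
"""Triage an SBOM inventory for a newly announced vulnerable component.

Walks a set of CycloneDX-style SBOMs (one per application), finds every
occurrence of the affected package (including nested/bundled components),
and reports which applications are exposed based on version.
"""
from typing import Iterator

# Constructed sample inventory: application name -> CycloneDX-style SBOM.
# Illustrative records only, not a real organization's data.
SAMPLE_INVENTORY = {
    "billing-api": {
        "bomFormat": "CycloneDX",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.14.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind",
             "version": "2.12.3"},
        ],
    },
    "customer-portal": {
        "bomFormat": "CycloneDX",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.17.1"},
        ],
    },
    "reporting-batch": {
        "bomFormat": "CycloneDX",
        "components": [
            # A shaded/bundled library shows up as a nested component.
            {"group": "com.example", "name": "vendor-sdk", "version": "4.2.0",
             "components": [
                 {"group": "org.apache.logging.log4j", "name": "log4j-core",
                  "version": "2.0-beta9"},
             ]},
        ],
    },
    "static-site": {"bomFormat": "CycloneDX", "components": []},
}

# Assumed placeholder rule for illustration: copy the real package
# coordinates and affected bounds from the vendor advisory.
AFFECTED = {
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "min_version": "2.0-beta9",
    "max_version": "2.14.1",
}


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple.

    Numeric parts compare numerically; a pre-release suffix sorts below the
    final release with the same numbers. Sufficient for Maven-style versions.
    """
    base, _, pre = version.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))  # pad so 2.0 == 2.0.0
    if not pre:
        return nums + ((1, "", 0),)
    label = pre.rstrip("0123456789")
    digits = pre[len(label):]
    return nums + ((0, label, int(digits or 0)),)


def iter_components(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested (bundled) components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def is_affected(component: dict, rule: dict) -> bool:
    """True when the component matches the rule and falls in the affected range."""
    if component.get("group") != rule["group"] or component.get("name") != rule["name"]:
        return False
    ver = parse_version(component.get("version", "0"))
    return parse_version(rule["min_version"]) <= ver <= parse_version(rule["max_version"])


def triage(inventory: dict, rule: dict) -> dict:
    """Sort applications into exposed / present-but-not-affected / absent."""
    result = {"exposed": {}, "not_affected": {}, "absent": []}
    for app, sbom in inventory.items():
        matches = [c for c in iter_components(sbom.get("components", []))
                   if c.get("group") == rule["group"] and c.get("name") == rule["name"]]
        if not matches:
            result["absent"].append(app)
            continue
        versions = sorted({c.get("version", "unknown") for c in matches})
        bucket = "exposed" if any(is_affected(c, rule) for c in matches) else "not_affected"
        result[bucket][app] = versions
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY, AFFECTED)
    for app, versions in report["exposed"].items():
        print(f"EXPOSED      {app}: {', '.join(versions)}")
    for app, versions in report["not_affected"].items():
        print(f"NOT AFFECTED {app}: {', '.join(versions)}")
    for app in report["absent"]:
        print(f"ABSENT       {app}")
```

The "exposed" list is what feeds the playbook tasks above: it tells you which application owners to pull in, which data those systems hold, and which third parties need notification. Keeping the affected rule separate from the inventory walk means the same script serves the next advisory by changing only the coordinates and bounds.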
Next, it is important to consider the fundamental steps that need to be taken. In this case study, we will focus on a vulnerable protocol as an example. When Log4j was identified, Akamai saw that it was operationalized and in the wild within hours and had multiple variants within days. At its peak, we saw 42 million exploitation attempts per hour and, in one month, denied 2,480,512,073 exploitation attempts (note: some of this was self-testing). Significant events will attract media coverage, leading to increased attention from internal leadership and external parties who will inquire about the potential impacts.
So, as we think about mitigating something like Log4j, I find it useful to use the people, processes and technology pillars. ‘People’ is built around the RACI. ‘Processes’ are the playbook. But let’s talk about ‘Technology,’ or the security controls. I think the best way to think about defenses is to follow the flow of data: data requested and the reply (North/South) and access to resources (East/West). To stop the attack at the edge, you use a web application firewall (WAF) or WAAP (N/S); internally, you would use microsegmentation to isolate the systems at risk (E/W). Next, you would monitor outbound traffic for indicators of compromise (N/S). At the endpoint, you want to leverage antivirus (AV) and EDR/XDR, but the fix is patching.
Thinking about Zero-Day Risk
A great way to think about risk and look at potential gaps from the attacker’s viewpoint is to use the steps from the MITRE ATT&CK framework. Much like the cyber kill chain, it follows the steps a criminal would follow to complete their attack. It includes reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and impact. Disrupting any of these steps mitigates the attack. It can be a great template for a tabletop exercise and some SOCs use it for a training template.
Additionally, you need to address what anyone who has your data is doing. While you are collaborating with vendor management to answer questions about customer data, you also need to have them query your third-party vendors to understand what your risk is.
In conclusion, it is evident that we will encounter multiple zero-day vulnerabilities annually, with some reaching a level that demands a formal integrated response. Instead of finding ourselves in a crisis situation where we scramble to react, it is essential to develop a playbook that enables us to mitigate risks and minimize the associated challenges. By doing so, we can effectively navigate the next zero-day vulnerability with both minimal risk and pain.