Reality check: one zero-day doesn’t equal an attack

Vulnerabilities are everywhere, and although they can’t be totally evaded, they can be countered effectively.

When someone downloads an app, they’re putting themselves at risk. How? They are prompted to grant the app permissions that give its developers access to personal information such as contacts, photos, and even voice recordings.

When you download a programme onto your PC, laptop or tablet, there is a risk involved. Even more simply, when you open an email or click on an online advertisement, you expose yourself, and potentially your organisation, to risk. Most recently, hackers have been exploiting a vulnerability in Microsoft Word to attack users.

Some zero-days

There is no doubt that zero-day malware poses a serious threat. It’s sophisticated and can go undetected by traditional, signature-matching antivirus solutions. But zero-days are also expensive. This means that hackers are likely to reserve these targeted attacks for high-ticket organisations or individuals.

Alternatively, malicious actors sidestep the issue of cost by simply exploiting the weakest link in the security chain – the uninformed user – reserving zero-days for the biggest players. So why is that a positive thing?

Simply put, organisations aren’t necessarily being targeted in the way they anticipate. Attacks are multi-pronged.

Yes, the zero-day is a real threat, but it is not the only way that hackers gain access to prized data. The sooner we recognise that the zero-day is just one element of an attack, the more we can do to increase the odds to defeat malicious intent.

Share and share alike

Beyond zero-day, cyber threats have a lot in common. Namely, the way in which we can protect against them not as individuals, or even countries, but as a global society.

Cyber intelligence operations that inform policies for the armed forces and other intelligence operations, in any given country, could be valid in the fight against cyber crime.

Although contentious, by disclosing intelligence analysis we could enable hundreds of organisations to readily defend against threats and close in on cyber criminals.

However, this doesn’t have to be a one-sided approach. In fact, it must be reciprocal if we are to have a real impact on crime. All organisations can share intelligence by describing these actors’ operations, tools, infrastructure, and motivations, based on the activity that they encounter daily.

This might well be a step away from the big fish ‘zero-day vulnerability’ but it still enables other organisations to defend against the process by which actors ultimately exploit those vulnerabilities.

In an ideal environment, governments and private sector organisations would freely share fundamental security data so that organisations have the intelligence needed to bolster their defences against attackers, while still ensuring the continuity and effectiveness of government operations.

This environment offers two major benefits with respect to the adversary. First, by getting to a point where a person understands how the adversary operates, we enable defences against their activity, potentially irrespective of their present or future zero-day armoury.

Second, one of the overlooked components of advanced persistent threat (APT) operations is the faceless humans behind the attacks.

However, because most defensive methods and tools focus on blocking or otherwise mitigating the digital assets these adversaries employ, organisations often fail to incorporate their human adversaries into their preventive defensive strategies.

Denying the human adversary any degree of success and punishing him for each intrusion attempt, through exposure and information sharing, presents the adversary with a cost-to-benefit decision point.

As more of an APT’s infrastructure, capabilities, and tactics are identified and exposed or shared, the more the humans behind the operations are impacted.

As these individuals are bogged down by having to register new domains, procure new infrastructure, recompile malware, or institute new tactics whenever they are exposed, the greater the effect on their psyche.

This can lead to a point where an organisation can annoy adversaries, impact the humans behind them, hinder their daily efforts, and ultimately become a factor in their cost-to-benefit analysis.

There’s no such thing as being overzealous

In an ideal world, we would be able to see a zero-day coming and analyse the hackers’ pattern of behaviour to predict and anticipate future attacks and therefore, mitigate risk.

Nonetheless, as these zero-day disclosure discussions inevitably continue, we need to bear in mind that the vulnerability alone is not the entire operation.

Remote malicious actors still must identify their targets, employ an attack vector to gain access to an organisation, use an exploit to take advantage of the zero-day, control the compromised host or move around the network using malware or other tools, and transfer data via a command and control infrastructure.

By researching, identifying, and sharing intelligence on these steps of actors’ operations, we can become more knowledgeable about the actors themselves; and more readily monitor for, defend against, and publicly disclose their operations.

In consistently doing so, there is a move from a reactive to a proactive defensive state that may ultimately impact the adversaries themselves.
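The point above is that an operation is visible at several stages other than the exploit itself. The following is an added example, not code from the article or from ThreatConnect, showing how shared indicators for the stages described (delivery, control and lateral movement, command and control) can be run over log lines so that an intrusion is detected even when the exploitation stage, the zero-day, has no signature at all. Every indicator, hostname, address and log line is constructed for the example; the stage names are taken from the article’s description of an actor’s operation.

```python
"""Map shared threat-intelligence indicators onto the stages of an intrusion
and run them over log lines from several sources.

All indicators, hostnames, IPs and log lines below are constructed for this
example (not real IoCs); the stage names follow the article's description of
an actor's operation: target selection, delivery, exploitation,
control/lateral movement, command and control (including data transfer).
"""
import re
from collections import defaultdict

# Constructed shared intelligence: indicator -> (stage, description).
# In practice these entries would arrive from a sharing community or platform.
SHARED_INTEL = {
    "invoice-update.example": ("delivery", "phishing sender domain"),
    "cdn-sync.example": ("command_and_control", "C2 domain"),
    "198.51.100.23": ("command_and_control", "C2 address (TEST-NET-2 range)"),
    "psexec-lateral.exe": ("control_and_movement", "tooling used to move laterally"),
}

# Constructed log lines from a mail gateway, a DNS resolver, a web proxy and
# an endpoint agent. Note there is no indicator for the exploit itself.
SAMPLE_LOGS = [
    '2017-05-02T08:01:11Z mail from=accounts@invoice-update.example to=cfo@corp.example subject="Invoice 4471" attach=invoice.docx',
    "2017-05-02T08:03:40Z dns client=10.0.4.17 query=cdn-sync.example type=A answer=198.51.100.23",
    "2017-05-02T08:03:42Z proxy client=10.0.4.17 dst=198.51.100.23:443 bytes_out=184320",
    "2017-05-02T08:15:09Z endpoint host=WS-017 parent=WINWORD.EXE image=psexec-lateral.exe",
    "2017-05-02T08:20:00Z dns client=10.0.4.18 query=updates.vendor.example type=A answer=203.0.113.5",
]

# Stage order as the article lists the steps of an operation.
STAGE_ORDER = [
    "target_selection",
    "delivery",
    "exploitation",
    "control_and_movement",
    "command_and_control",
]

# Tokens are domain names, IPs and file names; '=', ':', '@' and quotes split them.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def match_line(line, intel=SHARED_INTEL):
    """Return [(indicator, stage, description), ...] for indicators in a log line."""
    hits = []
    for token in TOKEN_RE.findall(line):
        if token in intel:
            stage, description = intel[token]
            hits.append((token, stage, description))
    return hits


def triage(log_lines, intel=SHARED_INTEL):
    """Group matching log lines by intrusion stage: {stage: [line_index, ...]}."""
    by_stage = defaultdict(list)
    for index, line in enumerate(log_lines):
        for _indicator, stage, _description in match_line(line, intel):
            if index not in by_stage[stage]:  # one line may hit several indicators
                by_stage[stage].append(index)
    return dict(by_stage)


def stages_detected(log_lines, intel=SHARED_INTEL):
    """Stages at which the operation became visible, in kill-chain order."""
    seen = triage(log_lines, intel)
    return [stage for stage in STAGE_ORDER if stage in seen]


def detected_without_exploit_signature(log_lines, intel=SHARED_INTEL):
    """True when the operation is visible at some stage even though defenders
    hold no indicator for the exploitation stage (the zero-day is unknown)."""
    found = stages_detected(log_lines, intel)
    return bool(found) and "exploitation" not in found


if __name__ == "__main__":
    for stage, indexes in triage(SAMPLE_LOGS).items():
        for index in indexes:
            print(f"[{stage}] {SAMPLE_LOGS[index]}")
    print("visible stages:", stages_detected(SAMPLE_LOGS))
    print("caught without an exploit signature:",
          detected_without_exploit_signature(SAMPLE_LOGS))
```

Running the block flags the phishing sender, the C2 resolution and connection, and the lateral-movement tooling, while the benign DNS query to the vendor host matches nothing. Each stage that a sharing community has documented becomes a detection point, which is the cost-to-benefit pressure the article describes: the adversary must re-register domains and rebuild tooling after every exposure, whether or not their exploit was ever identified.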

A zero-day recognised on its own does not make an attack. It is one element of many, and therefore there is much more that organisations can do to increase the odds of these attacks being defeated.

By putting cyber threat intelligence in place across all areas of the business, and creating a cohort of shared intelligence, organisations can do more to defend against attackers one step at a time.


Sourced from Adam Vincent, CEO of ThreatConnect

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...