When the Log4j security flaw reared its ugly head in 2021—allowing cybercriminals to penetrate vulnerable computer networks with a single line of code—it seemed to be a once-in-a-blue-moon cybersecurity threat, a nuclear zero-day vulnerability that needed to be patched immediately.
But then, before you could say déjà vu, the Spring4Shell zero-day came along, capturing more headlines, panicking senior executives, and sending security teams into 24/7 overdrive.
And it hasn’t stopped there.
Just this week, Google patched a Chrome browser zero-day that hackers had been exploiting. Microsoft then did the same for its Edge browser, which had also been breached.
Times have certainly changed. It used to be that criminal hackers would reliably exploit such zero-days (code flaws that a software creator or vendor does not know exist until they are found or exploited) every few years or so. Now, as companies and governments increasingly rely on third-party software to run networks and organizational apps, these zero-days are becoming more frequent and severe.
Consider the data. So far this year, 18 zero-days have been found and exploited “in the wild,” according to Google Project Zero. Last year, 58 such flaws were detected and disclosed—the most since Google began tracking such issues back in 2014 and more than double the number of identified bugs in 2020.
But IT security professionals—and the executive leaders and boards they answer to—are asking: Are zero-days really increasing and getting worse? Or are security researchers and the bug bounty hunters who ferret out these flaws just getting better at their job?
Melissa Bischoping, a director of endpoint security research at Tanium, believes it’s the latter. “More zero-days are showing up, in part because so many people are looking for them now,” says Bischoping, who also runs threat-hunting workshops. “Every zero-day is not a critical all-hands scenario. The looming threat of the ‘big ones’ keeps you up at night, but those are only a fraction of the zero-days we see. I advise people to evaluate and react accordingly based on severity, not solely on the fact that it’s a zero-day.”
That said, she warns that it’s crucial for security professionals to stay in the hunt. Given the way criminal hackers can weaponize a single vulnerability to create widespread havoc (see the SolarWinds hack and its impact on companies and governments), staying on top of zero-days is key to network security.
Zero-day exploits are becoming more severe
Steve Wilson, chief product officer at Contrast Security, which provides a unified platform to help developers code more securely, sees an increase in the number and severity of zero-day exploits on the application layer, where Contrast focuses its work. A key reason, he says, is that much of the software code that enterprises use today was actually written many years or even decades ago. Apache Log4j, a Java library, has a 20-year-old history and is largely maintained by volunteers, Wilson notes.
“Many of the fundamental assumptions in these libraries were made in a time when developers knew less about how to build secure code,” says Wilson. “Hackers are now clearly looking at these older, highly deployed ecosystems, where chinks in the armor can have massive repercussions.”
A growing attack surface
Tony Lauro, director of security technology and strategy at Akamai Technologies, agrees zero-day threats will persist for the foreseeable future, in large part because so many companies are digitizing, moving to the cloud, and letting employees work remotely from a variety of endpoint devices. In fact, 80% of all data breaches in 2019 were a result of zero-day exploits on endpoints, according to the Ponemon Institute.
“Unfortunately, we’re going to see this problem get worse before it gets better because there will be more available attack surfaces for attackers to target,” says Lauro. “And certainly, with all the new generations that are coming online, there’s bound to be more pools of victims as well.”
What’s more, zero-day exploits could increase because they are becoming money makers for the cyber underworld. NSA Director of Cybersecurity Rob Joyce told one panel at this year’s RSA Conference that ransomware gangs are using their profits to buy zero-day exploits, and that his agency is concerned with how quickly criminals can take advantage of newly disclosed
The sky is not falling—until it is
Though some zero-day exploits may seem more menacing than they really are, IT security departments must take them all seriously and do their utmost to defend against them.
Some security teams will balk at this approach. They’ve spent years hearing vendors, researchers, and software developers flagging new zero-days that end up as big nothing burgers. Besides, most security teams are overworked, understaffed, and underfunded. As such, they tend to ignore non-urgent alarms.
“It’s ‘alert fatigue,’” says Frank Dickson, group vice president at IDC. “They’re getting 150,000 different warnings about various vulnerabilities, and that can be almost numbing.”
Dickson says companies must first address such frustrations. They must also address the threat zero-days pose by making a few obvious and less obvious changes in their cyber hygiene, such as:
- Delivering effective patches—the first time. This one is on the software vendors. In fact, of the 18 zero-days Google mentioned in its report, at least nine were variants of previously patched vulnerabilities, wrote Maddie Stone, a Project Zero security researcher. It’s a little like a fire crew extinguishing a blaze but missing embers that could eventually catch wind and turn into a whole new firestorm. “At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests,” Stone said. “Being able to correctly and comprehensively patch isn’t just flicking a switch: It requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive.”
- Know what you have. You can’t safeguard or patch what you can’t see, and surveys have shown that many CIOs lack visibility into all their on-premises and cloud-based assets. Similarly, in 94% of enterprises, up to 20% of endpoints are unknown. The first thing a ruffled C-suite executive will ask a CISO or CIO when a zero-day erupts is “How much do I need to care about this one?” and “Is this the end of the world for us or not?” says Tanium’s Bischoping. This is where strong data observability and endpoint management platforms can be crucial. They can help CIOs and their teams bridge gaps across data silos, see what’s going on with endpoints, and more quickly determine levels of zero-day exposure.
Incidentally, there are many worthy enterprise-class tools for this. But Bischoping points out that smaller organizations can find less expensive or free options for getting asset management under control.
- Stop the coding blame game. Vulnerabilities happen. They always will. But they happen more often when product managers or marketers push developers to write code so fast there isn’t time for security review or remediation. Product timelines are built around delivering a product to market. Cybersecurity is often a checkbox toward the end of that process.
Dickson says that has to change. Organizations must incentivize software developers to meet hard security goals. “Developers today are compensated for their ability to deliver products by a deadline and drive revenue, but we don’t necessarily compensate them for secure coding,” he says. “We should. Driving a security paradigm from the top down in organizations is extremely important.”
Bischoping adds that it’s also crucial to avoid hitting developers with a stick when occasional vulnerabilities appear and become zero-days. “We need to stop this culture of assigning blame when there is a breach,” she says. “Yes, you want to be able to go back and determine if the code was written poorly and look to see if processes were followed. But taking a punitive approach is counterproductive and doesn’t really solve anything. You need to focus instead on understanding the gaps that introduced the vulnerability and how to continually improve with each root cause analysis.”
- Consider attack surface management. CIOs grow the attack surface every time they adopt a new cloud service or provision more endpoints to support business growth and digital transformation. IDC’s Dickson says one of the newer approaches to consider for addressing zero-days is attack surface management (ASM). This is defined as the continuous discovery, inventory, classification, and monitoring of an organization’s IT infrastructure. It seeks to envision these security tasks from an attacker’s perspective. These tools constantly and automatically ping networks, much as a hacker might, looking for potential attack vectors.
- Create a living zero-day playbook. Many organizations today have playbooks for what they’ll do if hit by a ransomware attack. They’re often a collaborative effort by business, finance, legal, human resources, and technical staff. They need a specific incident-response plan for zero-days as well.
This is primarily because of the unforeseen nature of zero-days, which can often graduate from vulnerabilities into exploits and attacks in a matter of days. In addition, because vendors are typically learning about vulnerabilities long after their creation, they don’t always have an effective patch ready. Many times, the best they can do is offer temporary configuration-tweak suggestions, pending
Bischoping recommends creating and constantly updating a playbook to cover such matters as:
- How various zero-day alerts will be prioritized for action
- Who will be alerted and when—both within and outside the organization
- What technical steps will be taken to learn more and resolve each level of threat
- Which IT systems will be addressed first based on their criticality to the business
- What auditing measures will be taken to show company executives, investors, and regulators that proper steps were taken to handle the problem
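As an added example (not from the article, Tanium, or any vendor quoted above), here is a small Python triage routine for the first and fourth playbook items: it ranks a zero-day by severity and by which inventoried assets are actually exposed, orders those assets by business criticality, and flags endpoints with no software inventory as unassessed rather than assuming they are clean. Asset names, version numbers, the criticality scale and the CVE label are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    criticality: int                      # constructed scale: 1 (low) .. 5 (business-critical)
    software: Optional[Dict[str, str]]    # {package: version}; None = endpoint never inventoried


@dataclass
class ZeroDay:
    cve: str
    package: str
    fixed_in: str                         # first version that carries the vendor fix
    cvss: float


def _ver(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def triage(alert: ZeroDay, inventory: List[Asset]) -> dict:
    """Decide how loudly to react: severity alone is not the trigger, exposure is."""
    affected, unassessed = [], []
    for asset in inventory:
        if asset.software is None:           # you cannot patch what you cannot see
            unassessed.append(asset.name)
            continue
        installed = asset.software.get(alert.package)
        if installed is not None and _ver(installed) < _ver(alert.fixed_in):
            affected.append(asset)
    affected.sort(key=lambda a: a.criticality, reverse=True)   # most critical systems first
    if not affected and not unassessed:
        tier = "informational"               # nothing exposed, nothing unknown
    elif alert.cvss >= 9.0 and any(a.criticality >= 4 for a in affected):
        tier = "all-hands"                   # critical flaw on a business-critical system
    elif affected:
        tier = "scheduled-patch"             # real exposure, but not a five-alarm fire
    else:
        tier = "inventory-gap"               # only unknown endpoints: fix visibility first
    return {"cve": alert.cve, "tier": tier,
            "patch_order": [a.name for a in affected], "unassessed": unassessed}


# Constructed sample data: a library alert and four assets, one never inventoried.
SAMPLE_ALERT = ZeroDay("CVE-CONSTRUCTED-0001", "log4j-core", "2.17.0", 10.0)
SAMPLE_INVENTORY = [
    Asset("payments-api", 5, {"log4j-core": "2.14.1"}),
    Asset("wiki", 2, {"log4j-core": "2.17.1"}),
    Asset("lab-laptop-17", 1, None),
    Asset("hr-portal", 4, {"log4j-core": "2.12.0"}),
]
```

Running `triage(SAMPLE_ALERT, SAMPLE_INVENTORY)` yields an all-hands tier with payments-api ahead of hr-portal and lab-laptop-17 listed as unassessed, which is the answer to "how much do I need to care about this one?"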
“If you put in all the work now, when the five-alarm fire bells go off, you’ll have the confidence to know that most of what you’ll need to do is right there in your playbook,” says Bischoping.
Zero-day attacks are not a foregone conclusion. They might not affect most organizations, but they’re not going away.
“The battle is not done. We’re all going to have to continue fighting zero-days,” says Akamai’s Lauro. “The only easy day was yesterday, essentially.”