Maksim Kabakou - Fotolia
The recent Microsoft Exchange hack reminds us that new cyberthreats are around every corner. By nature, zero-day attacks give threat actors the upper hand, enabling them to target systems they think are vulnerable. However, zero-day attacks can be prevented. There are measures to take to help identify zero-day threats, narrow the exposure window and patch systems before any real damage is done. Here are three critical steps to take now.
1. Maintain comprehensive visibility
Today's dynamic environments offer attackers plenty of opportunities to slip in unnoticed. Defending against zero-day threats requires comprehensive visibility into the network. It's essential to understand where all assets are and how they work normally to recognize the abnormal activity that can indicate the early stages of an attack. Continuously monitoring endpoints, SaaS and cloud environments, and custom web apps can provide the visibility necessary to identify potential vulnerabilities and threats. Detections can also be deployed along the attack kill chain. Attackers are placing a bet that resources to attain this level of visibility have not been deployed.
2. Check vulnerability advisory feeds
Just as seasoned detectives keep their ears to the ground to gather information, security admins should tune into the chatter around evolving cyberthreats. The unrelenting pace of attacks and the 24-hour news cycle guarantees a readily available wealth of information about new vulnerabilities, developing threats and breaches. Keeping up with it all can be daunting, but there are some strategies to filter the noise and get the information needed.
Make a habit of checking vulnerability alert and advisory feeds. Sites such as SANS Internet Storm Center, SecLists.org and the National Vulnerability Database provide alerts and vulnerability discussions, exploitation techniques and some industry gossip. Often, the first indicators of a new threat and its targets are discussed in such forums. These conversations can help security teams defend vulnerable parts environment before the threat is even known.
Following security insiders and security-related topics on social media is another way to stay informed. For example, Twitter makes it easy to follow real-time discussions about current cybersecurity, thanks to hashtags for trending topics. Users can also create their own content feeds around particular topics, vendors and security insiders.
3. Have a patch management plan
It's important to coordinate a patch management plan with ITOps, development and security teams. This will enable the quick patching of critical systems once vendors release fixes for the zero-day vulnerability.
Patch management is a process many organizations struggle with. Applying patches in complex modern environments can sometimes have unintended effects, such as slowing down hardware, disabling systems or hampering business operations. Patches can also take significant time and resources, as staff must test and deploy patches and reboot systems to complete the implementation. Automated patch management can alleviate these issues. These products download patches from vendors, scan the environment for missing patches, test the changes introduced by the patch, automatically deploy the patches and report on the status of the patch management process.
Note that patch management can't prevent zero-day attacks, but it can reduce exposure to them. Software vendors may issue a patch for a severe vulnerability within hours or days of its publishing. An effective patch management plan will help security teams deploy patches before attackers can exploit the vulnerability and compromise systems.
Partnering with an MDR provider for stronger protection
Typically, only large enterprises have the in-house resources needed to mount an effective defense against zero-day threats. Small and medium businesses lack the staff, tools and expertise to maintain the measures outlined above. For those organizations, it may make sense to partner with a managed detection and response (MDR) provider.
MDR can help protect against zero-day attacks. It emphasizes the deep visibility and 24/7 monitoring that helps organizations identify unauthorized events taking place anywhere in their environment. It's also informed by continuous threat intelligence to stay apprised of current threats and vulnerabilities across an organization's network, endpoints, servers and cloud environment. When a threat is detected, MDR provides a business with the guided expertise and human intermediation needed to investigate and remediate that threat.
About the author
Rohit Dhamankar is vice president of threat intelligence at Alert Logic. Dhamankar has more than 15 years of security industry experience across product strategy, threat research, product management and development, technical sales and customer solutions. Prior to Alert Logic, Dhamankar served as vice president of product at Infocyte and founded security consulting firm Durvaankur. He holds two Master of Science degrees: one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.