There's more to security response than patching
When vendors and researchers announce a zero-day vulnerability, security people jump into action. The recently discovered flaw in Apache Log4j, a widely used logging library written in Java, is a perfect example. An updated version of Log4j was released as the vulnerability was announced, so responsible admins applied the updates as soon as possible. But is that where their responsibility ended?
Within days of the flaw's announcement, reports of active attacks began to surface. The Apache Software Foundation disclosed the vulnerability on Dec. 9, and by Dec. 11 the New Zealand Computer Emergency Response Team was warning of malicious activity: "Reports from online users show that this is being actively exploited in the wild and that proof-of-concept code has been published." It's logical to assume that these attacks were created after the vulnerability was disclosed. Still, there may have been attacks before that, attacks sophisticated enough to have gone undetected.
The rise of zero-days and the window of risk
The Log4j flaw was a zero-day vulnerability, meaning one that is disclosed before patches are available. A zero-day exploit is the worst-case scenario, one in which an effective exploit is in the wild before a patch is available.
In recent years, according to a tally maintained by Google and others, the number of zero-day exploits has been trending higher. In 2021, 57 such exploits were counted, compared with 2014, when 11 zero-days came to light.
With some zero-days, the vulnerability may be disclosed before attacks are launched or a patch is available. In the initial hours after such a disclosure, the attackers have the advantage. Typically, the software provider will get to work immediately developing a patch and, hopefully, help customers monitor for signs of compromise. Should attacks be identified, the associated tools, techniques, and procedures should be shared with customers. At some point, the software maker will issue a patch to fix the vulnerability.
During this period, attackers are busily developing their own tools to exploit the software flaw. "It's easier to create working exploits than it is to get patches out that work and don't create additional disruptions," says Scott Crawford, a security analyst at 451 Research.
That's why the time between when the zero-day vulnerability becomes known and when an enterprise can successfully patch its at-risk software is a significant and dangerous window. As such, even after patches have been successfully deployed within organizations, there is a chance that organizations have already been breached and active attacks are underway.
Chris Blow, director of offensive security at Liberty Mutual, says the company will enact extra monitoring around patched systems or resources, especially if it's a nasty vulnerability close to business-critical systems. "We will actively look for indicators of compromise, and we will bring in various security teams to plan how we can mitigate the risk," Blow says.
Best practices are not enough
"When it comes to externally facing zero-days, there's a good chance that organizations are actively being targeted and may have already been compromised," says Michael Farnum, CTO at Set Solutions. "It's why it's not enough to patch and move on."
He adds, "You want to investigate to determine if your organization has been compromised or if any applications have been accessed. You need to place strict egress filtering on your firewalls so that you can stop a later phase of a potential attack."
Of course, patches often can't be rapidly deployed throughout an enterprise for various reasons, even during the best of circumstances. "You'd like to get patches out immediately," says Simon Leech, operational security lead at Hewlett Packard Enterprise. "Such as on Microsoft Patch Tuesday, you'd want to get those patches to all of your 5,000 Windows servers. But, practically, that's difficult to do."
Why can't enterprises simply schedule their patches and deploy them? It turns out there are plenty of reasons. First, those patches need to be tested internally against the servers and applications, as well as the other resources in the environment. "You have to make sure they're not going to conflict with a major critical business application," says Leech.
And under the typical patching workflow, enterprises need to identify what zero-day vulnerabilities exist within their environments and where, then determine what vulnerabilities pose the most significant risks to the most valuable systems and data, and then remediate systems based on priority.
Threat hunting: A critical step
The same business-criticality rules apply to hunting for zero-day attacks. No organization has the resources to constantly and retroactively threat hunt for every recent zero-day. "For zero-days with a lot of activity around them, you need to look for signs of attack. You have to examine your logs for related activity. You have to look for indicators of compromise," says Blow.
"Today, mature cybersecurity operations centers will be retaining logs for at least a month," explains Leech. "That's enough data to evaluate for threats and search for indicators of compromise."
Leech says following the patching of a zero-day vulnerability, organizations must continue to look for potential related suspicious activity. "You want to look for activity from new IP addresses or requests to domain names that have only been registered within the past 24 hours. When you find anything like that, you can start to investigate more closely," he explains.
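The retroactive hunt Leech describes, combined with the month of retained logs mentioned above, can be expressed as a simple pass over proxy logs. The following Python script is an added illustration, not code from the article or from any of the companies quoted; the log lines, the pre-disclosure IP baseline and the domain registration dates are all constructed sample data, and the registration-date dictionary stands in for a WHOIS/RDAP enrichment lookup that a real hunt would query instead.

```python
"""Retroactive hunt over retained proxy logs: flag requests from client IPs
absent from a pre-disclosure baseline and requests to domains registered
less than 24 hours before the request, examining only lines that fall inside
the log retention window.  Every log line, the baseline and the registration
dates below are constructed sample data, not real telemetry."""
from datetime import datetime, timedelta

# Constructed proxy log excerpt, one request per line:
# "<ISO-8601 timestamp> <client IP> <requested host>"
SAMPLE_LOG = """\
2021-10-01T08:00:00 198.51.100.9 old-archive.example
2021-12-08T09:12:01 10.0.0.14 updates.example.com
2021-12-10T22:05:44 10.0.0.14 cdn.example.net
2021-12-10T22:06:10 203.0.113.7 fresh-payload.example
2021-12-11T03:41:19 10.0.0.31 known-vendor.example.org
2021-12-11T03:42:02 10.0.0.31 brand-new-c2.example
"""

# Constructed baseline: client IPs seen in the weeks before the disclosure.
BASELINE_IPS = {"10.0.0.14", "10.0.0.31"}

# Constructed stand-in for a WHOIS/RDAP enrichment lookup (an assumption of
# this example; a real hunt would query a registration-data service).
REGISTRATION_DATES = {
    "old-archive.example": datetime(2010, 5, 1),
    "updates.example.com": datetime(2015, 3, 2),
    "cdn.example.net": datetime(2018, 7, 19),
    "known-vendor.example.org": datetime(2012, 1, 5),
    "fresh-payload.example": datetime(2021, 12, 10, 12, 0),
    "brand-new-c2.example": datetime(2021, 12, 11, 1, 30),
}


def parse_line(line):
    """Split one log line into (timestamp, client_ip, host)."""
    ts, ip, host = line.split()
    return datetime.fromisoformat(ts), ip, host


def hunt(log_text, baseline_ips, registration_dates, as_of,
         retention_days=30, new_domain_window=timedelta(hours=24)):
    """Return one finding per suspicious request inside the retention window.

    as_of: ISO-8601 string for 'now'.  Lines older than as_of - retention_days
    are skipped: they are assumed to have rotated out and cannot be evaluated.
    """
    now = datetime.fromisoformat(as_of)
    oldest = now - timedelta(days=retention_days)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, host = parse_line(raw)
        if ts < oldest:
            continue  # outside the retained window
        reasons = []
        if ip not in baseline_ips:
            reasons.append("new_source_ip")
        registered = registration_dates.get(host)
        if registered is None:
            reasons.append("registration_date_unknown")  # needs enrichment
        elif timedelta(0) <= ts - registered <= new_domain_window:
            reasons.append("newly_registered_domain")
        if reasons:
            findings.append({"timestamp": ts.isoformat(), "ip": ip,
                             "host": host, "reasons": reasons})
    return findings


def run_sample():
    """Run the hunt over the constructed data as of 2021-12-15."""
    return hunt(SAMPLE_LOG, BASELINE_IPS, REGISTRATION_DATES,
                as_of="2021-12-15T00:00:00")


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["timestamp"], finding["ip"], finding["host"],
              ", ".join(finding["reasons"]))
```

Each flagged line is a starting point for the closer investigation Leech mentions, not a verdict: a host whose registration date cannot be resolved is reported separately so it is enriched rather than silently ignored, and the October line is dropped because it falls outside the 30-day retention window and so cannot be evaluated at all.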
Vendors often provide guidance on how to respond to specific vulnerabilities, and it needs to be carefully evaluated. In "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities," Microsoft provides specific guidance with respect to a series of vulnerabilities disclosed in March 2021. As it notes, "Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server."
451 Research's Crawford says enterprises are taking the risks seriously. In a recent survey of enterprises, extended detection and response (XDR) capabilities topped the list of security pilot or proof-of-concept priorities in the next six to 25 months. XDR capabilities capture and connect data across the enterprise environment, including application logs, cloud workloads, endpoint and network telemetry, and servers, to aid in the type of threat investigations Blow and Leech describe. "It illustrates a high sensitivity to threat detection, and this sensitivity will certainly ramp up in the coming year, especially following the Log4j vulnerability," says Crawford.
Finally, one of the biggest challenges for enterprises trying to effectively mitigate zero-day attack risks and hunt down potential threats in their environment is the lack of cybersecurity professionals skilled in these areas. "This is why we've seen this boom toward service providers, especially managed threat detection and security operations center as a service," says Crawford.
"With all of the zero-day activity and the increase in sophisticated attacks, threat detection designed to identify potentially malicious activity surrounding these events is going to grow in importance," says Crawford. "Enterprises need to be better aware of what is going on in their environments."
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.