
Zero Day attacks continue to grow and to succeed. What must we do about it?

cuinsight.com 2024/10/6

Software providers will never make their applications “immune” to exploitable vulnerabilities. It’s time we act upon this reality.

In a recent online article, Jim Stickley and Tina Davis wrote about a Google report sharing the bad news that zero-day attacks continue to grow in number and impact: “Going UP! Zero-Day Attacks Spike 50%.”

The authors provide a succinct description of the attacks and the traditional security response. At the heart of these attacks are attackers finding previously unknown weaknesses in software. Once discovered, the flaw is exploited immediately, while the vendor has had zero days to fix it, which is why they are called “zero-day” attacks. At that point the hacker knows about the weakness, knows there is no fix available, and keeps exploiting it until one ships. Vendors release those fixes to the public as patches so that users can close the vulnerability too.

The authors also share the bad news that zero-day attackers are expanding their targets. Hackers are upping their zero-day efforts to include third-party and other outside software products, and in some cases are shifting away from consumer environments to focus on business software. For attackers, more potential targets translates to more zero-day possibilities. Google saw a 64% increase in business-specific vulnerabilities exploited last year, and an overall increase in the targeting of third-party vendors going back to at least 2019.

After providing some common-sense suggestions for end-users, they share the ACTUAL BAD NEWS.

First, the suggestions: “While developers will always be hoping to make their software immune to zero-day flaws, consumers can take steps to tackle their own exposure to these attacks until that happens. Since we know that might take a while, follow some basic advice: Always keep your device software up to date, keep phishing red flags top of mind, and use unique, strong passwords.”

Now, the BAD NEWS: The tough truth about zero-day attacks is that it takes days, months, or even years for a developer to discover the security flaw. It also takes time to create the update patch and distribute it to the public. The more time it takes to find and fix the flaw, the more opportunities there are to exploit it.

So, what do we do? We must deploy a zero-trust security model that demands hardened applications on all endpoints. I’ve written about this before, but the news from Google prompts me to say it again.

The zero-trust model posits that devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN, and even if they were previously verified. Modern enterprise networks consist of many interconnected segments, cloud services and infrastructure, connections to remote and mobile environments, and even non-conventional IT such as IoT devices. The traditional approach of trusting devices inside a corporate perimeter, or connected to it, makes little sense in such diverse and distributed environments.

The zero-trust approach calls for mutual authentication, including checking the identity and integrity of devices at every location, and grants access to applications and services on each request based on confidence in device identity and device health, combined with user authentication.

Zero trust, to me, is the answer to the real problem revealed by zero-day attacks, ransomware and other forms of malware. It is the answer to the problem posed by the question “how do I secure my environment from unauthorized users and processes?”

But zero trust will not succeed fully if organizations do not demand hardened applications on endpoints: applications that will not allow unauthorized processes to run.

Remember, the most insidious malware and ransomware enters an organization as executable code that mimics, or hides inside, the applications it hijacks, and then moves undetected through the network until it is too late to stop the damage. If we don't stop that behavior, we cannot fully embrace the zero-trust model, and we cannot fully focus on the problem ransomware reveals.

And, as Jim and Tina wrote, the tough truth about zero-day attacks is that it takes days, months, or even years for a developer to discover the security flaw. It also takes time to create the update patch and distribute it to the public. The more time it takes to find and fix the flaw, the more opportunities there are to exploit it.

To work the problem, we must stop unauthorized processes from running on endpoints and inserting malware into our networks. We need a game-changing solution for application hardening: one that ensures applications DO NOT RUN unauthorized, unverified processes. Otherwise we will never achieve the zero-trust security model needed to let our networks grow and evolve while protecting us from malware and the bad guys who create and deploy it.
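What the two ideas above look like when wired together, the zero-trust access decision (device identity, device health and user authentication evaluated on every request) and the endpoint rule that only approved executables may run, as an added example that is not from the article or from any product it refers to. It assumes a hypothetical enrollment database holding a per-device secret (HMAC-SHA256 stands in for a hardware-backed key and attestation), a hypothetical SHA-256 allowlist of approved builds, constructed byte strings in place of real binaries, and the user's MFA result arriving as a claim rather than being computed here.

```python
"""Zero-trust access decision with an executable allowlist (added example).

Assumptions, none of which come from the article: devices enroll with a
per-device secret and sign health reports with HMAC-SHA256 (a stand-in for a
hardware-backed key and attestation); the policy engine holds a SHA-256
allowlist of approved executables; the user's MFA result arrives as a claim.
"""
import hashlib
import hmac
import json
import time

# Constructed byte strings standing in for the approved builds of two binaries.
SAMPLE_BINARIES = {
    "/usr/bin/bash": b"\x7fELF constructed sample: bash",
    "/usr/bin/sshd": b"\x7fELF constructed sample: sshd",
}

# Constructed enrollment record: device id -> per-device secret.
ENROLLED_DEVICES = {"laptop-0042": b"constructed-enrollment-secret"}

MAX_REPORT_AGE_SECONDS = 300  # health reports older than this are stale


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist held by the policy engine: path -> hash of the approved build.
ALLOWLIST = {path: sha256_hex(data) for path, data in SAMPLE_BINARIES.items()}


# ---- device side ------------------------------------------------------------

def build_health_report(device_id, device_secret, running_executables, issued_at):
    """Hash the bytes of every running executable and MAC the report.

    running_executables maps path -> bytes actually on disk, so a binary
    that an exploit has modified yields a hash that is not on the allowlist.
    """
    report = {
        "device_id": device_id,
        "issued_at": issued_at,
        "running": {p: sha256_hex(b) for p, b in running_executables.items()},
    }
    body = json.dumps(report, sort_keys=True)
    mac = hmac.new(device_secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


# ---- policy engine ----------------------------------------------------------

def evaluate_access(user, signed_report, now=None):
    """Return (decision, reason) for one request.

    Nothing is trusted by default: not the network the request came from,
    and not an earlier verification of the same device.
    """
    now = time.time() if now is None else now

    # 1. User authentication: a completed MFA step is required.
    if not (user.get("authenticated") and user.get("mfa")):
        return "deny", "user not strongly authenticated"

    # 2. Device identity: the MAC must verify under an enrolled device's key.
    try:
        body = signed_report["body"]
        report = json.loads(body)
    except (KeyError, TypeError, ValueError):
        return "deny", "malformed health report"
    if not isinstance(body, str) or not isinstance(report, dict):
        return "deny", "malformed health report"
    secret = ENROLLED_DEVICES.get(report.get("device_id"))
    if secret is None:
        return "deny", "unknown device"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signed_report.get("mac", ""))):
        return "deny", "device identity could not be verified"

    # 3. Freshness: a report verified earlier says nothing about the device now.
    issued_at = report.get("issued_at")
    if not isinstance(issued_at, (int, float)) or now - issued_at > MAX_REPORT_AGE_SECONDS:
        return "deny", "health report stale"

    # 4. Device health: every running executable must match an approved hash;
    #    an unknown path or a modified binary fails this check.
    for path, digest in report.get("running", {}).items():
        if ALLOWLIST.get(path) != digest:
            return "deny", f"unauthorized process: {path}"

    return "allow", f"{user.get('name')} on {report['device_id']}"


if __name__ == "__main__":
    now = int(time.time())
    alice = {"name": "alice", "authenticated": True, "mfa": True}
    key = ENROLLED_DEVICES["laptop-0042"]
    print(evaluate_access(alice, build_health_report("laptop-0042", key, SAMPLE_BINARIES, now), now))
    tampered = dict(SAMPLE_BINARIES, **{"/usr/bin/sshd": b"\x7fELF constructed sample: sshd + implant"})
    print(evaluate_access(alice, build_health_report("laptop-0042", key, tampered, now), now))
```

Two design points matter more than the code. The freshness check is what makes "even if they were previously verified" real: a report that passed five minutes ago is re-evaluated, not cached. And the hash allowlist catches the case the article describes, an attacker's code replacing or hiding inside a legitimate application on disk, but not an implant that lives only in the memory of an already-running, approved process; for that, the enforcement has to sit in the operating system (Windows WDAC or AppLocker, Linux fapolicyd or IMA) and the health evidence should come from hardware-backed attestation rather than from the device reporting on itself, as it does in this simplified example.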

There are, finally, solutions coming online. Ask me about them.
