Why a response to zero-day attacks starts right now


When it comes to cybersecurity, it is often the most mundane things that catch a business out, not the glaring, big-ticket items you would suspect of causing a data breach: access credentials shared over unprotected channels, outdated networking hardware still connected that nobody has noticed, or a poorly configured operating system.

Simple issues like these are ticking time bombs, waiting for a malicious actor to notice them. Attackers constantly update and evolve how they compromise systems, and while businesses must keep raising the sophistication of their defenses, they cannot ignore the simple things they can do to protect themselves.

Eamonn Keane

Eamonn Keane is Global Director of Digital Forensics & Incident Response at Systal.

Zero-day attack

The revelation in May that Barracuda, a major security vendor with over 200,000 business customers, had suffered a significant zero-day attack is just the latest example of this truth. A zero-day vulnerability is in many ways the golden egg of the cybercriminal community: a flaw the software vendor does not yet know about, or has not yet patched, so there is no fix to apply and it can be used to access systems and exfiltrate data with relatively little resistance. In the worst case (or, for an attacker, the best case) such a vulnerability can be exploited for months or even years before it is identified and remedied.

In this instance, the zero-day vulnerability was in the vendor's Email Security Gateway product, an appliance that sits in the mail path and handles every message, which is why it raises questions about the wider risk profile of every Barracuda customer further down the line. Businesses should not simply sit back and accept being the victim of a zero-day attack as inevitable. Being ready, with defenses battle-tested and everyone knowing their roles and responsibilities, is crucial. Response preparedness, strategic security design, and employee support all have important roles to play in mitigating the damage a zero-day attack can do.

You will never know in advance when a zero-day attack will happen. It could be 9pm on a Friday night when all the senior people are on a plane for the next six hours, or the middle of the night, hence the need to know who does what and when. Security teams should have clearly defined processes and platforms in place that name responsible individuals as points of contact and a methodology they will follow: isolating affected systems, conducting forensic analysis to understand the extent of the breach, and remediating, in real time where possible. With a true zero-day there is no vendor patch yet, so early remediation means containment and compensating controls until one arrives.

Once an attack starts, you cannot waste valuable time deciding who should be where and when, or which partner should be called first. A modern, well-equipped security operations center should be deepening its insight into network traffic as a whole as well as hardening specific potential points of vulnerability. AI-informed analytics probes deployed at the edge of the public network can monitor traffic flows, flag anomalies to analysts and automate the first steps of identifying a breach, so that damage is neutralized faster.

The work the security team has to do will be easier and faster if the extent of the breach is smaller, which is usually the case when the business has done the checks and balances mentioned above. When it comes to business email compromise, that may also involve additional controls: email authentication protocols (SPF, DKIM and DMARC) that let a receiving gateway detect and block messages spoofing your domain, and more specialized tools that scan for threats like phishing.
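To make concrete what those email authentication protocols do at a gateway, here is an added example that is not from the article, from Systal or from Barracuda: a minimal DMARC policy evaluator in Python. It takes the SPF and DKIM results a receiving gateway has already computed, checks identifier alignment against the From: domain as RFC 7489 describes, and returns the disposition the domain owner's published policy asks for. The DMARC records, the domains (example.com, example.org, attacker.net) and the messages are constructed sample data embedded inline; nothing is fetched from DNS, and the organizational-domain logic is a two-label approximation of what a real receiver does with the Public Suffix List.

```python
from dataclasses import dataclass

# Constructed sample DMARC records (what a receiver would fetch from the
# _dmarc.<domain> TXT record in DNS). Both domains are hypothetical.
SAMPLE_DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc_record(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying DMARC defaults
    (relaxed alignment for both DKIM and SPF, no separate subdomain policy)."""
    tags = {"adkim": "r", "aspf": "r", "sp": None}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximation of the RFC 7489 organizational domain: the last two
    labels. A production receiver uses the Public Suffix List; this assumes
    no multi-label public suffixes such as co.uk in the inputs."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment. Strict ('s') needs an exact match with the
    From: domain; relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What the gateway already knows after running SPF and DKIM checks."""
    from_domain: str   # domain of the RFC 5322 From: header (what the user sees)
    spf_pass: bool     # SPF verdict for the SMTP MAIL FROM domain
    spf_domain: str    # the MAIL FROM domain that SPF was evaluated against
    dkim_pass: bool    # at least one DKIM signature verified
    dkim_domain: str   # d= of the verified signature, "" if none


def dmarc_disposition(msg: AuthResults, records=SAMPLE_DMARC_RECORDS) -> str:
    """Return 'none' if the From: domain publishes no policy, 'pass' if an
    aligned SPF or DKIM result exists, otherwise the action the policy asks
    for: 'reject', 'quarantine' or 'monitor' (p=none, report only)."""
    org = organizational_domain(msg.from_domain)
    # DMARC looks up the exact From: domain first, then the organizational domain.
    record = records.get(msg.from_domain.lower()) or records.get(org)
    if record is None:
        return "none"
    policy = parse_dmarc_record(record)
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_domain, policy["adkim"])
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    action = policy["p"]
    # sp= overrides p= when the From: domain is a subdomain of the org domain.
    if msg.from_domain.lower() != org and policy.get("sp"):
        action = policy["sp"]
    return "monitor" if action == "none" else action


# Constructed sample messages: one legitimate, three forms of domain spoofing,
# one against a report-only domain, one against a domain with no policy.
SAMPLE_MESSAGES = {
    "legit_spf_relaxed": AuthResults("example.com", True, "bounce.example.com", False, ""),
    "spoof_spf_attacker": AuthResults("example.com", True, "mail.attacker.net", False, ""),
    "spoof_dkim_attacker": AuthResults("example.com", False, "mail.attacker.net", True, "attacker.net"),
    "strict_dkim_subdomain": AuthResults("example.com", False, "", True, "mail.example.com"),
    "monitor_only": AuthResults("example.org", False, "", False, ""),
    "no_policy": AuthResults("other.test", False, "", False, ""),
}


def run_samples() -> dict:
    """Evaluate every constructed message and return name -> disposition."""
    return {name: dmarc_disposition(msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} {verdict}")
```

The point to notice is alignment: an attacker can easily get a passing SPF or DKIM result for a domain they control, but that result does not align with the spoofed From: domain, so the message is still rejected under example.com's policy. The strict-DKIM case shows the flip side for defenders: with adkim=s, mail signed by a legitimate subdomain (mail.example.com) also fails, which is why a p=none monitoring phase before enforcement matters.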

Security posture

Businesses can also think about identifying and protecting the likely next steps an attacker will take once your email has been successfully compromised. Strong internal controls over financial transactions, for example, stipulate multiple levels of internal approval, making it significantly harder for a fraudulent fund transfer to be executed without someone intervening.

User training is also crucial for spotting something that is 'just not right'. Staff are a huge resource, and the importance of teaching them to identify issues early and escalate them to the security team as soon as possible cannot be overstated.

The risk of zero-day vulnerabilities is not going anywhere; in fact, as digitalization continues and IT, IoT and OT infrastructure grows more extensive, they are likely to make bigger headlines in the future. But that does not mean the fight against cyber threats is lost: patching promptly once fixes are released keeps you ahead of everything that is no longer a zero-day, and a hardened environment limits what a genuine zero-day can reach.

As I've mentioned, a well-maintained security posture, with everyone knowing their role and partners ready to respond, remains one of the best defenses even when the issue at hand is a zero-day attack. A zero-day vulnerability, while it may lead to damage and loss, is rarely a skeleton key for the whole IT infrastructure, and the more hardened the other systems are, the harder attackers will find it to fully press their advantage.

The lesson of events like the Barracuda zero-day is that we can all do more to seek improvement and prepare for the inevitable attacks and likely breaches. With cybersecurity you can never be confident of repelling every attack, but you can do everything in your power to keep ahead of those intending to do you harm.

