The perpetual challenge of keeping endpoints patched only gets more complicated when zero-days are added into the mix. According to the 2023 Data Breach Investigations Report, the top three methods attackers use are stolen credentials, phishing, and the exploitation of vulnerabilities. Additionally, Google’s Threat Analysis Group noted that 40 percent of in-the-wild zero-days were variants of previously reported vulnerabilities.
Clearly, patching endpoints and their vulnerabilities is a crucial practice to have in place to safeguard against breaches. It bears mentioning that the time, resources, and energy to keep endpoints updated from regular patches can already be a grind, and guarding against zero-day vulnerabilities can and will further stretch IT team bandwidth. But, at the end of the day, the question isn’t if a zero-day vulnerability will present itself, but when. This necessitates a proactive approach to patch management, and a plan in place for the inevitable event of needed zero-day patching.
What is at stake?
The cost of a ransomware attack through a zero-day vulnerability is much more than just a ransom. There is the lost revenue from downtime, remediation costs, audit fees and legal fees. Publicly traded companies are also at risk of losing—on average—7.5 percent of stock value from an exploit.
On top of financial losses, attackers are increasingly using triple extortion: threatening to release sensitive information publicly, disrupting access to internet or data, or informing suppliers, shareholders, or partners of the breach.
The differences between a zero-day attack, zero-day vulnerability, zero-day exploit and a zero-day patch
There are typically a few key terms necessary to understand when discussing zero-days.
- Zero-day vulnerability – A flaw in hardware or software that has not been patched or fixed. To put it simply, a vulnerability is a defect in a system that bad actors can use to create tools or exploits to then attack said system.
- Zero-day exploit – A technique or malware that takes advantage of a vulnerability to access or control a system.
- Zero-day attack – An exploit actively being used for ill purposes. An attack that exploits a previously unknown hardware, firmware or software vulnerability.
- Zero-day patch – An update released to fix a previously unknown vulnerability.
Setting up for success against zero-day vulnerabilities
Have an active inventory of devices and endpoints
An active inventory system for tracking devices and software is crucial so you know what has or has not been updated. Additionally, regular scans to find devices and software that have reached end of life and are no longer receiving updates are also important. Patching will not help if the system or software has no new patches to apply.
Insight into every device is key to finding and patching rogue endpoints and avoiding weak areas in your systems.
Protect systems and data at multiple levels
Many times, successful attacks are accomplished by a chain or multiple types of attacks. To break this chain of attack, defense in depth is required. This means protecting your systems and data at multiple levels, not just one. For instance, a critical server may have a zero-day vulnerability, but if your network and firewalls keep the attacker out, they cannot leverage that zero-day exploit.
Endpoint security tools, employee training and behavioral detection are key components to include as part of your defense in depth layers.
On top of that, implementing zero trust where users must be authenticated and are governed by a least privilege framework offers an additional layer of security.
Defense in depth is a key strategy to help organizations resist attacks, as many exploits use different tools or exploits to reach their target. Disrupting that chain lessens the chances of a successful attack.
A regular cadence of patching operating systems, applications and firmware is absolutely crucial. Not all attacks are zero-day, but many are built on known vulnerabilities. The least expensive and easiest way to stay protected is patching regularly.
Have backups in place
Preparation planning and prevention are key to navigating an ever-changing threat landscape. While managing backups is a bit outside the scope of patch management, backups are a safety net. Reliable backup strategies in place allow teams to protect and restore data in the event an update goes wrong. Immutable backups paired with the 3-2-1 rule is a great place to start.
Have a zero-day patching process
When a zero-day vulnerability is discovered and vendors are made aware of it, they can quickly work to produce a patch to mediate or fix it. The clock is ticking though, and the goal is to patch that system as soon as a patch is available.
If a patch is not available, consider any temporary mediations available. Some of these temporary mediations may include adjusting select settings or temporarily disabling access to different systems. The system creator’s website may also suggest some possible remediating steps.
Once an emergency patch is issued, it’s crucial to have infrastructure that can quickly target the affected devices with specific patches needed. Ensure you have a validation or reporting mechanism to make sure all systems are updated. With a zero-day vulnerability, issuing a patch quickly is often more important than making sure the update is fully tested.
Continue to monitor the situation. Even though patching the vulnerability is more important than the minor issues that may arise in integrating the emergency patch, the ability to roll back an update can be a critical capability in the unlikely—but not unheard of—event that a patch does more harm than good.
Establish a plan for zero-day attacks
One of the biggest mistakes organizations make when it comes to handling zero-day attacks is not having a plan in place. Steps should be documented ahead of time for before, during and after an attack. Make sure people are trained and ready to respond. Keep an offline copy of your plan in a binder, in case you lose all network access. A great resource to get started is CISA’s Incident Response Plan Basics guide.
In any organization, patches should be issued on a regular basis to update software, operating systems and firmware. Zero-day vulnerabilities will be discovered, and emergency updates will need to be issued. These perpetual and ever-present challenges underscore the critical need for a proactive approach to patch management.
By taking steps to proactively develop a plan for zero-day vulnerabilities, the better equipped your organization is to respond to potential exploits and deploy zero-day patches.