The Biggest Misconception About Zero-Day Attacks
While security researchers constantly try to identify and report zero-day vulnerabilities, if those vulnerabilities are not patched and security controls are not updated, the threat remains real. Cato Networks' MDR team investigated patch adoption rates and how to mitigate the risk posed by vulnerable systems in your network.
Not every software is vulnerable, not every vulnerability is exploitable, and not every exploit is usable – but when everything aligns and a patch has yet to be released, you have a zero-day attack in the making. A lot has been written about zero-day attacks and their potentially devastating outcome, from attacks targeting critical infrastructure to telcos to operating systems. However, a common misconception about zero-day attacks is that once they are disclosed and a patch is made available – the problem is solved, and we can move on. Unfortunately, that is not true.
The MDR team at Cato Networks recently investigated browser patching by pulling stats from our customers’ traffic flows. Based on data from more than 8,000 customers the team noticed that 38% of all Firefox users are not using the latest version. Even more interesting, 20% of Chrome users (which is hands down the most popular browser) have yet to patch the recent Chrome zero-day exploit. This exploit, which was likely used to target security researchers by the North Korean Lazarus group, has been identified and a patch was released almost two weeks ago. Yet, it remains an attack vector since some have not updated their browser to the latest version.
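The kind of measurement described above, pulling browser versions out of traffic and counting how many clients lag behind the patched release, can be reproduced from an ordinary proxy log. The following is an added example, not Cato's code: it assumes a simple log line format (timestamp, client IP, quoted User-Agent) and uses constructed sample lines and placeholder minimum versions, which you would replace with the versions named in the vendor advisory you are tracking.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not real customer traffic).
SAMPLE_LOGS = [
    '2021-02-10T09:12:01Z 10.0.0.11 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"',
    '2021-02-10T09:12:07Z 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36"',
    '2021-02-10T09:13:44Z 10.0.0.13 "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0.1"',
    '2021-02-10T09:14:02Z 10.0.0.14 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"',
    '2021-02-10T09:15:19Z 10.0.0.15 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36"',
    '2021-02-10T09:16:30Z 10.0.0.16 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15"',
]

# Placeholder "first patched" versions (assumed for this example; take the real
# numbers from the vendor advisory for the vulnerability you are tracking).
MIN_PATCHED = {"Chrome": (88, 0, 4324, 150), "Firefox": (85, 0, 1)}

# Note: Chromium-based browsers (Edge, Opera) also carry a "Chrome/x.y" token,
# so they are counted under Chrome here unless you filter them out first.
UA_RE = re.compile(r"(?P<browser>Chrome|Firefox)/(?P<version>[\d.]+)")


def parse_version(text):
    """Turn '88.0.4324.150' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify(user_agent):
    """Return (browser, is_outdated), or None if the UA is not Chrome/Firefox."""
    match = UA_RE.search(user_agent)
    if not match:
        return None
    browser = match.group("browser")
    version = parse_version(match.group("version"))
    # Tuple comparison: a shorter prefix like (85, 0) sorts below (85, 0, 1).
    return browser, version < MIN_PATCHED[browser]


def outdated_share(log_lines):
    """Fraction of sightings per browser that run a version below MIN_PATCHED."""
    seen, outdated = Counter(), Counter()
    for line in log_lines:
        user_agent = line.split('"', 1)[1].rstrip('"')
        result = classify(user_agent)
        if result is None:
            continue  # other browsers are out of scope for this check
        browser, is_old = result
        seen[browser] += 1
        outdated[browser] += is_old
    return {b: outdated[b] / seen[b] for b in seen}


if __name__ == "__main__":
    for browser, share in outdated_share(SAMPLE_LOGS).items():
        print(f"{browser}: {share:.0%} of sightings below the patched version")
```

Counting sightings rather than distinct clients overweights chatty hosts; group by client IP or device ID first if you want a per-user figure like the percentages quoted above.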
Frank Abagnale, whose life story was portrayed in the movie ‘Catch Me If You Can’ and who is an FBI agent investigating cyber breaches, said in one of his talks that “Every breach occurs because somebody in that company did something they weren’t supposed to do or somebody in that company failed to do something they were supposed to do.” Companies still fail at updating and patching systems.
To make things worse, attackers don’t need the resources of a nation-state actor to identify vulnerable systems. In my last blog, I showed examples of vulnerable systems found through Shodan, a great search engine for connected devices. And Shodan isn’t the only tool attackers can use to easily identify vulnerable systems. With Censys, for example, even simple queries turn up systems vulnerable to POODLE, a six-year-old TLS vulnerability. With six years under our collective belts, one would expect POODLE to be long gone, but alas, below are just some of the POODLE-vulnerable systems found on Censys:
While for some systems the patching and updating process is controlled solely by the IT team, in other cases operating systems and browsers rely on the user’s actions. Patching can be a tough, lengthy process, and so security teams do not rely on it alone.
This is where Cato’s Managed Detection and Response (MDR) service comes into play. Attackers have multiple advantages today; the most obvious one is that they have the initiative: they make the first move. As complete prevention is impossible, security teams have come to rely on fast (as in minutes and hours, not days and months) detection and response once the IOCs of a new attack become available.
Within hours, if not minutes, of learning about a threat, Cato updates all customer defenses. Think about that for a moment. Even if the threat is discovered while assisting a different customer, your network would be updated and protected. One recent example is the case of Sunburst, where customer defenses were updated within a couple of hours of the IOCs’ release. Contrast that with industry expectations that Sunburst vulnerabilities will linger for months and years in enterprise defenses. This means that even if an enterprise fails to patch a system, the system would still be protected against a Sunburst exploit by Cato defenses.
As we encounter more attacks, some in the form of supply chain attacks, others in the form of nation state zero-day vulnerabilities, we need to remember that knowing about the vulnerability isn’t enough. We must patch our systems — ASAP.
But given the impossibility of ever getting patching perfect, we need to ensure our security stacks can detect and prevent attacks on our connected systems. Failure to do so is, in Mr. Abagnale’s words, becoming the “somebody” who “failed to do something they were supposed to do” and we all know how that ends.