Of all the types of security threat faced by businesses today, perhaps the most ominous are 'zero-day attacks', so-called because when they strike, no known or comprehensive solution exists to counter the vulnerabilities they exploit. As such, time is not going to be on the target organisation's side. With such a dramatic rise in such attacks, chances are something will get through, so it's no longer a question of 'if', it's 'when'. So how can you reduce the risk and limit the impact?
How can organisations best set themselves up to mitigate the risk from such attacks? We believe the answer is to consider them in terms of our four pillars of security protection: planning and preparation, prevention, detection and response, and recovery and resolution. Let's take a look at how these apply across the stages of a zero-day attack.
First, even if the exact scope and scale of an attack isn't known in advance, its chances of success can still be reduced through planning and preparation. Ensuring the security of the organisation is up to date and effective covers many areas of traditional good practice: security policies are current, systems are securely architected, detection capabilities are comprehensively deployed, users are provisioned correctly, systems are patched, data is backed up, and so on.
Equally, those tasked with keeping a business secure can keep one eye on the horizon, maintaining a view of the security risk landscape and ensuring any weaknesses are addressed as well as possible, as soon as they are discovered - which brings us to prevention. By their nature, zero-day vulnerabilities cannot be completely resolved; however, they can be mitigated - not least by assuring the security of the systems and software in use.
Even if a zero-day vulnerability exists, it does not have to go unprotected. For example, while a patch may not yet be available for a recently discovered security hole in an enterprise software package, access to the package could perhaps be restricted in some way until the patch is issued, for instance by allowing only terminal-based or LAN-based access. While this might be inconvenient, the productivity cost could well be smaller than the security gain.
In many cases, zero-day vulnerabilities only become known at the time of an attack - leading us to detection and response. Even so, it is to be hoped that careful preparation and more general prevention will limit their impact when such an attack takes place. As soon as it is detected, whether within the organisation, via an external service or through a news report, the security team can set about defining and implementing a response.
Speed is of the absolute essence - any delay in isolating the problem, identifying the vulnerabilities it exploits and preventing its spread could result in widespread damage. This requires established communication paths. For example, a 'security incident breach response' procedure that includes board members who can sign off any necessary remediation may be the difference between a smooth response and one which drags on for dangerous hours. In addition, having an expert third-party security response team on retainer can help to flex capacity to meet the additional workload required in an emergency; the last thing you want to be doing during an attack is negotiating contract terms with a vendor.
The final stage is recovery - returning the organisation to normal. As with initial planning, a well-prepared organisation benefits from faster recovery times as systems, services and data are restored. This means keeping a clear picture of the IT architecture as a whole, so that any damage (on desktops, servers or elsewhere) can be dealt with without impacting the broader environment.
The bottom line is that while zero-day attacks might be the great unknown, they do not have to be treated as 'unprotectable' - there is still plenty organisations can do to ensure they do not bring down the enterprise.
Our Security Response team regularly shares information and analysis on malware, security risks, vulnerabilities and spam, and on protection against them, on its blog on Symantec Connect: Security Response Blog.