Why there needs to be zero tolerance for zero-day cybersecurity risks

By Danny Lopez, CEO of Glasswall.

  • 1 month ago Posted in

Zero-day cybersecurity vulnerabilities are among the most dangerous risks faced by organisations today because – until they are patched – they remain unknown to technology vendors and users. The scope of the threat is also alarming because weaknesses can exist within operating systems, applications or devices and can go undetected for days, weeks or even years before being found.

 

When exploited by threat actors, zero-day vulnerabilities can be used to gain unauthorised access to networks, steal sensitive data or as a way to cause major disruption to technology services and even critical infrastructure. But how widespread is the threat and what can organisations do to better protect themselves?

 

According to research published by Google earlier this year, nearly 100 zero-day vulnerabilities were spread across unprotected devices and users in 2023 – that’s an increase of 50% compared to 2022. This seems tiny compared to the level of ransomware attacks taking place every year (there are estimated to have been over 317 million last year), but a single zero-day exploit can impact thousands of organisations at a time. A case in point is the MOVEit breach last year, which was described as “the biggest hack of 2023” and is thought to have impacted well over 2,000 different organisations.

 

Among the other notorious examples of zero-day attacks is 2017’s Petya and NotPetya exploit. Described as “the attack that shook the world,” it had an estimated financial impact of up to $10 billion. Also in 2017 was the WannaCry attack, which infected between 200,000 and 300,000 devices worldwide, including those operated by the NHS, resulting in a collective bill of around $4 billion.

 

Looking ahead, the risks are expected to increase. As the Google report points out, “zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue.”

 

The cybersecurity calendar

 

Technology vendors and the cybersecurity community are well aware of the risks presented by zero-day threats. For nearly two decades, on the second Tuesday of every month, ‘Patch Tuesday’ has been the day when Microsoft and various other software vendors typically release a range of software fixes, some of which deal with emerging and critical zero-day vulnerabilities.

 

While this is an important recurring event, unfortunately, it has also spawned ‘Exploit Wednesday’, which has become the day when cybercriminals attempt to identify and use further exploits for systems that have yet to be updated. This underlines the ongoing difficulties faced by security and IT teams, who quite often also need to deal with performance issues created by newly installed patches. Known as ‘Uninstall Thursday’, this is when software components have to be removed to get systems running normally again. Patches can also be released outside of this regular schedule, and these are often to address the most serious emerging risks and will be accompanied by advice for users to take immediate action to prevent their systems or data from being compromised.

 

The limitations of reactive security technologies

 

But what about the various cybersecurity technologies used by organisations to prevent and mitigate zero-day threats? While there are a variety of approaches available, part of the challenge is that many are built to react to cybersecurity issues, rather than proactively prevent them. In the context of zero-day vulnerabilities, this does little to remove the risks posed by zero-day attacks.

 

For example, “next-generation” AV and firewalls use detection-based solutions that can only protect against risks already known to them. This leaves organisations at risk, as threat actors constantly evolve their techniques and find new vulnerabilities to exploit. Sandbox solutions, another widely used security technology, can offer some level of protection, but cybercriminals increasingly use advanced tactics such as delayed detonation, whereby malware lays dormant and undetected by the sandbox, only activating once it has passed through.

 

Then there’s machine learning and AI technologies, which use advanced algorithms to detect known indicators of malicious content. While offering a more effective approach than traditional solutions, machine learning and AI on their own cannot offer complete protection from zero-day threats.

 

Add to this the fact that two-thirds of malware is currently delivered via PDF files as malicious email attachments and zero-day vulnerabilities are effectively invisible to reactive cybersecurity technologies.

 

Proactive protection

 

So, where does that leave organisations trying to minimise the potentially damaging impact of zero-day exploits? Increasingly, security teams are relying on a layered approach that builds proactive protection around their AV, firewall and sandboxing infrastructure to address the risks posed by file-based threats.

 

In these circumstances, the adoption of technologies such as Content Disarm and Reconstruction (CDR) helps deliver the kind of protection required by treating all files as untrusted before validating, rebuilding and cleaning each one against their manufacturer’s ‘known-good’ specification.

 

Ultimately, whatever approach is taken, unless organisations can establish a zero tolerance approach to zero-trust, they will remain vulnerable to some of the most severe risks that exist in the current cybersecurity ecosystem.

By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist – Business and...
Frank Horenberg, Zivver’s Head of IT, and Simon Newman, Co-Founder of Cyber London, do a deep...
By Suraj Tiwari, Global Head – Information Security, VFS Global.
By Brandon Green, Senior Solutions Architect & Threat Modeling SME, IriusRisk.
By Steve Durbin, Chief Executive, Information Security Forum.