What to Know About Zero-day Threats Before They Threaten Your Business


Well-publicized, large-scale cyberattacks have been making headlines lately, including the Sunburst compromise of the SolarWinds Orion Platform and, most recently, the Hafnium exploitation of Microsoft Exchange Server. Both of these attacks came from zero-day threats and have impacted organizations globally.

Zero-day is a term that applies to both the vulnerability and the threat. A zero-day vulnerability refers to a software security flaw that is unknown to the developer or one that is known to the developer but doesn’t have a patch in place to fix the flaw. A zero-day threat, or attack, is an attack that hasn’t been seen before and exploits this vulnerability.

In December 2020, FireEye publicly reported that malware (named Sunburst) had been installed on its internal systems through trojanized SolarWinds Orion software updates. It was quickly discovered that the malware had spread far beyond FireEye. The Sunburst attack caused a breach of approximately 18,000 systems across the globe, with many of those affected still not sure what the final impact will be.

This highly publicized event affected such prominent agencies as the Department of Homeland Security and parts of the Pentagon. Attackers also gained access to fundamental systems of more than 425 companies in the Fortune 500, all of the top 10 US telecommunications companies, and five branches of the US military.

More recently, Microsoft was the target of attacks on four zero-day vulnerabilities that are estimated to have affected at least 30,000 businesses and government agencies. The attacks targeted on-premises Microsoft Exchange Server installations across the US and were likely orchestrated by Hafnium, a highly skilled and sophisticated state-sponsored advanced persistent threat (APT) group from China.

On March 2, Microsoft released patches to address the four vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). However, there is concern that companies are not applying them fast enough and that the number of victims will continue to grow.


Prevention and Security Best Practices

As these types of attacks become more common, prevention becomes more crucial, and companies must take proactive measures to ensure their business, employees and critical data are protected. By following the prevention and security best practices listed below, you can increase your network security.

Keep systems up to date

Because cyberattacks are always evolving, defenses not only need to keep evolving, they also need to stay ahead of bad actors. That is why it is imperative to keep systems such as antivirus software up to date. Yesterday’s version may not protect against tomorrow’s threats.

Subscribe to principles of Zero-trust Networking

Zero-trust is a strategy for protecting digital environments based on the key principle that no access is granted unless it is specifically and deliberately given. This principle applies to users and devices alike.

At its core, zero-trust uses micro-segmentation to break up security perimeters into small zones to create separate access points for separate parts of the network. While access may be granted to one zone, access to other zones will require separate authorization. Policies are often set to give users the least amount of access needed to complete a task.

Train employees on how to detect phishing attempts

All it takes is one wrong click from a well-meaning employee to compromise company data. Cybersecurity training should start on Day 1 as part of the onboarding process and include detailed information on how to spot a phishing scam. Give employees the practical skills needed to identify possible attacks and to report them to Network Administrators, so they feel knowledgeable and confident. Data breach protection requires all employees across all departments to be fully prepared; an unprepared employee will certainly be a weak link.

Enforce multi-factor authentication whenever possible

As cyberattacks evolve and become more complex, multi-factor authentication (MFA) adds an additional layer of security. MFA requires more than one piece of evidence that the user is who they appear to be. A common form of multi-factor authentication is to require a username and password, and additionally ask for a temporary code sent to a trusted device as a further confirmation of identity. This combats human error by preventing cybercriminals from logging into accounts with stolen usernames and passwords alone.
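As an added illustration (not code from the original post), the following shows how the password-plus-temporary-code flow described above is enforced on the server side: the code is issued only after the password check, is bound to one user, expires, is single use, and is burned after a few wrong guesses. The five-minute lifetime and three-attempt limit are assumed policy values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: wrong guesses allowed before the code is void


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies one-time codes for the second step of a login."""

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable for deterministic tests
        self._pending: dict[str, PendingCode] = {}

    def issue(self, username: str) -> str:
        # Six-digit code from a CSPRNG. In a real deployment it is delivered to the
        # user's trusted device (SMS, authenticator app, push), not echoed to the client.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = PendingCode(code, self._clock())
        return code

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:                       # nothing issued, or already consumed
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]         # expired codes are discarded, never checked
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, submitted)   # constant-time comparison
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[username]         # single use, and burned after too many guesses
        return ok


def login(password_ok: bool, mfa: SecondFactor, username: str, code: str) -> bool:
    # A stolen username and password stop here: the second factor is always required.
    return password_ok and mfa.verify(username, code)
```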

What to do if you fall victim to an attack

While companies can plan and prepare to prevent a cyberattack, it can still happen. Once a breach has been discovered, it is important to follow these steps to mitigate the impact:

  1. Follow guidance of the impacted vendor: for example, Microsoft put out detailed information regarding the breach and deploying the patches.
  2. Enable threat prevention to block suspicious traffic from entering or exiting the network. This will help to prevent attacks to your servers as well as data loss if users mistakenly try to connect to a phishing scheme or other malicious host.
  3. Configure Geo-blocking for extra protection from attacks that may originate in specific countries known as frequent sources of attacks. Blocking those countries can reduce the potential for an attack on your business.
  4. Enable intrusion prevention systems (IPS) to analyze and filter all traffic flows through the network and block harmful activities before they affect internal systems. IPS can also report events to notify you of suspicious activity and a potentially exploited system.
  5. Use VPN so services aren’t exposed on the Internet and to protect your mobile and remote workers by applying the same protections they would get if they were in the office.

Large data breaches covered by the media can make cyberattacks seem scary. However, knowing what to do before a breach occurs and having a plan in case you are attacked will position your company to survive with minimal impact.