How to prepare your business to survive the next zero-day attack

Nikhil Gupta is a cybersecurity expert and founder and CEO of ArmorCode, an award-winning DevSecOps platform.

How do you protect your business from zero-day cyber attacks? As a clearly emerging threat, it is important that businesses do what they can to prepare. Previously we had seen these attacks occur maybe once every five years, but now we are seeing a flood of them. We learned of the attack involving SolarWinds in December 2020, Log4j in December 2021 and then SpringShell in March 2022.

The problem is, if you’re not in the security industry, the term “zero days” may sound like a buzzword with little or no meaning. So how is it different from the multitude of other security threats out there? And shouldn’t one of your many security solutions protect you?

What is a zero-day attack?

A “zero-day attack” refers to an attack that exploits an existing, but previously unknown, vulnerability. This vulnerability has potentially been in the code or application since its inception, and until an organization learns about it, it is highly unlikely that any security tool will be able to prevent it from being exploited. Thus, the term “zero days” was coined because the organization has no runway to fix the problem. In fact, there is real concern that malicious actors have or are actively exploiting this weakness without the business having any idea. What makes these vulnerabilities so dangerous is that they can be found in code or applications you’ve used for years.

Further complicating matters is how widespread these vulnerabilities can be. The Log4j vulnerability is a good example because it affected so many companies without their knowledge. The vulnerability was not only included in the software and applications that companies developed themselves, but also in software solutions that they purchased from third parties. Because software is so complex, there is almost never a single author or team that writes all the code. Instead, the code is built by teams of people who reuse existing code from software libraries to avoid the software equivalent of “reinventing the wheel.” One of the common reuse tools was Log4j, which tracks or “logs” the activity of a system or application, allowing the developer to monitor what is happening so bugs or errors can be fixed. The challenge for companies is that they didn’t necessarily track every application in which Log4j was used, nor would it be practical to do so – Log4j was just a building block for one application and seemingly insignificant in the wider business.

What happens after a zero-day vulnerability is discovered?

If you discover that your organization has discovered a zero-day vulnerability, what should you do? If you don’t already have the proper failsafes and tools in place, the only real answer is to go through the repositories manually and audit everything. This involves a significant time investment to sift through all the code repositories and libraries – and it is not a process that is done in one go. Once the first pass is complete, teams must update them and then rescan them all. Many organizations will enter this information into multiple spreadsheets and then manually correlate the information to create visibility into the main issues, thereby creating tickets for each issue. Based on my experience, there have even been circumstances where organizations have scanned for three months and found thousands of instances of Log4j, for example.

As mentioned, the malicious code can be used in everything from how your business invoices customers to your internal HR administration and everything in between. Additionally, the vulnerability may reside in products and services you provide to customers, further complicating matters as you must work to fix these issues while asking questions about how you plan to fix the breach. The simple point is that it’s a mess. It requires your team to sort through proverbial haystack after haystack to find each and every needle. The problem is that we’re seeing these attacks happen at an increasing pace, so it’s very possible that the process will start over even before you’ve cleaned up the initial mess, which is unsustainable.

How should you prepare?

There is only one way to effectively filter through zero-day attacks – automation. With the right automation, the number of elements humans must handle can be reduced from the thousands listed above by a factor of 100 or more. This is achieved in part because when organizations scan their repositories, they often do not realize that the repositories are created in software but not deleted. This is similar to how many people keep saving more and more photos to their phone camera rolls and never go back and delete their old photos. As a result, it appears that there is a lot to scan, but a large percentage of the repository is inactive and can be ignored.

However, automation is not only important for finding the malicious code – it should also be used to automate workflows to avoid bad handoffs between tickets. This can be achieved by using intelligent security operations to find the active repositories, identify the right tools, categorize the priority, create tickets and automatically assign it to the corresponding developers. Zero-day vulnerabilities aren’t usually a challenge to patch once you’re aware they exist—the challenge exists in the sheer number of cases. The danger is that something will get lost in the shuffle and the vulnerability will persist unpatched. Successfully combating and remediating the problem requires the application, security, and operations teams to work together.

There’s only so much people can do on their own, and if attacks theoretically happen once a quarter, organizations don’t have months to recover from one attack, only to jump straight into dealing with its impact next. The only effective way to combat this is to strengthen application, security and operational coherence and leverage automation.

The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology leaders. Am I eligible?

Leave a Reply

Your email address will not be published.