Confronting Zero-Day Attacks

How companies can combat undetected and unexpected attacks on their cloud systems through expertise, smart preparation and proper responses


Three months ago, William Dixon stumbled into a confrontation with an adversary virtually face-to-face. It wasn’t in a dark alley or outside a bar, but inside a client’s computer network.

Dixon, a cybersecurity director at the Kroll consultancy, had hacked into the network with a colleague to uncover—and ultimately, fix—software vulnerabilities. The hacker was also looking for vulnerabilities, but with very different intentions in mind.

Thanks to experience and pre-planning for exactly this type of scenario, Dixon and his colleague knew how to respond. Instead of spooking the intruder, they posed as fellow cyber thieves and managed to gather crucial information via two-way chat. Simultaneously, they alerted their customer and, after determining that no serious damage had been done, ejected the unwelcome guest and secured the opening from further breaches.

Dixon’s encounter highlights an important aspect of today’s cyber landscape: most confrontations are human-to-human interactions, and the best way to come out ahead is through preparation, training and experience.

“You’re not going to get everything perfect in a mock exercise,” said Dixon. “But at least you understand who’s going to be the one that gets a phone call when, and who’s going to be doing what. Time is of the essence.”

The nature of Dixon’s surprise meeting also highlights part of what makes cyberattacks so hard to combat: you can’t always see them. With undetected breaches—often referred to as “zero-day attacks”—companies have no time to prepare. These attacks can have the largest potential impact on both the organization and the people charged with protecting it.

To help mitigate the risk, companies need a mix of the right prevention and response tools, trusted partners who can supplement their defense, and realistic preparation that mimics a real threat scenario. Without a well-rehearsed and coordinated response plan, a zero-day attack can throw an entire company into a tailspin.

Quiz

Select your answer choice below

What is the biggest contributor to bad decision making during a cyberattack?
A. The threat of being fired
B. Lawsuits
C. The shock factor
D. Inadequate resources

What is a zero-day attack?
A. An attack that lasts less than a day
B. An attack that takes place on a holiday or a notable hacker anniversary
C. An attack that exploits a vulnerability before a company was aware of the vulnerability
D. An attack during a shift change

What represents the biggest cyber threat to organizations today?
A. Readily available hacking tools
B. Undertrained employees
C. Constantly evolving software and technology
D. Intelligent, persistent adversaries

Deterrence requires planning

It’s an unfortunate truth in today’s IT world that cyberattacks are unavoidable. And even the best laid plans won’t keep advanced, persistent threats from poking holes in security.

“Nothing is 100 percent secure,” said Ron Victor, CEO of secure industrial networking company IoTium. “Absolutely nothing. There's always some vulnerability there. What you have to protect against is not the vulnerability but the impact of the vulnerability.”

In other words, even though vulnerabilities are unavoidable, organizations still need to invest time and resources in preparation to help mitigate the potential impact of a breach. To that end, patches should be seen as a first line of defense, as long as they are part of a layered approach that does not depend on them alone.

But manual patch deployment won’t suffice in today’s climate. Daniel Clayton, director of global customer security operations for Rackspace, recommends deploying automation to install patches behind the scenes so that this activity isn’t subject to the vagaries of individual schedules and approvals. While it won’t single-handedly provide robust cybersecurity, automated patching can put an organization in a stronger position than most. “Ninety-nine percent of organizations don’t have that,” said Clayton.

Complicating the picture, such automation must take into account business needs along with security best practices. Some IT systems are business-critical, making downtime for maintenance challenging. It’s partly for this reason that patching everything is practically impossible. Legacy systems, including older operating systems that are no longer supported by their vendors, are another source of vulnerabilities that are difficult to address.

Scenario 01

Clayton also advises turning to trusted partners to help. An outside perspective can help a company understand its security stance both as it exists currently, and where it can improve. As with automated patching, understanding potential issues will put an organization ahead of the game.

Vulnerability scans and penetration tests are other critical components of a sound defense, but ultimately all these tactics can only get an organization so far.

“Prevention is a term that I don’t fully believe in,” said Rackspace Customer Security Operations Center (CSOC) director Travis Mercier, who works under Clayton in San Antonio, Texas. “I believe in deterrence.”

Mercier explains that there are strong business incentives on both sides of a cyber battle. If an organization’s defenses drive up the cost of a successful attack far enough, the incentive shrinks and the attacker is more likely to seek opportunities elsewhere.

The Human Element

If patches, scans and tests aren’t enough, what is? The key to staying out of headlines today lies in the people on the wall more than the wall itself. In other words, it’s the human element that will give an organization the edge.

That’s because cyberattacks are battles between people, not just software, and even the best tools and automation won’t stop sufficiently trained, committed, well-funded attackers, said Mercier.

What’s needed is a way to prepare everyone within an organization who will be included in threat response, before hackers actually strike. The only effective way to do that is through mock exercises, or “war games,” during which good decisions become trained reflexes.

Scenario 02

As part of its partnership with EY, Rackspace conducts annual cyber war games designed to probe customers’ potential vulnerabilities before hackers find them. Equally important, the war games prepare everyone from corporate communications to senior leadership—not just security teams—for the inevitable attack.

“Processes can be well-known, but whether the team can follow those processes is a different thing entirely,” Clayton said. “We keep a manager up for 36 hours to see how he responds—it’s really that level of preparation at the enterprise level.”

When a cyberattack hits a major organization, those monitoring the unfolding events can be impacted by the gravity of the situation and the associated stress, just like soldiers experiencing combat for the first time. Clayton, himself a 23-year veteran of the British armed forces who led cyber teams in hot spots around the world, calls it the “fog of war.” Between lawsuits, firings of senior executives, and reputations lost in the aftermath of major attacks, it’s no wonder that security personnel feel the pressure.

“These incidents can be Armageddon events for companies,” Clayton said. “Immediately you’ve got this kind of shock factor that sets in within the security team. That’s when bad decisions get made.”

It’s every company’s worst nightmare: zero day. In this scenario, attackers get in and critical systems and sensitive data are compromised before a company is aware of a vulnerability. And zero-day attacks can be even worse if the exploit was active for a long time before discovery.

To help counter this type of attack, Rackspace uses advanced analytics to detect unknown threats through behavioral patterns and anomaly detection. Mercier also recommends being prepared for rapid and decisive action to contain damage. His team at the CSOC responds within 15 minutes of detecting an attack, and then it’s all hands on deck, with everyone from security analysts to public relations and senior management brought in to regain control.

Scenario 03

It’s during these scenarios that war game preparation pays off: enterprise-wide coordination is finely tuned and individual actors are ready to play their part.

Afterwards, assessments need to be made, procedures adjusted, and reactions honed for the next time. This can spell the difference between a breach that is well-managed and contained, and one that becomes a disaster.

“You have to be able to protect the business, respond with one voice, one operation,” Clayton said. “If you can’t, you end up on the 6 o’clock news.”