For obvious reasons, the consequences of zero-day attacks can be severely damaging to businesses: they frequently result in material harm, costing companies millions of dollars, and exposing customers to additional cybersecurity threats.
At Capsule8, we’ve identified 4 major risks that zero-day attacks pose to our customers:
1. Scale and Frequency
The threat landscape is evolving as global IT infrastructure scales rapidly across hybrid production environments. According to the “2017 Application Security Report” by Cybersecurity Ventures, 111 billion new lines of software code are created every year. As the attack surface expands, it is no longer feasible for security teams and organizations to keep up with the sheer volume and frequency of threat vectors. Static Application Security Testing (SAST) alone is no longer a sufficient deterrent against the often daily attacks that systems are exposed to. A hybrid approach that prioritizes dynamic testing and protecting applications in real time is needed. A DevOps approach to security is also critical: studies have shown that teams that build and test their code daily fix vulnerabilities faster than average teams that build and test only 7-8 times a year.
2. Asymmetric Complexity
An asymmetric relationship exists between the attacker and the defender. For starters, the defender (i.e. the security practitioner) must try to defend against all potential vulnerabilities, while the attacker only has to find and exploit a single one. What’s worse, it is getting easier to find and launch an attack. For example, ‘fuzz testing’ for a vulnerability involves simple trial and error and requires minimal specialized knowledge of the target system; some exploits are also readily available on the black market. In some cases, attacks are launched based on proofs of concept shared publicly by hacker groups. Meanwhile, the deep security expertise required to defend against these threats is expensive, scarce, and at risk of being overwhelmed by security alerts. Security organizations built around the traditional security operations center (SOC) have proven to be less effective without the proper detection and automation tools at their disposal.
3. Long Tail to Remediation
The window of vulnerability between the time the security team discovers the zero-day attack, routes the alert, and runs its risk analysis, and the time the patch is installed can be extremely costly in terms of budget, time, and risk. What’s more, remediation can turn out to be just as disruptive as the original attack, as certain updates and patches can render some systems unbootable. In some cases, it can take months or even years to remediate known security issues (think Oracle and the multi-year Java attack campaign in 2015). The 2018 Drupal vulnerability was a more recent case, in which a ‘highly critical’ bug was discovered in the popular open-source content management system (CMS), affecting over one million websites. Despite the fact that a zero-day exploit could be developed “within hours or days,” developers often needed weeks or months to reserve time for core security updates.
4. Cloud-Native and Hybrid Cloud Risks
Traditional enterprise security focused on securing endpoints, segmenting the network, and protecting the perimeter. These concepts may no longer apply to cloud-native and hybrid cloud production environments. According to ESG Research, 42 percent of organizations reported an attack in their hybrid and containerized environments last year, with 28 percent pointing to a zero-day exploit as the origin. As companies deploy more cloud-native workloads to meet customer demand, finding new ways to secure these applications becomes critical.