Zero-day Attacks are on the Rise: Managed Detection & Response Providers Can Help

By Bill Thrash, Vice President of Customer Success

From 2016 through 2020, between 12 and 25 zero-day attacks were identified each year, about 21 per year on average, according to Google’s Project Zero. This year, that number has more than doubled, with 52 zero-days identified by mid-October. That raises some questions: what’s going on here, and how can you most effectively defend yourself against zero-day attacks?

I asked my colleague Callie Guenther, who heads up our Cyber Threat Intelligence (CTI) team, why this year has seen so many zero-day attacks. “Primarily the sophistication of the attacks is much higher,” she says. “Attackers are getting better.”

Involvement of nation states plays a role, as does the trend toward vertical-specific attacks. The manufacturing sector, for example, has been making significant strides towards automation and integrating the operational technology and IT sides of the house, which opens up more attack surface.

As for the best way to defend against zero-days, that’s a tricky question because, by definition, there is no defense against a zero-day attack. They are, after all, attacks that take advantage of previously unknown vulnerabilities in software and networks. If you are running a piece of software or a network device that has such a vulnerability, and an intruder finds it before the vendor does, you are out of luck.

The best defense, then, is to be sure you have a way to find out about zero-day attacks quickly once they surface, so you can take advantage of patches and other mitigation measures as vendors release them.

MDR role in zero-day threats

As a provider of managed detection and response (MDR) services, Critical Start plays a number of roles in identifying and disseminating information around zero-days.

One is when our penetration testing, research and incident response team (TEAMARES) discovers previously unknown vulnerabilities in the course of its work with clients. In that case, we report them to the vendor involved so they can be remediated.

We also partner with the vendor in ensuring they understand the issue. That means getting Callie’s Cyber Threat Intelligence team involved. They will examine the threat, identify indicators of compromise (IOCs) or behaviors related to the attack, determine which customers it applies to, which products are involved, and determine the mitigations customers need to take, including both required and recommended mitigations.

In short, they come up with the context in which the threat exists. That includes what it means for customers, the threat landscape in which it exists, which threat actor groups are the source, and any specific verticals or toolsets it impacts.

Rapid investigation and advisories

If the CTI team determines the threat is applicable to even one customer, they will draft a security advisory and send it off to all potentially affected customers. Sometimes the team will send an informational advisory, simply informing customers that they’ve learned of a threat and are investigating. Typically, that happens within hours of learning of the threat.

The CTI team then hands off all the intelligence it has gathered to the Detection Engineering group. They write the code that builds a detection mechanism to identify any attempt to exploit the threat. Often, that code is then added to our Zero Trust Analytics Platform (ZTAP), which our security analysts use to resolve alerts.
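To make the CTI-to-detection hand-off concrete, here is an added example (written for this post, not Critical Start’s code and not how ZTAP is implemented) of what a first-pass detection built from an advisory looks like. The advisory contents, product name, indicator values (TEST-NET addresses, a placeholder hash) and log lines are all constructed for the example; the detection matches both atomic indicators of compromise (source IPs, file hashes) and a behavioral pattern, and tags each alert with the affected product and the required and recommended mitigations so the analyst resolving it has the same context the advisory carried.

```python
import re
from dataclasses import dataclass

# Constructed advisory: the kind of package the CTI team hands to
# Detection Engineering. Every value here is a placeholder, not a real IOC.
ADVISORY = {
    "id": "ADV-PLACEHOLDER-001",
    "products": ["ExampleVPN Appliance 9.x"],          # hypothetical product
    "iocs": {
        "ip": {"203.0.113.45", "198.51.100.7"},         # TEST-NET ranges
        "sha256": {"a" * 64},                           # placeholder hash
    },
    # Behavioral indicator: path traversal aimed at the admin endpoint.
    "behavior": re.compile(r"GET\s+/admin/[^\s]*\.\./"),
    "mitigation": {
        "required": "Apply the vendor hotfix",
        "recommended": "Restrict the admin interface to the management network",
    },
}

# Constructed sample log lines (web proxy and EDR style), not real telemetry.
SAMPLE_LOGS = [
    "2023-10-12T08:01:02Z web01 src=192.0.2.10 GET /index.html 200",
    "2023-10-12T08:01:07Z web01 src=203.0.113.45 GET /admin/../../etc/passwd 403",
    "2023-10-12T08:02:11Z web01 src=192.0.2.11 GET /admin/login 200",
    "2023-10-12T08:03:40Z edr01 host=ws-17 file_sha256=" + "a" * 64 + " action=created",
]

IP_RE = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})")
HASH_RE = re.compile(r"sha256=([0-9a-f]{64})")


@dataclass
class Alert:
    advisory_id: str
    log_line: str
    matches: list          # list of (indicator_type, indicator_value)
    products: list
    mitigation: dict

    @property
    def severity(self) -> str:
        # A behavioral hit means an exploitation attempt was observed;
        # an atomic IOC alone means contact with known-bad infrastructure or files.
        kinds = {kind for kind, _ in self.matches}
        return "high" if "behavior" in kinds else "medium"


def scan(logs, advisory) -> list:
    """Return one Alert per log line that matches any indicator in the advisory."""
    alerts = []
    for line in logs:
        matches = []
        ip = IP_RE.search(line)
        if ip and ip.group(1) in advisory["iocs"]["ip"]:
            matches.append(("ip", ip.group(1)))
        digest = HASH_RE.search(line)
        if digest and digest.group(1) in advisory["iocs"]["sha256"]:
            matches.append(("sha256", digest.group(1)))
        behavior = advisory["behavior"].search(line)
        if behavior:
            matches.append(("behavior", behavior.group(0)))
        if matches:
            alerts.append(Alert(advisory["id"], line, matches,
                                advisory["products"], advisory["mitigation"]))
    return alerts


def summarize(alerts) -> dict:
    """Count alerts by severity, the figure an advisory update would cite."""
    counts = {"high": 0, "medium": 0}
    for alert in alerts:
        counts[alert.severity] += 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS, ADVISORY)
    for alert in found:
        print(alert.severity, alert.matches, alert.products, alert.mitigation["required"])
    print(summarize(found))
```

The design choice worth noting is that atomic indicators and behavioral patterns are evaluated together on each line: an IP match on its own is a lead, while the traversal pattern fires even when the attacker rotates infrastructure, which is what keeps the detection useful after the advisory’s IOC list goes stale.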

Once we have a mitigation strategy in place, we will send an advisory to make sure customers understand the steps they need to take, how the threat impacts their security policy or strategy, and any other context we can provide to make sure they understand the threat and its potential impact. Usually, that happens within a day of us learning of the threat. (That’s on top of the weekly threat intelligence reports we send, by the way.)

What’s more, if we learn of a zero-day attack from a single customer, we can deliver our threat intelligence to all other relevant customers – so everyone benefits. You’ll be among the first to know what actions the affected vendor recommends – whether it’s patching, closing ports or the like – along with our own recommendations.

Crucial defenses: Speed and expertise

The battle against zero-day threats is real, as the Project Zero numbers make clear. And there’s a good chance we’ll see more zero-days in the months ahead, because Callie says they tend to increase in number around the holidays. That’s because there are more people shopping and processing credit cards online, which increases the attack surface.

You can go it alone, scouring the landscape for news of zero-days and resulting fixes. Or you can rely on us. As an MDR provider, we’re constantly threat-hunting. We also have the resources and expertise to investigate threats, come up with sound remediation advice, and get it to you quickly. Speed and expertise – that’s the best defense there is against zero-day threats.

To learn more about zero-day threats, check out our webinar, “Impact of Zero-day Exploits on Breaches.” Or feel free to contact us with any questions.
