“On any given day, nation-states and criminal hackers have access to an entire arsenal of zero-day vulnerabilities — undocumented and unpatched software flaws that can be used to silently slip past most organizations’ digital defenses…”
Brian Krebs, How Many Zero-Days Hit You Today?
It’s no secret, nor has it been for quite some time – most national governments and criminal organizations have a full inventory of zero day attacks at their disposal.
This means that powerful entities can readily access your systems – without your approval, and without leaving a trail. But even if they are somehow discovered, the hackers can just move on to the next zero day attack. They’re expensive, but they’re also plentiful.
Besides, by the time they’ve been detected, the intruders will likely already have everything they need. It may be intellectual property, credit card data, healthcare records, or any other sensitive information you’re trying to protect.
The Goal of the Zero Day Attack
So if it’s understood that zero day attacks are ubiquitous, and your organization is likely to be an eventual target, the question becomes – once a zero day attack is executed, what happens next?
The first thing the attackers do is look for ways to expand their access. Usually remote access kits, rootkits and key loggers are installed. Their goal is to extract credentials to achieve lateral movement throughout the network.
To accomplish this, the hackers search for SSH keys, passwords, certificates, Kerberos tickets, and the hashes of domain administrators that can be found on compromised machines. Pass-the-hash attacks are often used to gain access. Often the attackers will quietly monitor and record activity on the systems. Then they use the information to expand their control of the IT environment.
It’s called the “land and expand” cyber attack for a reason. The entire activity can be completed in only about 15 minutes.
However, that’s just the attack phase. The intruders will nest on the network for a much longer period of time. According to Symantec Research Labs, zero day exploits persist for an average of 312 days before being discovered. That is obviously more than enough time to map the network and extract valuable data at will.
Can Zero Day Attacks be Defended?
It seems daunting. Powerful, well-funded adversaries are attacking your network, and exploiting unknown vulnerabilities to access and steal your organization’s most valuable information.
Can it be stopped? Probably not… but it can be significantly mitigated.
If your organization is manually changing credentials on typical 30 to 90 day cycles (or longer), you’re probably already owned. You need to automate the process of managing your privileged credentials. Remember, the hackers are looking for passwords that let them jump from system to system until they find what they want.
If you’re providing each privileged account on your network with its own unique and complex password, and then changing these passwords very frequently, you’ve blocked an intruder from moving laterally. Even though a zero day attack can still compromise one of your machines, the attack can’t expand.
To paraphrase Dave DeWalt’s comments during his recent interview on 60 Minutes, it’s better to lose one machine and a couple dozen credit cards than to lose 54 million of them.
Your goal should be limiting the lives of your privileged credentials to 24 hours. In fact, some Lieberman Software customers use our privileged identity management platform to change all of their credentials every two hours.
And rather than letting anyone maintain persistent elevated access, you should time-limit administrator access to audited individuals only.
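As an added example (not code from this post or from Lieberman Software), the following Python script audits the policy described above against a vault export: it flags privileged credentials older than a 24-hour ceiling, secrets shared by more than one account (the reuse that lets an intruder jump from system to system), and elevation grants that are still recorded as active after their expiry. The hosts, accounts, fingerprints and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

MAX_SECRET_AGE = timedelta(hours=24)   # the 24-hour ceiling recommended above

def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample vault export (hypothetical hosts and accounts). "fp" is a
# fingerprint of the stored secret (e.g. a hash prefix), never the secret itself.
INVENTORY = [
    {"host": "web01", "account": "Administrator", "fp": "3f9a", "rotated": "2024-05-02T06:00:00Z"},
    {"host": "web02", "account": "Administrator", "fp": "3f9a", "rotated": "2024-05-02T06:00:00Z"},
    {"host": "db01",  "account": "root",          "fp": "c201", "rotated": "2024-04-01T09:30:00Z"},
    {"host": "dc01",  "account": "svc_backup",    "fp": "77e0", "rotated": "2024-05-02T07:45:00Z"},
]

# Constructed time-limited elevation grants: which audited individual holds
# administrator rights on which host, and until when.
GRANTS = [
    {"user": "alice", "host": "dc01", "expires": "2024-05-02T10:00:00Z"},
    {"user": "bob",   "host": "db01", "expires": "2024-05-01T18:00:00Z"},
]

def stale_credentials(inventory, now, max_age=MAX_SECRET_AGE):
    """Accounts whose secret has outlived the rotation policy."""
    return sorted(f"{e['host']}\\{e['account']}" for e in inventory
                  if now - parse_utc(e["rotated"]) > max_age)

def shared_secrets(inventory):
    """Accounts that share one secret: compromise one host, log in to the rest."""
    by_fp = {}
    for e in inventory:
        by_fp.setdefault(e["fp"], []).append(f"{e['host']}\\{e['account']}")
    return {fp: sorted(accts) for fp, accts in by_fp.items() if len(accts) > 1}

def expired_grants(grants, now):
    """Elevation grants still recorded as active after their expiry time."""
    return sorted(f"{g['user']}@{g['host']}" for g in grants
                  if parse_utc(g["expires"]) <= now)

def policy_report(inventory=INVENTORY, grants=GRANTS, now="2024-05-02T08:00:00Z"):
    """Every finding an operator should act on before the next rotation cycle."""
    t = parse_utc(now)
    return {"stale": stale_credentials(inventory, t),
            "shared": shared_secrets(inventory),
            "expired_grants": expired_grants(grants, t)}

if __name__ == "__main__":
    for key, value in policy_report().items():
        print(f"{key}: {value}")
```

Run it on a real export and any non-empty finding is a credential an intruder who already has a foothold could still use.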
It’s all about continuous remediation. If you can be broken into and taken over in only 15 minutes, you had better be able to move a lot faster if you want to stop the attack.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.