If I knew then what I know now -- Zero Day Vulnerabilities and why we should confine the unknown
When Donald Rumsfeld gave a briefing about the Iraq WMD program in 2002 (Iraqi Weapons of Mass Destruction were a major justification for the second invasion) he said "There are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."
At the time, many mocked this word-salad as the Secretary of State for Defense delivering an over-complicated and evasive way of admitting that they had no evidence of WMDs in Iraq -- not yet at least. Even so, there is some undeniable logic in accepting that there can be unknown unknowns, and not just in the field of counter intelligence but in cyber security too.
One WMD we do have evidence of was unleashed on the world last week, but this one came from China, not Iraq. The Hafnium threat actor targets Microsoft Exchange email servers using a number of Zero Day vulnerabilities, allowing the attackers to steal emails and sensitive data. The extent of the attack won’t be clear for weeks yet, but estimates range from hundreds, to tens of thousands, of servers being compromised, with incalculable damage from data lost. At least the sheer size of potential targets goes up to about 300,000 on-prem installations of MS Exchange.
The timeline is typical for a zero day threat like this, and as ever, trying to work out when Day Zero was is a slightly inexact process to go through. What we know is that patches were released on March 2, and Microsoft report that they have been working on compromised servers since February 28 -- was this Day Zero? However, in this instance, it’s what was going on before Day Zero that’s the real concern. How long has the exploit of these vulnerabilities been going on? It’s a deeply troubling 'known unknown'.
What’s even more troubling though are the 'unknown unknowns'. Just how many other vulnerabilities are still waiting to be discovered and, as in the case of Hafnium, will end up in the wrong hands before the cyber security industry knows about them, let alone do anything to provide any mitigation or remediation action?
Which is why there needs to be a significant shift in cyber security philosophy, to really embrace the 'unknown unknowns' and do something about them. There are some signs that thinking is shifting, with more emphasis on terms like 'cyber resilience', the premise being to accept that a cyber-attack is likely and to focus more on your ability to survive a breach. Prevention is always better than cure, but is simply not realistic in our world of Zero, and pre-Zero, Day exploits.
One solution -- or at least partial solution -- to the Zero Day threat is Change Control and its police force of Integrity Monitoring. Partial, because our new philosophy accepts that, just as with Breach Prevention, there will never be 100 percent security or a comprehensive answer to Zero Day protection, but what we can do is massively reduce the likelihood. We have changed our mindset to acknowledge that a breach is always possible, so we now focus our resources as much on defending as on our breach detection capabilities and our ability to survive an attack.
In the case of Hafnium as with virtually every other breach, there were clear indicators of compromise, clues that a well-managed change control process would expose as suspicious, or at least unusual. Integrity Monitoring provides complete visibility of all changes, for breach activity as well as the everyday, expected legitimate changes like patching. Change Control makes sense of it all, correlating events with planned and expected changes. It can even go further, automatically analyzing changes and reconciling these with known patterns of change, even for millions of events covering thousands of devices in a busy IT estate. What you’re left with is a subset of 'known unknowns', changes that have been reported but without any lineage. In this way, you at least stand a chance of an early warning that a breach has been successful to allow remediation work to be invoked before data loss.
And before we get too far into a debate on the value of investing resources into a solution that still requires some human intervention and analysis, the question to ask before that is 'What’s the alternative?' If we know that AV, next gen firewalls, SIEM and vulnerability scanners are all 'partial solutions' too -- all flawed, all blind to zero day threats -- then layering in an additional, proven security control is the only way to go? If we already know that our existing solutions have gaps, then surely the reaction must be to try and cover those gaps with alternative technologies, providing an additional perspective on security via overlapping monitoring capabilities?
Using the Solarwinds example as role model, cyber security is riddled with 'unknown unknowns', threats that we don’t even know exist today, not to mention all the new vulnerabilities that we have yet to welcome in but will do so when we next update or deploy new systems. In the meantime, we should be embracing the 'known knowns' we have to hand, the proven cyber security controls of integrity monitoring and change control.
Mark Kedgley is CTO, New Net Technologies (NNT).