A recent interview with CrowdStrike VP of Product Marketing Dan Larson, for the CyberWire Daily Podcast, focuses on “zero-day” attacks and how organizations can prepare for these stealthy and damaging events. A zero-day attack is one in which attackers exploit a vulnerability in software or hardware before the flaw is publicly known and a patch has been released. Sometimes these attacks occur before the vendor is even aware there is a vulnerability in its product.
Larson begins by discussing the importance of having a plan in place well in advance of an attack and taking steps to ensure your plan is effective. He advised that hardening your environment is an important first step and explained, “What really moves the needle is doing exercises like penetration testing, red teaming and tabletop exercises. Doing an overall risk assessment, with basic steps like getting an IR (incident response) retainer in place, will help you understand your exposure, and minimize both the likelihood and the impact of an event.”
He stressed that when considering the point of attack and the fact that you may have software with vulnerabilities in your environment, it’s vital to have endpoint security in place that has anti-exploit capabilities. He said, “It’s important that you have those solutions and that you turn them on and keep them up-to-date.” Larson also emphasized the importance of being able to detect post-exploitation activities, which can minimize dwell time — the period between when a malicious attack enters your network and when it is discovered. He explained that the protracted dwell times resulting from an undetected zero-day attack can leave an organization vulnerable for days, weeks or even months.
A unified approach such as CrowdStrike® endpoint protection enables organizations to block more zero-day exploits at the point of attack by using machine learning and behavioral analytics, and it also includes automatic detection and prevention logic for post-exploitation activity, so that security teams have immediate visibility into attacks — even those that bypass other defenses.
A New Reality
With The Shadow Brokers continuing to release monthly zero-day threats and inviting subscriptions to their services, the likelihood of eventually encountering a zero-day in your organization’s environment is high. Larson said organizations must ask themselves, “If we have this problem with stopping things at the point of attack, especially zero-days, how can we still end up in a secure state?” He answers, “Working from the assumption that a breach is inevitable leads organizations to focus on how they can reduce the impact of such an event, or stop malicious activity before it becomes a full-blown breach or real damage is done.” He explained further, “That’s where new solutions — especially EDR (endpoint detection and response) with behavioral logic — come in. They are solutions that look for the telltale signs of attacker behavior.” Larson added that these signs are varied and can include credential theft, privilege escalation, lateral movement, or even evidence that someone is trying to encrypt, destroy, or leak files. “These are all criminal adversary behaviors that we can now understand as the attack is happening on the endpoint — and not only detect that malicious activity, but block it.”
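To make the behavioral logic Larson describes concrete, here is an added example (not CrowdStrike's or the podcast's code) of two toy detection rules run over constructed endpoint telemetry: one flags a process that renames many distinct files to a new extension in a short burst (the "trying to encrypt files" signal), the other flags a process fanning out to many hosts on remote-admin ports (the lateral-movement signal). Host names, process names, ports and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data: (time, host, "image:pid", event, detail)
T0 = datetime(2024, 1, 1, 9, 0, 0)
EVENTS = (
    [(T0 + timedelta(seconds=i), "ws01", "svchost.exe:4412", "file_rename",
      f"docs/{i}.docx -> docs/{i}.docx.locked") for i in range(8)]
    + [(T0 + timedelta(seconds=1), "ws01", "winword.exe:2210", "file_rename",
        "docs/report.docx -> docs/report.docx.bak")]          # a single rename: benign
    + [(T0 + timedelta(seconds=i), "ws02", "cmd.exe:3001", "net_connect",
        f"10.0.0.{10 + i}:445") for i in range(6)]
    + [(T0 + timedelta(seconds=2), "ws03", "outlook.exe:1800", "net_connect", "10.0.0.5:443")]
)

def _burst_actors(events, event_type, window, threshold, extract):
    """Return (host, process) actors whose `event_type` events contain at least
    `threshold` distinct extract(detail) values inside some `window`-long slice."""
    per_actor = defaultdict(list)
    for ts, host, proc, etype, detail in events:
        # extract() returns None for events the rule does not care about
        if etype == event_type and (value := extract(detail)) is not None:
            per_actor[(host, proc)].append((ts, value))
    hits = []
    for actor, items in per_actor.items():
        items.sort()
        start = 0
        for end in range(len(items)):    # sliding time window over this actor's events
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({v for _, v in items[start:end + 1]}) >= threshold:
                hits.append(actor)
                break
    return hits

def detect_mass_rename(events, window=timedelta(seconds=30), threshold=5):
    """Ransomware-like behavior: many distinct files renamed to a new extension in a burst."""
    def renamed_source(detail):
        src, dst = detail.split(" -> ")
        return src if src.rsplit(".", 1)[-1] != dst.rsplit(".", 1)[-1] else None
    return _burst_actors(events, "file_rename", window, threshold, renamed_source)

def detect_lateral_fanout(events, window=timedelta(seconds=60), threshold=5):
    """Lateral-movement-like behavior: fan-out to many hosts on SMB/RPC/WinRM/RDP ports."""
    def admin_port_peer(detail):
        ip, port = detail.rsplit(":", 1)
        return ip if port in {"445", "135", "5985", "3389"} else None
    return _burst_actors(events, "net_connect", window, threshold, admin_port_peer)
```

Real EDR logic is far richer (process lineage, signer reputation, file entropy), but the shape is the same: score behavior per actor over time rather than match a known exploit signature.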
Larson concluded by returning to the importance of preparedness before an attack, explaining that a cascading reduction of risk results when you go through the process of being as prepared as possible and implementing the best prevention technology at the point of attack — while also having a plan for a worst-case scenario: “You really have to think about what happens when the attacker is successful and gets on your network, and ask yourself if you have the tools, processes and technology in place to mitigate the event, before the real damage is done.”