Best Practices for Protection Against Zero-Day Attacks

Zero-day attacks are common in today’s technological environment. With everything moving to automation and the cloud, they have become difficult to defend against. However, there are many ways to prepare and reduce the effective threat to an organization. Here are four best practices that will help reduce or remove the threat posed by many, if not all, zero-day attacks.

1. Preventative Security

The number one way to mitigate the damage from any attack on your system is to prevent it from happening in the first place. Maintaining a good firewall and up-to-date antivirus is the best step you can take to ensure the security of your system. A firewall, monitoring traffic in and out of your network, reduces unauthorized entry over the network. Even without knowing the exact nature of the attack, suspicious activity traveling in and out of the system can be stopped. The same is true of modern antivirus and Endpoint Detection and Response (EDR): even when it cannot identify the specific zero-day threat from its virus database, it can often identify malicious intent from learned behavior on the system.

2. A Locked Down Network

Should a zero-day threat make it into your network, your next goal should be to limit its effects. Organizations should always take a defense-in-depth approach to minimize potential damage to the company and its resources, applying security best practices across all software and hardware by enforcing compliance benchmarks where applicable. Benchmarking at the operating system, application and network layers will most assuredly prevent unauthorized access and lateral movement, and provide some level of alerting (if configured properly). By restricting user access to only essential files and systems, we limit the damage to the smallest number of systems. A good security policy dictates that each account should have full access only to the systems needed to complete the user’s job.
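The last two sentences describe a check that can be run rather than just stated: compare what each account has been granted against what its job role actually needs, and flag the excess. The script below is an added example for this article, not Sicura’s tooling; the roles, systems, access levels and accounts in it are constructed sample data, and the “blast radius” helper simply lists the systems an account holds full access to, which is the set a single compromised account could reach.

```python
"""Least-privilege audit: flag accounts whose granted access exceeds what
their job role needs, and show the blast radius of each account.
Added example for this article, not Sicura's tooling; every role, system
and account below is constructed sample data."""

from dataclasses import dataclass

# Constructed: the systems each job role needs and at what level.
# "rw" = full access, "ro" = read-only, "none" = no access required.
ROLE_REQUIREMENTS = {
    "accountant": {"finance-db": "rw", "file-share": "ro"},
    "developer": {"build-server": "rw", "git": "rw", "file-share": "ro"},
    "helpdesk": {"ticketing": "rw", "file-share": "ro"},
}

LEVEL_RANK = {"none": 0, "ro": 1, "rw": 2}


@dataclass
class Finding:
    account: str
    system: str
    granted: str   # level actually granted
    required: str  # level the role needs


def audit_account(account: str, role: str, grants: dict) -> list:
    """One Finding per system where the grant is broader than the role needs.
    An account with an unknown role gets every grant flagged, since nothing
    documents what it should have."""
    needed = ROLE_REQUIREMENTS.get(role, {})
    return [
        Finding(account, system, level, needed.get(system, "none"))
        for system, level in grants.items()
        if LEVEL_RANK[level] > LEVEL_RANK[needed.get(system, "none")]
    ]


def audit_directory(directory: dict) -> list:
    """directory maps account -> (role, {system: level}); returns all findings."""
    findings = []
    for account, (role, grants) in directory.items():
        findings.extend(audit_account(account, role, grants))
    return findings


def blast_radius(directory: dict, account: str) -> list:
    """Systems that would be fully exposed if this one account were compromised."""
    _, grants = directory[account]
    return [system for system, level in grants.items() if level == "rw"]


# Constructed sample directory: bob has drifted beyond the developer role,
# and svc-old is a service account nobody has a role definition for.
SAMPLE_DIRECTORY = {
    "alice": ("accountant", {"finance-db": "rw", "file-share": "ro"}),
    "bob": ("developer", {"build-server": "rw", "git": "rw",
                          "file-share": "rw", "finance-db": "ro"}),
    "carol": ("helpdesk", {"ticketing": "rw", "file-share": "ro"}),
    "svc-old": ("unknown", {"finance-db": "rw"}),
}

if __name__ == "__main__":
    for f in audit_directory(SAMPLE_DIRECTORY):
        print(f"{f.account}: {f.system} granted={f.granted} required={f.required}")
    print("bob blast radius:", blast_radius(SAMPLE_DIRECTORY, "bob"))
```

Run against the sample directory it reports bob’s read-write grant on the file share (the role only needs read), bob’s read access to the finance database (not needed at all), and every grant held by the undocumented service account. Feeding it a real export from a directory or IAM system is the natural next step; the role table is the part that has to be agreed with the business.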

3. Implement Patch Management

It’s imperative that an organization have a patch management policy and process, clearly communicated to all employees and coordinated with the development, IT operations and security teams. As part of that process there should be an emergency out-of-band patch process for zero-day patches: an accelerated path that lessens the window in which a zero-day vulnerability can be exploited.

In larger organizations, it is important to use automation to manage patches. You can use patch management solutions to automatically source patches from software vendors, identify systems that require updates, test the changes introduced by the patch, and automatically deploy the patch to production. This avoids delays in deploying patches and prevents the inevitable legacy system that is forgotten or left behind when the rest are updated.

Patch management cannot prevent zero-day attacks, but it can significantly reduce the exposure window. For a severe vulnerability, software vendors might issue a patch within hours or days. Automated patch management can help you deploy it quickly, before attackers identify the vulnerability in your systems and exploit it.
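Two of the steps above, identifying the systems that still need the patch and catching the host that was left behind, are the part of patch management that is easy to get subtly wrong, so here is an added example of that check. It is not Sicura’s code or any vendor’s product; the advisory, the package name, the host inventory and the dates are all constructed. It compares installed versions numerically rather than as strings (a common bug that makes “2.4.9” look newer than “2.4.51”), reports how many days each vulnerable host has been exposed since the fix was published, and separately lists hosts that have stopped reporting, whose patch state is simply unknown.

```python
"""Patch coverage check for one advisory: which hosts still run a vulnerable
version, how long they have been exposed, and which hosts have gone quiet.
Added example for this article, not Sicura's code or a vendor product;
the advisory, package, inventory and dates are constructed sample data."""

from datetime import datetime, timedelta


def parse_version(v: str) -> tuple:
    """'2.4.51' -> (2, 4, 51) so versions compare numerically.
    As plain strings '2.4.9' > '2.4.51', which would hide a vulnerable host."""
    return tuple(int(part) for part in v.split("."))


# Constructed advisory: the first version that contains the fix.
ADVISORY = {
    "package": "webapp",
    "fixed_version": "2.4.51",
    "published": datetime(2024, 3, 1),
}

# Constructed inventory: host, installed version of the package (if any),
# and when the host last checked in with the patch management system.
INVENTORY = [
    {"host": "web-01", "webapp": "2.4.51", "last_seen": datetime(2024, 3, 5)},
    {"host": "web-02", "webapp": "2.4.49", "last_seen": datetime(2024, 3, 5)},
    {"host": "web-03", "webapp": "2.4.9",  "last_seen": datetime(2024, 3, 5)},
    {"host": "legacy-01", "webapp": "2.3.1", "last_seen": datetime(2024, 1, 10)},
    {"host": "db-01", "last_seen": datetime(2024, 3, 5)},  # package not installed
]

# Constructed "current time" for the sample run.
NOW = datetime(2024, 3, 8)


def assess(inventory: list, advisory: dict, now: datetime,
           stale_after: timedelta = timedelta(days=14)):
    """Return (vulnerable, stale).

    vulnerable: [(host, installed_version, days_exposed)] for hosts below the
                fixed version, in inventory order.
    stale:      hosts that have not checked in within stale_after; their
                patch state cannot be trusted even if the last report looked fine.
    """
    fixed = parse_version(advisory["fixed_version"])
    vulnerable, stale = [], []
    for rec in inventory:
        if now - rec["last_seen"] > stale_after:
            stale.append(rec["host"])
        installed = rec.get(advisory["package"])
        if installed is None:
            continue  # package absent: this advisory does not apply
        if parse_version(installed) < fixed:
            days_exposed = (now - advisory["published"]).days
            vulnerable.append((rec["host"], installed, days_exposed))
    return vulnerable, stale


def run_sample():
    """Assess the constructed inventory at the constructed NOW."""
    return assess(INVENTORY, ADVISORY, NOW)


if __name__ == "__main__":
    vulnerable, stale = run_sample()
    for host, version, days in vulnerable:
        print(f"{host}: {version} < {ADVISORY['fixed_version']}, exposed {days} days")
    for host in stale:
        print(f"{host}: no check-in for over 14 days, patch state unknown")
```

On the sample data web-02, web-03 and legacy-01 are reported as vulnerable seven days after the fix shipped, and legacy-01 is also flagged as stale: it is exactly the forgotten system the paragraph above warns about, and it would have been missed entirely by a report that only listed hosts that checked in recently.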

4. Have an Incident Response Plan Ready

Organizations of all sizes will benefit from having an incident response plan that provides an organized process for identifying and dealing with a cyberattack. Having a specific plan focused on zero-day attacks will give you a huge advantage in case of an attack, reduce confusion and increase your chances of avoiding or reducing damage.

When drafting your plan, follow the SANS Institute’s six stages of incident response. The plan should specify:

  • Preparation – perform a risk assessment and identify which are the most sensitive assets the security team should focus on. Prepare documentation that states the roles, responsibilities and processes.
  • Identification – define how to detect a potential zero-day attack (using tools and/or operational processes), validate it is really an attack, and which additional data needs to be collected to deal with the threat.
  • Containment – once a security incident is identified, the immediate steps that can be taken to contain it and prevent further damage, and the longer-term steps that can be taken to clean and restore affected systems.
  • Eradication – how to identify the root cause of the attack and ensure steps are taken to prevent similar attacks.
  • Recovery – how to bring production systems back online, test them, and how long to monitor systems to ensure they are back to normal.
  • Lessons Learned – perform a retrospective no later than two weeks from the end of the incident, to review tooling and organizational processes, and see how to be better prepared for the next attack.

Here at Sicura, we specialize in working with organizations to securely lock down their environment using compliance policies applicable to their organization. Reach out to learn how we can help!