I Worry About Zero Day

We are often faced with client situations where we need to improve cyber security on systems that have not been patched, that are old and vulnerable, or that present a significant risk to the business if they are altered. For example, we have clients that are using old versions of Windows Server and SQL Server, Microsoft Exchange and other infrastructure that is no longer maintainable (no more security patches). In some cases, clients just can't afford to change.

We also often find that "zero day" attacks are hard to mitigate affordably. A zero day vulnerability is a weakness that the vendor (software/firmware/hardware) is unaware of and that is exploited by attackers who learn of the weakness before anyone else. As more people and organisations participate in the digital revolution, there are more instances of such vulnerabilities than there were several years ago.

We often discover vulnerabilities only after an attack has occurred, or when researchers find them and make everyone aware. The challenge is that when researchers or authorities discover vulnerabilities, they tell everyone. That disclosure becomes an instruction set for hackers, while in some cases the vendor still has to work out a solution, which can take some time. So a race starts.

Many attackers use Shodan-style search engines to find out which IP addresses are running which applications. Then off they go, armed with their new instruction set. Quite often, organisations won't be aware of the alerts provided by researchers and authorities, especially while they are asleep at night. This is a worrying exposure, and many organisations don't have the staff, tools or discipline to react constantly.

A classic example of a zero day event? The SolarWinds attack of December 7th, 2020. In this case, the attackers were able to gain access to the SolarWinds infrastructure and stay dormant there for 12-14 months beforehand.

Products like the Laminar SIEM may alert you to unusual behaviour, but it can be too late if the attacker is very sophisticated and we don't know what to look for. We may be able to create highly protected infrastructure, but sometimes a simple mistake by an employee can allow an attacker to gain a foothold. Endpoint detection solutions (EDR/antivirus) often only report or alert you once something has already started (in the case of a sophisticated attack).

So we have always been exposed when it comes to protecting IT infrastructure once it is compromised. It has also been very expensive to totally mitigate the risk of a "zero day" threat on server-based systems, until now.

Late last year we discovered a product from the US that we felt would help us and our clients deal with this risk. It's from a company called Virsec. Their product originated from a requirement to secure computer platforms that operate in an "air-gapped" environment (not connected to the outside world, such as the internet) and in military applications.

We decided to try the product in our own infrastructure and saw how effective it was and how good the reporting we get out of it is. We are now offering it to our clients and have built a connection to our SIEM, so that if any of our clients use it we can integrate its reporting and alerts into the SIEM dashboard.

How does it work? One of the interesting aspects of this technology is that it does not use traditional signatures downloaded from analyst organisations and does not need to consult anything external in order to work. When loaded onto a server, the software maps out the characteristics of the server and of the applications that are running on it or that it will load. It creates its own view, or map, of normal operations, including how run-time memory is used, disk reads and writes, libraries, networking and sequences of operations.

If the software detects unusual behaviour, that is, something that differs from the normal view or does not follow the map, the Virsec software stops the server, the computer or the affected application. Virsec boasts that it can protect applications even if the attacker's code is already on the server!
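To make the "map of normal operations" idea concrete, here is an added Python example written for this post; it is not Virsec's code and says nothing about how their product is built. It uses a constructed stream of activity events (library loads, network connections, file access, memory region permissions) for two hypothetical applications, `webapp` and `updater`: a learning phase records what each application normally does, and an enforcement phase flags anything outside that learned map, plus one baseline-independent rule for memory regions that are both writable and executable. No signatures or external feeds are consulted, which is the property the post highlights.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed activity on a monitored host (constructed for this example)."""
    app: str     # application or process the activity belongs to
    kind: str    # "library", "network", "file" or "memory"
    detail: str  # library path, "host:port", "path:mode" or memory permissions


def build_baseline(learning_events):
    """Learning phase: record, per (app, kind), every detail seen during
    normal operation. This is the local 'map of normal'; nothing external
    is consulted."""
    baseline = defaultdict(set)
    for e in learning_events:
        baseline[(e.app, e.kind)].add(e.detail)
    return dict(baseline)


def detect_deviations(baseline, observed_events):
    """Enforcement phase: flag any activity that is not in the learned map.
    Returns a list of (event, reason) tuples, in observation order."""
    findings = []
    for e in observed_events:
        # Hard rule, independent of the baseline: a memory region that is both
        # writable and executable is a classic indicator of injected code.
        if e.kind == "memory" and "w" in e.detail and "x" in e.detail:
            findings.append((e, "writable+executable memory region"))
            continue
        allowed = baseline.get((e.app, e.kind))
        if allowed is None:
            findings.append((e, "no baseline for this application/activity type"))
        elif e.detail not in allowed:
            findings.append((e, "outside learned baseline"))
    return findings


def apps_to_halt(findings):
    """Applications an enforcement layer would stop: only those with a
    finding, so the rest of the server keeps running."""
    return sorted({e.app for e, _ in findings})


# Constructed learning data: what the applications do during normal operation.
LEARNING = [
    Event("webapp", "library", "/usr/lib/libssl.so"),
    Event("webapp", "library", "/opt/webapp/lib/app.jar"),
    Event("webapp", "network", "db.internal:5432"),
    Event("webapp", "file", "/var/log/webapp/app.log:write"),
    Event("webapp", "memory", "r-x"),
]

# Constructed monitoring data: normal activity mixed with four deviations.
OBSERVED = [
    Event("webapp", "library", "/usr/lib/libssl.so"),        # normal
    Event("webapp", "network", "db.internal:5432"),          # normal
    Event("webapp", "network", "203.0.113.5:4444"),          # new outbound destination
    Event("webapp", "library", "/tmp/unknown.so"),           # library never seen before
    Event("updater", "file", "/etc/passwd:read"),            # app with no baseline at all
    Event("webapp", "memory", "rwx"),                        # writable+executable region
]

if __name__ == "__main__":
    baseline = build_baseline(LEARNING)
    for event, reason in detect_deviations(baseline, OBSERVED):
        print(f"[{reason}] {event.app} {event.kind} {event.detail}")
    print("halt:", apps_to_halt(detect_deviations(baseline, OBSERVED)))
```

The value of this model is that a brand-new exploit still has to do something (load a library, open a connection, change memory permissions), and that something is judged against what the application normally does rather than against a list of known-bad patterns. The caveat a practitioner should keep in mind is the learning phase: if the baseline is captured while the system is already compromised, or is too narrow and misses a legitimate monthly job, the result is either a blind spot or a false halt, so the map needs to be built on a known-clean system and reviewed when the application changes.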

At the end of last year a vulnerability called Log4J was exposed. It was, and still is, hard for some organisations to deal with. If you were operating Virsec DPP you would not have to worry or even patch. If you are running Windows Exchange and can't afford to change, Virsec can provide you some peace of mind and even help you comply with the Essential 8.

Interested in trialling the software for yourself? Please let us know; we can help you with it.

- By Alan Kepper