Organizations should start by only focusing on the bugs relevant to the application systems they use in-house. From that point, security teams can work to identify which of those bugs are being actively exploited and which are part of the business’s critical infrastructure. These are the key vulnerabilities to hone in on – the ones that could pose significant harm to your organization.
The next is to identify those applications and/or operating systems that have actively exploited vulnerabilities in-the-wild. A good resource is the CISA Known Exploited Vulnerability catalog that lists out these vulnerabilities. Also, any vulnerabilities that have a public proof of concept (POC) which we’ve seen weaponized by malicious actors.
An important part of this stage is gaining full visibility into an organization’s entire footprint. With businesses of any size, old applications, networks, systems, devices, and servers can go undetected. This opens a range of possibilities for malicious actors to exploit vulnerabilities that organizations didn’t even know applied to them.
2. Make A Zero-Day Plan for When, Not If
Eighteen zero-day exploits have already been used in the first half of 2022 and half of these zero-day exploits are variants of bugs that were previously identified. Today’s malicious actors are growing more innovative, with many now analyzing recommended patches and finding vulnerabilities within these patches themselves.
Moreover, zero-day exploits are extremely lucrative for threat actors. Investigative journalist Brian Krebs recently reported that a Google Chrome zero-day exploit sold for a staggering $2M. As such, zero-day vulnerabilities will always be a matter of when not if.
Zero-days are difficult to defend against due to their very nature; they’re new vulnerabilities that can shift and evolve at any time. As a result, organizations may have an exploitable bug in their network without even knowing it.
Consistent monitoring for suspicious activity inside of networks is a must for defense against zero-day exploits. Staying up-to-date with bug bounty programs that leverage global threat intelligence, such as the Zero Day Initiative, is an ideal way to monitor these bugs and gain insight into public patches to fix vulnerabilities.
3. Communicate with Vendors
Today, organizations can invest in SaaS versions of applications, meaning vendors can automatically apply patches and updates to software without needing action or authorization. But patches are made by people, and people are subject to human error. Sometimes, even a good patch can temporarily take a system down. For businesses that operate on a 24/7 basis, this can incur huge opportunity costs.
To prevent potential issues with automated patching, organizations should communicate with their vendors about the possibility of rollbacks to previous versions of software. Rollbacks can also be useful in situations similar to the 2021 SolarWinds breach, where new updates are rolled out but infected. Additionally, businesses should ask if these rollbacks can be done in an automated way or if they will need to roll-back a real patch manually.
4. Utilize Virtual Patching
Unlike manual patching, virtual patching is a short-term implementation of actual patches made for known vulnerabilities. Virtual patches can be applied without having to reboot systems, making them great interim substitutes while waiting for a vendor patch to be released. Think of it like applying heavy-duty plumbing tape to a leaky pipe while waiting for the plumber to replace it entirely.
Read More HERE