If you’re not in IT, you probably don’t know what a Zero-Day exploit is – but don’t click away. We now live in an increasingly digital and connected world, and we all need to understand what cyber criminals are capable of and what an attack looks like when it happens to you.
A Zero-Day exploit is a cyberattack that leverages a previously unknown vulnerability. It gets the snappy name because the vendor has had ‘zero days’ to fix the flaw before malicious actors exploit it – you have no time to act because you didn’t know the weakness existed.
These exploits are particularly dangerous because they are used before a patch (fix) or mitigation exists, which makes them highly effective for attackers. It becomes a race: the good guys must secure their systems before the bad guys (an attacker) find the vulnerability in their environment and exploit it.
So, what does this look like in the real world? And what role does a good managed security service play? Let’s take a look at a real-world example…
The Problem
Check Point (CP) issued an advisory for a zero-day vulnerability. They had identified several customers that had been compromised; all of these were instances where Remote Access had been enabled using username and password only.
CP had uncovered a weakness that allowed attackers to exfiltrate a copy of the firewall configuration, including the remote access users’ credentials. Fortunately, where two-factor authentication (2FA) was enabled, a stolen password alone was not enough to log in, so those accounts could not be exploited this way (another good example of why 2FA is a smart choice).
What happened next?
The vulnerability was published through the standard process: it was assigned a CVE identifier and an advisory was released, including (when available) recommendations on what customers should do to resolve the issue. Security professionals monitor new CVEs to identify and mitigate new threats.
In this case, there were two separate issues to resolve as part of this one vulnerability:
- Stop attackers logging in with the already-compromised credentials of accounts that had no MFA
- Stop attackers exfiltrating the firewall configuration and obtaining user credentials in the first place
The guidance was clear:
- Immediately disable the username and password-only remote access methods
- Apply a patch to all affected firewalls as soon as possible
Where was Criticalis in all of this?
Criticalis has long advocated the use of multi-factor authentication (MFA) wherever possible, precisely because you never know when a zero-day will pop up.
Most of our clients were unaffected and continued with their current method of authentication. Once the patch was published, we contacted each client to agree a window in their operations to implement the fix, mainly early morning, late evening or weekend slots to avoid disruption to the business.
For the clients who were impacted – those using username and password only – we disabled remote access as soon as they gave us approval to do so. We then worked with each client to implement a second authentication factor for their users.
To speed up implementation, we provisioned the mechanism and as much of the process as we could, then sent our clients instructions on completing enrolment on the end-user machines. For clients in other regions, such as Asia, with a notable time difference, we made sure we were online at appropriate times of the day to support them with any challenges they experienced.
Once further information on the threat actors was published, we ran the checks we could for Indicators of Compromise (IoCs) and reported our findings back to each client.
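To make the response concrete, here is a small triage script that works through the two pieces of guidance above (identify the password-only accounts whose remote access must be switched off) and the IoC check described here (post-disclosure logins by those accounts from source addresses they never used before). This is an added example, not Check Point or Criticalis tooling: the account inventory, the key=value log format and the disclosure timestamp are all constructed for illustration, and `parse_line()` would need adapting to whatever the real gateway exports.

```python
"""Triage helper for a leaked-credential remote-access incident.

Constructed example, not vendor or Criticalis tooling. The account
inventory, log format and timestamps below are hypothetical stand-ins.
"""
import re
from datetime import datetime, timezone

# Hypothetical account inventory: username -> configured authentication method.
ACCOUNTS = {
    "alice": "password+otp",
    "bob": "password",
    "carol": "password",
    "dave": "password+otp",
}

# Constructed remote-access authentication log in a made-up key=value format.
# Addresses are RFC 5737 documentation ranges.
AUTH_LOG = """\
2024-05-27T08:02:11Z user=bob src=203.0.113.10 method=password result=success
2024-05-27T09:15:40Z user=carol src=203.0.113.22 method=password result=success
2024-05-27T10:01:03Z user=alice src=198.51.100.5 method=password+otp result=success
2024-05-29T01:44:09Z user=bob src=192.0.2.77 method=password result=success
2024-05-29T01:45:30Z user=carol src=203.0.113.22 method=password result=success
2024-05-29T02:10:12Z user=alice src=192.0.2.77 method=password result=failure
2024-05-29T03:05:51Z user=dave src=192.0.2.78 method=password+otp result=success
"""

# Moment the advisory became public (constructed for this example).
DISCLOSURE = datetime(2024, 5, 28, 0, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def password_only_accounts(accounts):
    """Guidance step 1: accounts whose remote access must be disabled until a
    second factor is enrolled, because a leaked password is all an attacker needs."""
    return sorted(user for user, method in accounts.items() if method == "password")


def suspicious_logins(events, accounts, disclosure):
    """IoC check: successful post-disclosure logins by password-only accounts from
    a source address that account never used successfully before disclosure.
    MFA-protected accounts are excluded by construction, since the stolen
    password alone cannot complete their login."""
    exposed = set(password_only_accounts(accounts))
    baseline = {}  # user -> set of source addresses seen before disclosure
    for ev in events:
        if ev["ts"] < disclosure and ev["result"] == "success":
            baseline.setdefault(ev["user"], set()).add(ev["src"])
    hits = []
    for ev in events:
        if ev["ts"] < disclosure or ev["result"] != "success":
            continue
        if ev["user"] in exposed and ev["src"] not in baseline.get(ev["user"], set()):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("Disable password-only remote access for:", password_only_accounts(ACCOUNTS))
    for ev in suspicious_logins(parse_log(AUTH_LOG), ACCOUNTS, DISCLOSURE):
        print(f"investigate: {ev['user']} from {ev['src']} at {ev['ts'].isoformat()}")
```

On the constructed data, `bob` and `carol` come out as the accounts to disable, and only `bob`'s login from a never-before-seen address after disclosure is flagged; `carol`'s post-disclosure login from her usual address is not, and `alice`'s password-only attempt from the same new address fails because her account requires a second factor. A baseline built from successful pre-disclosure logins is a deliberately conservative choice: it keeps the output short enough to hand to a client, at the cost of missing an attacker who happens to come from an address the user has legitimately used before.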
After that, we caught up on a bunch of sleep and picked back up all the other to-do list items. It’s a hard life being a cyber security consultant!