Cyber Security: Zero-Day Risk Management
Zero-Day Attacks: The Bane of the Cyber Security Industry
During a cyber security investigation or an event that is eventually declared to be an incident, it is often not possible to determine whether the event is a known attack (known to the industry or one that previously impacted the company) or a Zero-Day (Day-Zero, 0-day) attack. An attack can be categorized into one or more of the following four buckets: (1) Malware, (2) Exploit, (3) Unauthorized Data Access, or (4) Unauthorized Identity Access.
To reiterate: during the early stages of an attack, when security event monitoring is still identifying and profiling suspicious events, users, and activity, it is not possible to determine whether the event is, in part or in whole, a known attack or something new that neither the industry nor the target organization has seen before. Furthermore, it is not even straightforward to determine whether it is a real attack at all, or whether the activity is caused by an operational issue or system anomaly that happens to trigger attack indicators (IoC / IoA).
When neither operational issues nor anomalies are (initially) identified as the root cause, a suspected attack can continue to be investigated. However, it will not be immediately possible to ascertain whether the attack is publicly known, i.e. has been seen "in the wild" before, or is actually a novel Zero-day attack: one for which no immediately known defense or remediation exists to thwart it.
As SOC Teams gain further knowledge and insight into an attack, both the confidence in the novelty of the attack and the availability of a defense or remediation for it increase over time. In addition, and importantly, THE IMPACT of an attack is also an ongoing, continuous, dynamic real-time assessment: a real-time estimate of the verified or suspected damage currently being attributed to the attack.
Hence, SOC Teams (must) treat all events as unknown “day-zero” attacks…
The time it takes from when a Tier I Analyst first starts to analyze a suspicious event or event of interest, through the escalation of the event to an incident, to the declaration of that incident as resolved with root cause analysis and lessons learned available (i.e. the moment it becomes a now-known attack belonging to one or more of the four buckets: (1) malware, (2) exploit, (3) unauthorized data access or (4) unauthorized identity access) is equivalent to the amount of time-effort expended in identifying the attack. With detection controls, this amount of time can be in the range of seconds or milliseconds (AV/IDS signature detection), or days, as in a Zero-day attack (multi-year persistence, multi-partite vector, advanced persistent threat), which may or may not be communicated to the industry and may instead be kept confidential by the company (both the nature and the technical details of the attack).
The advantage of detection controls is to reduce the time needed to identify an event/attack/incident as something known. The other advantage is to reduce the time it takes for an event to be escalated to an incident. Behavioral-based controls can identify suspicious behavior, but often not confirmed malicious behavior. Behavioral controls can exist as endpoint, network, or user activity (access control and system activity audit log) security controls.
Hence, only in retrospect or, at best, during response and recovery, can the attack be classified as Known or Unknown (i.e. Day-Zero). Correspondingly, malware can be classified according to its Yara family, and an exploit/vulnerability can be identified as X-day or Zero-day, X representing the number of days that have elapsed since a Mitre CVE/CWE number was initially registered.
Thus, all attacks during event/incident response can only be treated as Zero-day attacks (all best-in-class Security Operations and Incident Response teams behave this way anyway).
Ultimately, an attack can be classified as a Zero-day if the following remains true: No commercially available preventive or detective solution exists/existed to block or identify the (specific) attack.
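The lifecycle the article describes (an event is classified as unknown by default, escalated to an incident, resolved into one or more of the four buckets, with time-to-classify measured from first analysis and X-day derived from the CVE registration date) can be modelled in a few lines. The following is an added illustration and is not code from the original article; the class names, the two constructed events and their timestamps are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from enum import Enum
from typing import Optional


class Bucket(Enum):
    """The four attack buckets named in the article."""
    MALWARE = "malware"
    EXPLOIT = "exploit"
    DATA_ACCESS = "unauthorized data access"
    IDENTITY_ACCESS = "unauthorized identity access"


class Stage(Enum):
    EVENT = "event"          # suspicious event under Tier I analysis
    INCIDENT = "incident"    # escalated, response in progress
    RESOLVED = "resolved"    # root cause and lessons learned available


@dataclass
class Evidence:
    """One finding attached to an event (hypothetical structure)."""
    source: str             # e.g. "AV signature", "IDS rule", "behavioral"
    confirms_known: bool    # True only if it maps activity to an already-known attack
    cve_registered: Optional[date] = None  # set when the finding cites a CVE


@dataclass
class SecurityEvent:
    first_seen: datetime
    stage: Stage = Stage.EVENT
    buckets: set = field(default_factory=set)
    evidence: list = field(default_factory=list)
    resolved_at: Optional[datetime] = None

    def escalate(self) -> None:
        self.stage = Stage.INCIDENT

    def resolve(self, when: datetime, buckets) -> None:
        self.stage = Stage.RESOLVED
        self.resolved_at = when
        self.buckets = set(buckets)

    def classification(self) -> str:
        # Default is "unknown": the absence of a signature match is not
        # evidence that the attack is known, so it is treated as zero-day.
        if any(e.confirms_known for e in self.evidence):
            return "known"
        return "unknown (treat as zero-day)"

    def time_to_classify(self) -> Optional[timedelta]:
        """Elapsed time from first analysis to resolution, None while open."""
        if self.resolved_at is None:
            return None
        return self.resolved_at - self.first_seen


def x_day(cve_registered: date, observed: date) -> str:
    """X-day label: days elapsed since CVE registration; zero-day if none."""
    days = (observed - cve_registered).days
    return "zero-day" if days <= 0 else f"{days}-day"


def triage_examples() -> dict:
    """Two constructed events showing the fast and the slow path."""
    # Event A: AV signature match resolves it as known malware within seconds.
    a = SecurityEvent(first_seen=datetime(2024, 3, 1, 9, 0, 0))
    a.evidence.append(Evidence("AV signature", confirms_known=True))
    a.resolve(datetime(2024, 3, 1, 9, 0, 2), {Bucket.MALWARE})

    # Event B: only behavioral evidence; escalated and resolved days later,
    # still with no match to a known attack, so it stays zero-day.
    b = SecurityEvent(first_seen=datetime(2024, 3, 1, 9, 0, 0))
    b.evidence.append(Evidence("behavioral", confirms_known=False))
    b.escalate()
    b.resolve(datetime(2024, 3, 6, 9, 0, 0), {Bucket.EXPLOIT, Bucket.IDENTITY_ACCESS})

    return {"a": a, "b": b}


if __name__ == "__main__":
    for name, ev in triage_examples().items():
        print(name, ev.stage.value, ev.classification(), ev.time_to_classify())
    print(x_day(date(2024, 1, 10), date(2024, 1, 25)))
```

The point of the default in `classification()` is the article's own rule: nothing in the record can flip an event to "known" except positive evidence of a match, and the metric that matters for the SOC is how long `time_to_classify()` stays open.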
The lesson?
Zero-Day attacks are in the 4th Quadrant of Risk / Decision-Making.
In this Quadrant, nothing is known about the probability of an attack.
In the 4th Quadrant: Absence of Evidence is not Evidence of Absence. Or, better: Evidence of Absence (knowing nothing) is not Absence of Evidence, because there could be more future evidence that springs up and presents itself, i.e. events and attacks could manifest over time, and we cannot predict the future in the 4th Quadrant.