A ShmooCon Recap: “Why We Need to Stop Panicking about Zero-Days”


This past weekend, the premier East Coast hacker con, ShmooCon, kicked off its 2024 conference with more than 40 sessions covering a range of security topics. This year, one talk that really impressed us was by Katie Nickels, cybersecurity expert and Director of Intelligence Operations at Red Canary. We were thrilled to hear her talk about zero-days and vulnerabilities. In this post, we summarize her session, titled “Why We Need to Stop Panicking about Zero-Days.”

The Zero-Day Hype Machine

In her presentation, Nickels notes that we’ve all seen headlines in some variation of “Zero-Day Vulnerability Exploited in the Wild!” These are typically followed by media and social media proclamations to “cancel your weekend plans” to deal with that zero-day.

These attention-grabbing pronouncements often trigger a mad scramble for patching and finger-pointing, but is this the most effective way to approach vulnerabilities? Nickels argues that it’s not. Read on to find out why.

Beyond the Binary: Understanding Vulnerability Nuance

There is no one-size-fits-all trait for vulnerabilities. Earlier in her presentation, Nickels defines a vulnerability as a “flaw or weakness in code that can cause it to behave in an unintended way,” and a zero-day as “a vulnerability that is discovered by adversaries or researchers before others know about it.”

Nickels goes on to emphasize the importance of distinguishing between public or known vulnerabilities and zero-day vulnerabilities. Public or known vulnerabilities, as the name suggests, are publicly disclosed flaws that security researchers and vendors are aware of. Oftentimes, these vulnerabilities have patches, mitigations, or other technical remediations to help eliminate the vulnerability or reduce its likelihood of exploitation.

Zero-day vulnerabilities, on the other hand, are like uninvited guests at a cybersecurity party – no one knows they’re there until they’ve already started causing trouble. These unknown vulnerabilities can be exploited by attackers before vendors or researchers have a chance to discover them, making them more challenging to defend against.

Why the Panic is Counterproductive

While zero-day vulnerabilities deserve serious attention, Nickels argues that the current approach to panic is counterproductive. This frenzy can lead to wasted time and resources, as well as hinder efforts to address more pressing security concerns.

This is because “malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities,” per the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). GreyNoise Intelligence, a cybersecurity company that analyzes internet scanning traffic, confirmed this, noting that “the vast majority are still vulnerabilities older than the current year.”

How to Approach Vulnerabilities, Including Zero-Days

So instead of worrying about zero-days, what can you do? Nickels proposes a more measured approach, starting with understanding common exploitation paths. She dives into examples of what this means in her slides, which you can download here. Finally, she suggests making plans for vulnerabilities in advance, before the next headline lands.

Because some vulnerabilities are more likely to be exploited than others, depending on factors like their severity and ease of execution, you should focus on the most exploitable vulnerabilities. This will yield the greatest security benefit. When finding and remediating vulnerabilities, if you can patch it, do it.

For zero-days, instead of panicking, Nickels lays out a clear, thoughtful process for addressing these:

  1. “Determine if you’re affected by the vulnerability.”
  2. “Analyze the type of vulnerability it is.”
  3. “Research if/how threats are exploiting the vulnerability.”
  4. “Assess how hard it is to fix or mitigate.”
  5. “Take action to improve your defenses.”
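The five steps above, and the earlier advice to prioritize by exploitability rather than by headline, can be turned into a small triage routine. This is an added example for this post, not code from Nickels’ talk or from Syxsense; every asset, product, version and vulnerability record in it is constructed, and the `patch_available` flag stands in for the step-4 “how hard is it to fix” assessment.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    vuln_id: str                  # constructed label, not a real CVE identifier
    product: str
    affected_versions: frozenset  # step 1: which versions are affected
    vuln_type: str                # step 2: e.g. "rce", "auth-bypass", "dos"
    exploited_in_wild: bool       # step 3: threat intel shows active exploitation
    patch_available: bool         # step 4: is the fix a routine patch?
    is_zero_day: bool = False     # changes the headline, not the score

@dataclass
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool

def affected_assets(vuln, assets):
    """Step 1: does the flaw touch anything we actually run?"""
    return [a for a in assets
            if a.product == vuln.product and a.version in vuln.affected_versions]

def triage(vuln, assets):
    """Steps 1-4 folded into a score, step 5 as the recommended action."""
    hits = affected_assets(vuln, assets)
    if not hits:                           # loud headline, zero exposure
        return {"id": vuln.vuln_id, "score": 0, "action": "not affected; monitor"}
    score = 40 if vuln.exploited_in_wild else 10              # step 3 weighs most
    score += 20 if vuln.vuln_type in {"rce", "auth-bypass"} else 5  # step 2
    score += 15 if any(a.internet_facing for a in hits) else 0
    score += min(10, 2 * len(hits))                           # blast radius
    if not vuln.patch_available:                              # step 4
        action = "mitigate (isolate, disable feature) and watch for a fix"
    else:
        action = "patch now" if score >= 60 else "patch in normal cycle"
    return {"id": vuln.vuln_id, "score": score, "action": action}

def prioritize(vulns, assets):
    """Highest score first: exploited, exposed, affected bugs rise to the top."""
    return sorted((triage(v, assets) for v in vulns), key=lambda r: -r["score"])

# Constructed inventory: a hyped zero-day in a product we do not run, an old
# actively exploited auth bypass on an exposed host, and a low-impact DoS.
ASSETS = [Asset("web-01", "acme-gateway", "2.1", True),
          Asset("db-01", "acme-db", "5.4", False)]
VULNS = [Vuln("ZD-HYPE-1", "other-vpn", frozenset({"9.0"}), "rce", True, False, True),
         Vuln("OLD-1", "acme-gateway", frozenset({"2.0", "2.1"}), "auth-bypass", True, True),
         Vuln("NEW-1", "acme-db", frozenset({"5.4"}), "dos", False, True)]
```

Running `prioritize(VULNS, ASSETS)` puts the old, exploited auth bypass first and the headline zero-day last, because nothing in the inventory is affected by it.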

Moving Forward: A Proactive Approach

After finding and fixing hundreds of thousands of vulnerabilities for enterprises all over the world, we at Syxsense agree that a more comprehensive approach to vulnerability management is necessary, just as Nickels suggests.

While zero-days get all the news, bolstering your enterprise’s cyber hygiene with regular patch and vulnerability scanning and remediation, along with ensuring endpoint control and configuration hardening, is the real key to staying ahead of attackers. This involves focusing on the vulnerabilities most likely to be exploited, utilizing threat intelligence to prioritize patching efforts, and monitoring for common exploit patterns.

Instead of panicking with every new headline, we encourage you to shift towards proactive, informed vulnerability management.

Trying to figure out how to do that? Syxsense takes the guesswork out of vulnerability management with our unified platform. It automatically scans all endpoints for vulnerabilities, prioritizes them based on exploitability and risk, and provides automated patching and remediation options. Book a demo to find out how we can help you.