Defenseless Vulnerabilities: The Ultimate Incident Response Challenge

You can’t find them with any vulnerability scanners. They exist somewhere within the realm of the unknown, waiting to be uncovered, and what’s worse is that there are no bug fixes or patches.


This means the affected systems are defenseless against the flaw's discovery and exploitation, and they remain that way until the vendor or developer learns of it, at which point they have had "zero days" to repair the vulnerable system. This makes these flaws one of the most dangerous security threats in existence.


In a nutshell, a zero-day exploit targets a previously unknown vulnerability, an attack vector that is arguably the most valuable discovery in a hacker's arsenal. When a juicy target is involved, these exploits can be very lucrative on the open market: the discoverer can hold the knowledge hostage and offer it to the highest bidder, and some have been priced at more than $1 million.


This is a harrowing problem for Incident Response teams. They have honed their responses around simulated attacks and campaigns, almost like choreographing a dance, but the reality of zero-day exploits is that the response to that particular incident has yet to be worked out. Whoever finds the vulnerability first can determine how much damage a threat actor is able to cause.


Record-Breaking Year For Zero-Day Attacks


This year has seen the highest volume of zero-day attacks on record, according to researchers and cybersecurity companies who discussed the issue with MIT Technology Review.


At least 66 zero-day vulnerabilities have been discovered so far this year, according to the 0-day tracking project. That figure has doubled since 2020 and is higher than in any previous year.


"An increase is for sure what we're seeing," said Eric Doerr, Microsoft's vice president for cloud security. "The interesting question is what does it mean? Is the sky falling? I'm in the camp of 'Well, it's nuanced.'"

In other words, industry specialists aren't certain how to explain the significant increase in zero-day exploits being weaponized by threat actors, or what it means in the grand scheme of things.


Ultimately, this leaves more questions than reliable or concise answers, though it is certainly possible that the growing availability of hacking tools to anyone who wants them is a contributing factor.


Additionally, state-sponsored government hacking units are behind many of the cyberattacks involving zero-day vulnerabilities. China alone has been suspected of being behind nine zero-day attacks this year, according to Jared Semrau, director of vulnerability and exploitation at FireEye Mandiant. Semrau said:

“We have this top tier of sophisticated espionage actors who are definitely operating at full tilt in a way we hadn’t seen in past years.”

Common Tactics For Incident Response Playbooks


It is well known that frequent, large-scale network vulnerability scans are a crucial part of an everyday cybersecurity strategy, but such persistent reconnaissance does very little to prevent a zero-day attack. While vulnerability scanning can detect some zero-day bugs, it can't detect them all.


When one is uncovered, it is even more critical for Incident Response teams to jump into action and immediately begin code analysis in order to sanitize the affected code. Incidents like these require a quick response because threat actors can operate faster than a company can organize its IT team. By the time the threat is detected, it's usually too late, because the zero-day has already been exploited.


One of the problems with zero-day exploits is that they are often capable of slipping past firewalls. They can exploit trusted applications, which shields the intrusion from being flagged or detected. However, the buck doesn't stop there, because one of the most viable defenses against this attack vector is a strong web application firewall (WAF).


Analyzing the TCP/IP behavior of web applications, how they communicate over the internet with different services and how they interact with end users, reveals behavior patterns that we all come to recognize. Predictable patterns are good.

Building on those patterns, a WAF analyzes all inbound traffic to web applications and filters out abnormal and malicious traffic, preventing the exploitation of bugs.


In other words, while a trusted application can be configured to allow a safe and cautious flow of TCP activity, if a threat actor manages to abuse a trusted application to try to slip past your defenses, the suspicious or malicious traffic can be stopped before any real damage takes place.


Racing to deploy patches takes precious time. But stopping malicious traffic is a quick no-brainer and should be included in any Incident Response plan.


Actionable Incident Response Techniques


Don’t scratch your heads if your Incident Response team suddenly starts seeing suspicious outbound traffic while focused on the initial malicious incoming traffic. This could mean that the bad actor has established residence on the affected server and no longer requires the zero-day for gaining illicit access.


After all, what happens if your company has just fallen prey to a zero-day attack and the malicious incoming TCP/IP packets suddenly stop? Your first reaction might be to assume that the attacker has given up or that their access has been thwarted.


I used to operate as a threat actor. With that being said, one of the first and foremost activities pursued by a threat actor after gaining unauthorized access to a protected computer system is to maintain access by any means necessary.

My first order of the day after gaining access was simply to quickly open the Event Viewer and see who was logged in. I wanted to avoid running into any system administrator. Next, I modified or erased any evidence of my illicit access.


The last phase was to maintain my access through the use of multiple remote access trojans. I closed the door I used to enter the system, so I could open my own. Therefore, any competent network admin would have been able to monitor the outbound traffic leaving their network, as I sent instructions to other remote systems and uploaded my toolkit to the systems I had hijacked.


This is why monitoring outbound traffic is essential and very useful in mitigating zero-day attacks.


Analyzing the activity logs from the router is also an essential tool in the Incident Responder's tool belt. It helps determine what is occurring behind the scenes that might not have been noticed during live monitoring. The router is also where permissions can be set for outbound and inbound traffic; anything that doesn't seem to belong can and should be restricted there.
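As an added illustration (not code from the article), here is a small Python check that applies the advice above to a constructed router log: it builds a baseline of the destinations an internal server talked to before a suspected compromise, then flags any later outbound connections to destinations not in that baseline and any unusually large outbound transfers. The log line format, the server address 10.0.0.5 and the incident cut-off time are assumptions.

```python
from datetime import datetime

# Constructed sample router log lines (not from the article). The line format is
# an assumption: <timestamp> <dir> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>
SAMPLE_LOG = """\
2021-09-01T10:00:01 OUT 10.0.0.5:51234 -> 203.0.113.10:443 TCP 1200
2021-09-01T10:00:07 IN  198.51.100.3:40000 -> 10.0.0.5:443 TCP 600
2021-09-01T10:01:00 OUT 10.0.0.5:51250 -> 203.0.113.20:53 UDP 80
2021-09-02T10:05:00 OUT 10.0.0.5:51300 -> 203.0.113.10:443 TCP 1100
2021-09-03T02:13:05 OUT 10.0.0.5:51400 -> 198.51.100.77:4444 TCP 512
2021-09-03T02:13:30 OUT 10.0.0.5:51401 -> 198.51.100.77:4444 TCP 52000000
2021-09-03T02:14:00 OUT 10.0.0.5:51402 -> 203.0.113.10:443 TCP 900
"""

# Assumed point in time after which the server is treated as possibly compromised.
INCIDENT_START = datetime(2021, 9, 3)

def parse_line(line):
    """Turn one log line into a dict; split() tolerates the padding after IN."""
    ts, direction, src, _arrow, dst, proto, nbytes = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "dir": direction, "src": src,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto,
            "bytes": int(nbytes)}

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def outbound_baseline(records, cutoff):
    """Destinations (ip, port) the host talked to before the cutoff: its normal pattern."""
    return {(r["dst_ip"], r["dst_port"])
            for r in records if r["dir"] == "OUT" and r["time"] < cutoff}

def find_outbound_anomalies(records, cutoff, upload_threshold=10_000_000):
    """Flag post-cutoff outbound flows to never-seen destinations (an intruder's own
    remote systems) and unusually large outbound transfers (data leaving the network)."""
    known = outbound_baseline(records, cutoff)
    reported, alerts = set(), []
    for r in records:
        if r["dir"] != "OUT" or r["time"] < cutoff:
            continue
        key = (r["dst_ip"], r["dst_port"])
        if key not in known and key not in reported:   # report each new destination once
            reported.add(key)
            alerts.append(("new-destination", key[0], key[1], r["time"].isoformat()))
        if r["bytes"] >= upload_threshold:
            alerts.append(("large-upload", key[0], key[1], r["bytes"]))
    return alerts
```

Running `find_outbound_anomalies(parse_log(SAMPLE_LOG), INCIDENT_START)` on the constructed log reports the new 198.51.100.77:4444 destination once and the 52 MB transfer to it, while the routine HTTPS and DNS flows stay quiet.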


It is equally important to rely on Threat Intelligence platforms, many of which leverage AI-driven threat intelligence databases that can provide critical insights for mitigating and deterring cyber threats.


It’s never a question if an intrusion will take place, but when. Therefore, it’s important to keep a level head, stay ready to go at a moment’s notice and be ready to deploy your Incident Response team in the unfortunate event of an intrusion.


Most hackers aren't ready to go toe-to-toe against a competent Incident Response team. Cybercriminals typically prefer a quieter scenario, where they can work at a comfortable pace and cover their tracks.


An article by Jesse McGraw

Edited by Ana Alexandre

