A zero-day alone does not make an attack. It is one element of many – and there’s much more we can do to increase the odds these attacks are defeated.
I recently participated in The Cipher Brief’s Cyber Advisory Board discussion on zero-day vulnerabilities and the extent to which, if any, the US Government (USG) and Intelligence Community should disclose them to enable private sector defenses. As detailed in this summary, the arguments for and against zero-day disclosure are valid; however, to safeguard their cyber intelligence operations that inform the US’ policies, military, and other intelligence operations, it’s fair to assume that the USG is going to default to non-disclosure. But focusing the discussion on zero-day vulnerabilities creates a narrow optic that fails to recognize there are other important aspects of malicious actors’ operations that both the US and private sector can more readily disclose to enable defenses.
Zero-day vulnerabilities do play a significant part as a capability in malicious actors’ operations, but it is not the only aspect of their operations and is often only employed against higher value targets. In many instances, malicious actors don’t need to employ zero-days against private sector organizations as they exploit the weakest link in the security chain — the uninformed human (or unwitting insider). To that end, cyber threat intelligence on the other capabilities (tools and malware), infrastructure (IPs and domains), and motivations (targets) of a malicious actor’s operations can do far more to enable an organization’s defenses than knowledge of a single zero-day. If we can’t get the information on the zero-day, then we need to focus on how the actor uses it.
Sharing Intelligence to Bolster Defense and Impact the Adversary
Of course this opens up the sharing/disclosure discussion to organizations outside of the USG and private zero-day vulnerability researchers. All organizations can share intelligence speaking to these actors’ operations, tools, infrastructure, and motivations based on the activity that they encounter on a daily basis. Even though this might not be the big fish zero-day vulnerability, it still enables other organizations to defend against the process by which actors ultimately exploit those vulnerabilities.
In an ideal environment, the USG and private sector organizations would freely share such information so that organizations have the intelligence needed to bolster their defenses against attackers, while still ensuring the continuity and effectiveness of the USG’s own operations. This environment offers two major benefits with respect to the adversary: first, by getting to a point where we understand how the adversary operates, we enable defenses against their activity, (potentially) irrespective of their present or future zero-day arsenal.
Second, one of the overlooked components of advanced persistent threat (APT) operations are the humans that actually carry out the attacks. Whereas most defensive methods and tools focus on blocking or otherwise mitigating the digital assets they employ, organizations often fail to incorporate their human adversaries in their preventive defensive strategies.
Denying the human adversary any degree of success and punishing him for each intrusion attempt, through exposure and information sharing, presents the adversary with a cost/benefit decision point. As more of an APT’s infrastructure, capabilities, and tactics are identified and exposed or shared, the more the humans behind the operations are impacted. As these individuals are bogged down by having to register new domains, procure new infrastructure, recompile malware, or institute new tactics whenever they are exposed, the greater the effect on their psyche. This can lead to a point where an organization can get on their threats’ nerves, impact the humans behind them, hinder their daily efforts, and ultimately become a factor in their cost/benefit analysis.
From Reactive to Proactive
As these zero-day disclosure discussions inevitably continue, we need to bear in mind that the vulnerability alone is not the whole of the operation. Remote malicious actors still have to identify their targets, employ an attack vector to gain access to an organization, use an exploit to take advantage of the zero-day, control the compromised host or move around the network using malware or other tools, and exfiltrate data via command and control infrastructure. By researching, identifying, and sharing intelligence on these steps of actors’ operations, we can become more knowledgeable about the actors themselves; and more readily monitor for, defend against, and publicly disclose their operations. In consistently doing so, we move ourselves from a reactive to a proactive defensive state that may ultimately impact the adversaries themselves.