The Unknown Threats
According to data from Google Project Zero, the number of in-the-wild zero-days appears to have trended upward since 2014-07-15, when they began tracking them. As expected, the largest share of these zero-days belongs to vendors like Microsoft, Apple, Google, and Adobe, which are the most targeted because of the wide installed base of their products.
As always, when relying on a single data source, there may be errors, or further data that the source missed or excluded.
| Year | Discovered | Unknown Patched | Total Patched |
|---|---|---|---|
| Unknown | 177 | | |
| 2014 | 11 | 11 | |
| 2015 | 16 | 13 | 28 |
| 2016 | 13 | 11 | 25 |
| 2017 | 2 | 20 | 22 |
| 2018 | 5 | 7 | 12 |
| 2019 | 5 | 15 | 20 |
| 2020 | 28 | 8 | 25 |
| 2021 | 23 | 36 | 69 |
| 2022 | 11 | 28 | 40 |
| 2023 | 17 | 28 | 44 |
To summarize the above table, the only real outlier was the 11 vulnerabilities that carried over from 2020 to 2021, with 10 of those 11 being discovered in November or December. The one remaining vulnerability, CVE-2020-11261, was discovered in late July, involved an issue affecting Android devices with Qualcomm chipsets, and was subsequently patched on 2021-01-04.
How do you defend yourself from something you don't know is coming?
Some of the best things you can do to defend yourself include:
- Having a robust and documented vulnerability and patch management process for rapid remediation when the fix for a zero-day is released
- Implementing/Expanding on detection capabilities - logs are there for a reason, be sure to use them
- Limiting permissions for user accounts to the bare minimum required to do their job
- Minimizing your attack surface through standardization
- Continually improving asset visibility to simplify the other aspects of this strategy
To bring this back to a relevant incident that most have likely heard of, MOVEit: what could a company have done to limit its impact from something like the MOVEit zero-day, which affected thousands of businesses across every sector?
Limit retention timeframes and institute purging policies, automated where possible, to ensure the policies you have on paper are actually carried out. Keep in mind the type of data you are transferring via this tool. There is likely no need for data to be available past 1-2 weeks in a tool like this, with even shorter timeframes for sensitive data. Limit it as tightly as you can, and if the person you are sharing the data with does not retrieve it within that timeframe, share it again and let them know the retention and purging policies.
Many of the PHI/PII spills attributed to MOVEit likely could have been minimized with these two simple changes.
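Retention enforcement as an added example (not from the original post, and not MOVEit's own tooling): a Python script that purges files from a transfer directory once they exceed their tier's retention window, with a shorter window for a `sensitive` folder, and a dry-run mode so the policy on paper can be checked against what would actually be deleted. The tier names, day limits and directory layout are assumptions.

```python
import time
from pathlib import Path

# Retention tiers (assumed for illustration): a file's tier is the name of the
# top-level folder it sits in under the transfer root; anything else is "default".
# Values are the maximum age in days. Sensitive data gets the shortest window.
RETENTION_DAYS = {"sensitive": 3, "default": 14}


def tier_for(path: Path, root: Path) -> str:
    """Map a file to a retention tier by its top-level folder under root."""
    rel = path.relative_to(root)
    top = rel.parts[0] if len(rel.parts) > 1 else ""
    return top if top in RETENTION_DAYS else "default"


def expired_files(root, now=None):
    """Return (path, age_days, limit_days) for every file past its tier's limit."""
    root = Path(root)
    now = time.time() if now is None else now
    found = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        limit = RETENTION_DAYS[tier_for(path, root)]
        age_days = (now - path.stat().st_mtime) / 86400
        if age_days > limit:
            found.append((path, age_days, limit))
    return found


def purge_expired(root, now=None, dry_run=True):
    """Delete expired files (or only report them when dry_run is set) and return
    the list of paths acted on, so each run can be logged and audited."""
    acted = []
    for path, age_days, limit in expired_files(root, now):
        action = "WOULD DELETE" if dry_run else "DELETE"
        print(f"{action} {path} age={age_days:.1f}d limit={limit}d")
        if not dry_run:
            path.unlink()
        acted.append(str(path))
    return acted
```

Run it with `dry_run=True` from a scheduler first and review the report; only switch to `dry_run=False` once the reported set matches the written policy.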
Closing Remarks
As always, cybersecurity continues evolving, so keep analyzing and improving your TTPs, because we know the bad guys are.