There's one cloud security threat that remains relevant to organizations year over year; it is as ancient as the practice of cybersecurity itself.
It's the Zero-Day threat; today's 🧵 will dig into 0-days & how better detection & response models can be implemented for them!
What is a Zero-Day Attack?
A zero-day vulnerability is a flaw in software or hardware that the vendor doesn't know about (or knows about but hasn't patched); a zero-day attack exploits that flaw before a fix exists. The name comes from how many days the vendor has had to address it when exploitation starts: zero.
Next, some stats about zero-days:
a. 40% of the zero-days seen in the last decade occurred in 2021 alone; the rate is rising sharply ⬆️
b. In Q4 2021, 66% of malware incidents involved 0-days
c. 50% of 2022's zero-days were variants of previously known vulnerabilities that weren't fully fixed
0-days will remain a threat as long as compute technology, particularly in the cloud, keeps changing at breakneck speed. So organizations can't rely on prevention alone; they need detection and response frameworks grounded in risk analysis!
How should companies approach detection?
Traditional threat-intelligence-based detection (signatures, IoCs) is ineffective against a 0-day by its very nature: there's no indicator yet for something nobody has seen.
a. Orgs should adopt risk-based vulnerability detection that evaluates each vuln for exploitability (is the vulnerable code actually loaded and reachable? is a public exploit available?), not just CVSS severity. For more, read our prev 🧵
twitter.com/deepfence/status/1605603619956412419
Detection of zero-days (cont)...
b. Orgs should introduce anomaly detection in the cloud. Anomaly detection compares behavior against the environment's baseline (normal processes, network destinations, traffic volumes per workload) to spot potential threat actor activity, with no signature for the specific exploit required.
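What (b) looks like in practice, as an added example (not Deepfence's code): learn, per workload, which processes talk to which destinations and how much, then flag anything outside that baseline with a reason. The event schema and every event below are constructed for illustration.

```python
"""Baseline anomaly detection over workload telemetry.

Added example; not Deepfence's code. The event schema (workload, proc, dst,
bytes) and every event below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning window: what the "api" workload normally does.
BASELINE_EVENTS = [
    {"workload": "api", "proc": "node", "dst": "10.0.2.15:5432", "bytes": 4200},
    {"workload": "api", "proc": "node", "dst": "10.0.2.15:5432", "bytes": 3900},
    {"workload": "api", "proc": "node", "dst": "10.0.2.20:6379", "bytes": 800},
    {"workload": "api", "proc": "node", "dst": "10.0.2.15:5432", "bytes": 4500},
    {"workload": "api", "proc": "node", "dst": "10.0.2.20:6379", "bytes": 750},
    {"workload": "api", "proc": "node", "dst": "10.0.2.15:5432", "bytes": 4100},
]

# Constructed detection window: normal traffic plus two post-exploitation events
# (a shell calling out to a new IP, then a bulk pull from the database).
OBSERVED_EVENTS = [
    {"workload": "api", "proc": "node", "dst": "10.0.2.15:5432", "bytes": 4300},
    {"workload": "api", "proc": "sh", "dst": "203.0.113.7:4444", "bytes": 120},
    {"workload": "api", "proc": "node", "dst": "10.0.2.15:5432", "bytes": 190000},
    {"workload": "api", "proc": "node", "dst": "10.0.2.20:6379", "bytes": 790},
]


def build_baseline(events):
    """Per workload: the (proc, dst) pairs seen, plus mean/stddev of bytes per dst."""
    pairs = defaultdict(set)
    volumes = defaultdict(list)
    for e in events:
        pairs[e["workload"]].add((e["proc"], e["dst"]))
        volumes[(e["workload"], e["dst"])].append(e["bytes"])
    stats = {k: (mean(v), pstdev(v)) for k, v in volumes.items()}
    return {"pairs": dict(pairs), "stats": stats}


def score_event(baseline, e, z_threshold=3.0):
    """Return the reasons an event deviates from baseline (empty list = normal)."""
    reasons = []
    w = e["workload"]
    known = baseline["pairs"].get(w, set())
    if e["proc"] not in {p for p, _ in known}:
        reasons.append(f"new process {e['proc']!r} on workload {w}")
    if e["dst"] not in {d for _, d in known}:
        reasons.append(f"new destination {e['dst']} for workload {w}")
    stat = baseline["stats"].get((w, e["dst"]))
    if stat:
        mu, sigma = stat
        # sigma == 0 means the baseline only ever saw one value for this dst;
        # any change is then a deviation, so avoid dividing by zero.
        if sigma == 0:
            z = 0.0 if e["bytes"] == mu else float("inf")
        else:
            z = abs(e["bytes"] - mu) / sigma
        if z > z_threshold:
            reasons.append(f"byte volume {e['bytes']} is {z:.0f} sigma from baseline mean {mu:.0f}")
    return reasons


def detect(baseline, events, z_threshold=3.0):
    """Return (index, event, reasons) for every anomalous event in the window."""
    hits = []
    for i, e in enumerate(events):
        reasons = score_event(baseline, e, z_threshold)
        if reasons:
            hits.append((i, e, reasons))
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for i, e, reasons in detect(base, OBSERVED_EVENTS):
        print(f"event {i}: {e['proc']} -> {e['dst']}")
        for r in reasons:
            print("   ", r)
```

The baseline is the weak point: if it's learned while an attacker is already inside, their activity becomes "normal". Learn it from a known-good deployment and re-validate it after every release, since a legitimate new dependency or endpoint looks exactly like the new-process / new-destination hits above.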
Detection of zero-days (cont)...
c. Map the attack chains & MITRE ATT&CK TTPs threat actors use to exploit vulns, and build attack graphs from runtime information about the app & its network traffic. This gives a holistic picture of threat actor activity against a specific vuln.
Detection of 0-days (cont)
This approach lets orgs ID the attack paths with the greatest impact in their environment and prioritize remediation resources accordingly, a more proactive posture.
It also makes threat actor movement easier to spot in the event of a 0-day.
Remediation & Response of Zero-Days
Armed with this information, orgs can write proactive security policy that takes blocking action at the host or network level based on observed threat actor activity (TTPs), not just known-bad indicators from threat intelligence!
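An added example (not Deepfence's code) of a policy that acts on a TTP chain rather than an IoC: events tagged with MITRE ATT&CK technique IDs are grouped per host, and a host is quarantined only when a full exploit → execution → discovery → lateral-movement chain shows up inside one time window; a partial chain only raises a watch. The chain definition, the event schema, the containment steps and all sample events are assumptions made for the example.

```python
"""TTP-chain response policy: quarantine a host on an observed behaviour chain,
not on an IoC match.

Added example; not Deepfence's code. Technique IDs are MITRE ATT&CK IDs; the
chain definition, the event schema and all sample events are constructed.
"""
from collections import defaultdict

# One stage per phase of a public-facing-service compromise; each stage is
# satisfied by any of its techniques. This chain is an assumption for the
# example, not a published playbook.
CHAIN = [
    ("initial_access", {"T1190"}),                          # Exploit Public-Facing Application
    ("execution", {"T1059", "T1059.004"}),                  # Command and Scripting Interpreter / Unix Shell
    ("discovery", {"T1082", "T1016", "T1046"}),             # System Info / Network Config / Network Service Discovery
    ("lateral_or_exfil", {"T1021", "T1021.004", "T1041"}),  # Remote Services / SSH / Exfiltration Over C2 Channel
]
WINDOW_SECONDS = 600  # every stage must fall inside one window of this length
STAGE_OF = {tid: name for name, techs in CHAIN for tid in techs}

SAMPLE_EVENTS = [  # constructed
    {"ts": 1000, "host": "web-1", "technique": "T1190", "detail": "crafted POST to /upload"},
    {"ts": 1005, "host": "web-1", "technique": "T1059.004", "detail": "nginx worker spawned /bin/sh"},
    {"ts": 1030, "host": "web-1", "technique": "T1046", "detail": "port sweep of 10.0.2.0/24"},
    {"ts": 1200, "host": "web-1", "technique": "T1021.004", "detail": "ssh session to 10.0.2.40"},
    {"ts": 1010, "host": "web-2", "technique": "T1059", "detail": "cron ran /usr/bin/python3"},
    {"ts": 1100, "host": "web-2", "technique": "T1082", "detail": "uname -a"},
]


def stages_in_window(events, window=WINDOW_SECONDS):
    """Slide a window over one host's chain-relevant events and return the largest
    set of stages any single window covers, mapped to the first event that hit
    each stage. Order is deliberately not enforced: telemetry sources lag and
    stages can surface out of sequence."""
    evs = sorted((e for e in events if e["technique"] in STAGE_OF), key=lambda e: e["ts"])
    best = {}
    for i, start in enumerate(evs):
        hit = {}
        for e in evs[i:]:
            if e["ts"] - start["ts"] > window:
                break
            hit.setdefault(STAGE_OF[e["technique"]], e)
        if len(hit) > len(best):
            best = hit
    return best


def decide(events, window=WINDOW_SECONDS):
    """Return {host: action}: 'quarantine' when the full chain is present,
    'watch' when at least two stages are, otherwise 'none'."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    actions = {}
    for host, evs in per_host.items():
        n = len(stages_in_window(evs, window))
        actions[host] = "quarantine" if n == len(CHAIN) else "watch" if n >= 2 else "none"
    return actions


def quarantine_policy(host):
    """Host-level containment as data a policy engine could apply.
    The step names are illustrative assumptions."""
    return {
        "host": host,
        "network": ["deny all egress except the logging collector",
                    "deny east-west traffic except from the IR jump host"],
        "host_actions": ["snapshot disk and memory before any cleanup",
                         "kill the suspect process tree"],
    }


if __name__ == "__main__":
    for host, action in decide(SAMPLE_EVENTS).items():
        print(host, action)
        if action == "quarantine":
            print("  ", quarantine_policy(host))
```

None of the individual events is a known-bad indicator (a shell, a port sweep and an ssh session are all things admins do); it's the combination on one host inside one window that triggers containment. The window is the tuning knob: too short and a slow, patient attacker never completes a chain; too long and unrelated admin activity gets stitched together.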
Remediation & Response of Zero-Days (Cont)...
Orgs can remediate vulnerabilities in order of exploitability & impact on the environment. That means fixing the choke points first: the hosts that sit on the most attack paths and have access to other critical systems and data!
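The exploitability-based prioritization from (a) and the attack-path and choke-point idea from the detection section, as one added example (not Deepfence's code): enumerate paths from the internet to a critical asset through hosts that have an exploitable finding, then rank findings by how many of those paths they enable, and compare that with the CVSS-only ordering. The topology, the findings, the exploitability signals and the VULN-n labels are constructed placeholders, not real advisories.

```python
"""Attack-path enumeration and choke-point ranking over a small asset graph.

Added example; not Deepfence's code. The topology, the vulnerability records and
the exploitability signals are constructed; VULN-n labels are placeholders, not
real advisory IDs.
"""

# Directed reachability: a host can open a connection to each listed neighbour.
# "internet" is the attacker's starting point; "bastion" is reachable only over VPN.
EDGES = {
    "internet": ["lb"],
    "lb": ["web-1", "web-2"],
    "web-1": ["api"],
    "web-2": ["api"],
    "api": ["db", "cache"],
    "cache": [],
    "db": [],
    "bastion": ["db"],
}
# Assets whose compromise is the impact we care about. Assumption for the model:
# reaching one from a compromised neighbour counts as impact even without a
# finding on the asset itself, because the neighbour holds its credentials.
CRITICAL = {"db"}

# Constructed findings. 'cvss' is base severity; 'loaded' (vulnerable component
# actually loaded at runtime) and 'exploit_public' are exploitability signals.
VULNS = [
    {"id": "VULN-1", "host": "lb", "cvss": 9.8, "loaded": True, "exploit_public": True},
    {"id": "VULN-2", "host": "web-1", "cvss": 7.5, "loaded": True, "exploit_public": False},
    {"id": "VULN-3", "host": "web-2", "cvss": 7.5, "loaded": True, "exploit_public": False},
    {"id": "VULN-4", "host": "api", "cvss": 6.5, "loaded": True, "exploit_public": True},
    {"id": "VULN-5", "host": "bastion", "cvss": 9.9, "loaded": True, "exploit_public": True},
    {"id": "VULN-6", "host": "cache", "cvss": 9.1, "loaded": True, "exploit_public": True},
]


def exploitable_hosts(vulns):
    """A host is a usable hop only if a vulnerable component is actually loaded."""
    return {v["host"] for v in vulns if v["loaded"]}


def attack_paths(edges, start, targets, exploitable):
    """DFS from `start`; every intermediate hop must be an exploitable host, and a
    path ends as soon as it reaches a critical target."""
    paths = []

    def walk(node, path):
        for nxt in edges.get(node, []):
            if nxt in path:
                continue  # no cycles
            if nxt in targets:
                paths.append(path + [nxt])
            elif nxt in exploitable:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def choke_points(paths):
    """Hosts every attack path passes through (start and target excluded)."""
    if not paths:
        return set()
    return set.intersection(*(set(p[1:-1]) for p in paths))


def rank_by_risk(vulns, paths):
    """Order findings by how many attack paths they enable, then by whether a
    public exploit exists, then by CVSS. Returns [(id, paths_on), ...]."""
    def paths_on(v):
        return sum(1 for p in paths if v["host"] in p[1:-1])
    ranked = sorted(vulns, key=lambda v: (-paths_on(v), -int(v["exploit_public"]), -v["cvss"]))
    return [(v["id"], paths_on(v)) for v in ranked]


def rank_by_severity(vulns):
    """The CVSS-only ordering the thread argues against."""
    return [v["id"] for v in sorted(vulns, key=lambda v: -v["cvss"])]


if __name__ == "__main__":
    paths = attack_paths(EDGES, "internet", CRITICAL, exploitable_hosts(VULNS))
    print("attack paths:", paths)
    print("choke points:", choke_points(paths))
    print("by risk:     ", rank_by_risk(VULNS, paths))
    print("by severity: ", rank_by_severity(VULNS))
```

On this graph the two highest-CVSS findings (VULN-5 on the VPN-only bastion, VULN-6 on the dead-end cache) sit on zero attack paths, while the 6.5 on `api` is a choke point on every path to the database. That gap between the two orderings is the whole argument for exploitability-based prioritization.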
Remediation & Response of Zero-Days (Cont)...
If a 0-day has already been exploited in the environment, the detection methods above let companies respond faster: quarantine the affected machine and prevent lateral spread of malware and the like within the environment.
While Zero-Day Attacks will never be eliminated completely, we can implement better approaches to risk, detection & response in the ☁️ by adopting some of the methods mentioned in the 🧵 ⬆️!
If you like this content - like/retweet this 🧵 & give us a follow @deepfence.
Want to take the @deepfence platform for a spin? Schedule a quick call with our head of product and solutions @ryancsmith2222 and he'll give you a personal tour before handing over the keys.
go.deepfence.io/15-minute-demo