A zero-day, meaning a vulnerability not yet known to the vendor, or the exploit written for it, does not by itself make an attack. It is one element among many in an attack chain, and there is much more we can do to increase the odds that attacks are defeated.
I recently participated in The Cipher Brief’s Cyber Advisory Board discussion on zero-day vulnerabilities and the extent to which, if any, the U.S. government and Intelligence Community should quietly disclose them to enable private sector defenses. As detailed in this summary, the arguments for and against zero-day disclosure are valid; however, to safeguard U.S. cyber intelligence collection efforts that inform U.S. policies, military operations, and other intelligence operations, it’s fair to assume that the U.S. government is going to default to nondisclosure. However, focusing the discussion on zero-day vulnerabilities narrows the view and fails to recognize that there are other important aspects of malicious cyber operations that both the U.S. government and the private sector can more readily disclose to enable defenses.
Zero-day vulnerabilities do play a significant part as a capability in malicious cyber operations, but they are not the only aspect of those operations, and such tools are often only leveraged against higher-value targets. In many instances, malicious actors don’t need to employ zero-days against the private sector, as they can simply exploit the weakest link in the security chain: the uninformed human, commonly referred to as an unwitting insider.
Therefore, sharing cyber threat intelligence – such as known tools and malware, IP addresses and domain names, and the motivations behind the malicious actors’ target selection – can do far more to enable an organization’s defenses than knowledge of a single zero-day. If organizations can’t obtain the information on the zero-day itself, they need to focus on how the actor will use it.
Sharing Intelligence to Bolster Defense and Impact the Adversary
This opens up the discussion on vulnerability disclosure to organizations outside of government and private zero-day vulnerability researchers. All organizations can share intelligence on the tools, infrastructure, and motivations they encounter daily. Even though this might not be the “big fish” zero-day vulnerability, it still enables other organizations to defend against the process by which actors might ultimately exploit those vulnerabilities.
In an ideal environment, the government and private sector organizations would freely share such information so that organizations have the intelligence needed to bolster their defenses against attackers while ensuring the continuity and effectiveness of the intelligence community’s own operations. This environment offers two major benefits with respect to the adversary. First, by getting to a point where we understand how the adversary operates, we enable defenses against its activity, potentially even irrespective of its present or future zero-day arsenal.
Second, one of the overlooked components of advanced persistent threat (APT) operations, commonly thought to be the work of state or state-sponsored groups, is the humans who actually carry out the attacks. Whereas most defensive methods and tools focus on blocking or otherwise mitigating the digital assets those humans employ, organizations often fail to incorporate their human adversaries into their preventive defensive strategies.
Denying the human adversary any degree of success and punishing them for each intrusion attempt, through exposure and information sharing, raises the risks to the adversary and alters their cost-benefit analysis. The more information on a specific APT’s infrastructure, capabilities, and tactics is identified and shared, the more the humans behind the operations are affected. Each exposure forces these individuals to register new domains, procure new infrastructure, recompile malware, or adopt new tactics. Sustained over time, this can reach a point where an organization has a psychological impact on the humans behind the APT operations, hinders their daily efforts, and ultimately shifts their cost-benefit analysis.
From Reactive to Proactive
As these zero-day disclosure discussions inevitably continue, we need to bear in mind that the vulnerability alone is not the whole of the operation. Malicious cyber actors still have to identify their targets, employ an attack vector to gain access to an organization, use an exploit to take advantage of the zero-day vulnerability, control the compromised host or move around their network using malware or other tools, and eventually extract data using established command and control infrastructure. By researching, identifying, and sharing intelligence on these steps malicious actors must take, we can become more knowledgeable about the actors themselves and more readily monitor for, defend against, and publicly disclose their operations. In consistently doing so, we move ourselves from a reactive to a proactive defensive state that will ultimately affect the adversaries themselves.
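The two points above, that shared intelligence on tools, infrastructure and malware enables defenses irrespective of the zero-day, and that every stage of an operation other than the exploit itself leaves observable traces, can be shown concretely. The following is an added example, not code from the article or from The Cipher Brief: it matches a small shared-intelligence feed against log lines and maps each hit to the stage of the operation it evidences. Every domain, IP address, payload and log line in it is constructed for illustration and is not real intelligence; the stage names are the ones the article lists.

```python
"""Match a shared threat-intelligence feed against logs and map each hit to
the stage of the intrusion it belongs to. Everything below (indicators,
payload bytes, log lines) is constructed for illustration; none of it is
real intelligence."""
import hashlib
import re
from dataclasses import dataclass

# Stages of an operation, in the order the article lists them. A zero-day
# shows up only at "exploitation"; every other stage leaves artefacts that
# can be detected whether or not the exploit itself is known.
STAGE_ORDER = ["delivery", "exploitation", "command-and-control",
               "lateral-movement", "exfiltration"]

# Constructed "shared intelligence": indicator -> stage at which it is seen.
KNOWN_DOMAINS = {
    "docs-share.example-files.org": "delivery",            # lure host
    "update-check.example-cdn.net": "command-and-control",
}
KNOWN_IPS = {
    "203.0.113.45": "command-and-control",
    "198.51.100.7": "exfiltration",                       # drop server
}
# Stand-in for a shared malware sample: hash constructed bytes so the feed
# entry and the EDR log line below stay consistent.
CONSTRUCTED_PAYLOAD = b"constructed dropper, not a real sample"
PAYLOAD_SHA256 = hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest()
KNOWN_HASHES = {PAYLOAD_SHA256: "exploitation"}

# Constructed DNS, proxy, EDR and firewall log lines for one workstation.
SAMPLE_LOGS = f"""\
2024-05-02T09:14:03Z dns client=10.0.0.21 query=docs-share.example-files.org type=A
2024-05-02T09:14:05Z proxy client=10.0.0.21 method=GET url=http://docs-share.example-files.org/brief.doc status=200
2024-05-02T09:14:40Z edr host=ws21 event=file_create path=C:\\Users\\j\\AppData\\svc.exe sha256={PAYLOAD_SHA256}
2024-05-02T09:15:02Z dns client=10.0.0.21 query=update-check.example-cdn.net type=A
2024-05-02T09:15:03Z fw src=10.0.0.21 dst=203.0.113.45 dport=443 action=allow
2024-05-02T09:20:11Z dns client=10.0.0.22 query=www.example.com type=A
2024-05-02T09:31:55Z fw src=10.0.0.21 dst=198.51.100.7 dport=443 bytes_out=48211033 action=allow
"""

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain", "ip" or "sha256"
    indicator: str
    stage: str


def match_indicators(log_text: str) -> list[Hit]:
    """Return every indicator from the shared feed that appears in the logs."""
    hits: list[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for dom in DOMAIN_RE.findall(line):
            stage = KNOWN_DOMAINS.get(dom.lower())
            if stage:
                hits.append(Hit(line_no, "domain", dom.lower(), stage))
        for ip in IP_RE.findall(line):
            stage = KNOWN_IPS.get(ip)
            if stage:
                hits.append(Hit(line_no, "ip", ip, stage))
        for digest in SHA256_RE.findall(line):
            stage = KNOWN_HASHES.get(digest.lower())
            if stage:
                hits.append(Hit(line_no, "sha256", digest.lower(), stage))
    return hits


def stages_observed(hits: list[Hit]) -> list[str]:
    """Stages of the operation evidenced by the hits, in operational order."""
    seen = {h.stage for h in hits}
    return [s for s in STAGE_ORDER if s in seen]


if __name__ == "__main__":
    found = match_indicators(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.indicator} -> {h.stage}")
    print("stages evidenced:", " -> ".join(stages_observed(found)))
```

Run against the constructed logs, the script flags the lure domain, the dropped file, the C2 domain and address, and the exfiltration destination, without any knowledge of the vulnerability that was exploited in between. The caveat practitioners will recognise from the discussion of adversary cost above: domains, IP addresses and file hashes are the cheapest indicators for the actor to rotate, so a feed of this kind must be refreshed continuously, and it pays to share the actor's tactics and tooling behaviour alongside the raw indicators, since those are far more expensive for the humans behind the operation to change.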