It’s time to get proactive about zero-day vulnerabilities

Leveraging AI to turn the tables on bad actors.

As we look back at the first half of 2022, a total of 18 zero-day vulnerabilities were exploited in the wild. These are security weaknesses in computer software which have no currently available fix or patch, giving vendors ‘zero days’ to act and respond.

Asian businesses are not immune to the reputational and financial damages of these attacks. Last year, Singapore’s telecom giant Singtel fell victim to a zero-day attack which stemmed from security bugs in the Accellion legacy file-transfer platform, resulting in a personal information data breach of an estimated 129,000 users.

Estimated to be worth up to US$1 million on darknet marketplaces, these exploits are wielded by attackers looking to wreak havoc on a large scale, which explains why advanced, often state-sponsored or state-aligned threat actors are pouring investment into developing and exploiting them. For proof of the return on investment, look no further than the Kaseya ransomware campaign in 2021, when a zero-day vulnerability in the Kaseya VSA remote management service enabled the REvil gang to infect up to 1,500 businesses with a single blow.

A number of this year’s zero-days were reported to be variants of previously patched bugs, underscoring how easy it has become for attackers to tweak existing tools and quickly circumvent threat intelligence. The security world needs to rethink its approach to combating these attacks and reconfirm what we already know about cybercriminals: Where there’s a will, there’s a way. Being purely reactive about these exploits is simply not enough.

Detecting zero-days before they hit the headlines

In March 2020, a remote code execution (RCE) vulnerability was identified in Zoho’s ManageEngine software. The China-linked threat group APT41 was reported to be exploiting the vulnerability in a global-scale campaign.

Two weeks before these attacks were publicly attributed to APT41, a number of organisations leveraging AI security technology had already detected and remediated the highly targeted attack — well before any associated signatures had become available.

AI was able to detect the subtle indicators of compromise (IoCs) based not on public information, but on its understanding of what ‘normal’ business activity looked like for the organisations being targeted. By piecing together a series of anomalous activities, it was able to detect the never-before-seen threat and generate reports that human analysts were able to act on in a matter of minutes.

This is an example of good security in practice. Without public IoCs or any open-source intelligence available, targeted attacks like these must be actioned in their very earliest stages but are incredibly difficult for traditional security tools to detect. The ‘rearview mirror’ approach to security will not account for, or protect against, any new and undisclosed IoCs — security technology must get there first.

That’s where AI excels at fighting unknown threats: It builds an evolving understanding of what’s normal in order to identify what’s not. When a zero-day is exploited, AI detects deviations from a device’s normal behaviour and can respond autonomously without the need for rules and signatures. This should be the goal of any defensive system — detecting and mitigating an attack in the earliest possible stages, before a bridgehead can be established, before other opportunities for exploitation can be identified, and before data is put at risk.
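As an added illustration of the baseline-then-deviation idea described above (example code written for this page, not from the original article or any vendor product): it learns what is normal for a hypothetical file-transfer server from constructed telemetry along three dimensions, then raises an alert only once several distinct kinds of deviation chain together on the same host, so a single benign oddity does not fire.

```python
from collections import defaultdict

# Constructed sample telemetry for a hypothetical file-transfer server "fs-01".
# Field order: (host, parent_process, process, dst_host, dst_port)
BASELINE_WEEK = [
    ("fs-01", "systemd", "java", "db-01", 5432),
    ("fs-01", "systemd", "java", "ldap-01", 636),
    ("fs-01", "cron", "backup.sh", "backup-01", 22),
] * 50  # the same handful of patterns repeated over the learning period

LIVE_EVENTS = [
    ("fs-01", "systemd", "java", "db-01", 5432),      # normal
    ("fs-01", "java", "sh", "db-01", 5432),           # web service spawning a shell: never seen
    ("fs-01", "sh", "curl", "203.0.113.7", 443),      # new process, new external host, new port
    ("fs-01", "cron", "backup.sh", "backup-01", 22),  # normal
]

def learn_baseline(events):
    """Build per-host sets describing 'normal' process lineage, destinations and ports."""
    profile = defaultdict(lambda: {"lineage": set(), "dst": set(), "port": set()})
    for host, parent, proc, dst, port in events:
        p = profile[host]
        p["lineage"].add((parent, proc))
        p["dst"].add(dst)
        p["port"].add(port)
    return profile

def anomalies_for(profile, event):
    """Return the dimensions along which one event deviates from its host's baseline."""
    host, parent, proc, dst, port = event
    p = profile[host]  # an unknown host gets an empty profile, so everything is anomalous
    found = []
    if (parent, proc) not in p["lineage"]:
        found.append("new-process-lineage")
    if dst not in p["dst"]:
        found.append("new-destination")
    if port not in p["port"]:
        found.append("new-port")
    return found

def detect(profile, events, min_kinds=2):
    """Accumulate anomaly kinds per host; alert once a host has deviated in >= min_kinds ways."""
    seen = defaultdict(set)
    alerts = []
    for ev in events:
        kinds = anomalies_for(profile, ev)
        seen[ev[0]].update(kinds)
        if kinds and len(seen[ev[0]]) >= min_kinds:
            alerts.append((ev[0], sorted(seen[ev[0]])))
    return alerts
```

Running `detect(learn_baseline(BASELINE_WEEK), LIVE_EVENTS)` yields one alert for fs-01 carrying all three deviation kinds; a real system would also age the baseline over time rather than learn it once.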

Turning the tables on attackers

But the fight against zero-days doesn’t end at detection and response. After a vulnerability is published, security teams battle against time and resourcing constraints to identify and restore affected assets and apply the appropriate patches, all the while trying to protect their other assets without a sure idea of what the next attack will look like. It’s not possible or optimal for humans to do this alone.

AI is now taking on this proactive role by not only detecting and responding to these attacks, but continuously testing vulnerable pathways and attack surface assets in the background, and then feeding that information into existing defences. AI can now predict the attacks and protect at-risk assets before they are put in harm’s way, reducing the difficulty of remediation efforts. When the next zero-day comes around, this industry shift towards proactive, always-on AI technology promises to give defenders a fighting chance.

Take the case of a data breach like the one Singtel suffered. It’s possible that AI could have identified Singtel’s file-transfer platform as a vulnerable attack path and recommended measures to harden defences, preventing the loss of any personal information. With AI continuously identifying and hardening vulnerabilities inside the company and externally on the attack surface, attackers undertaking reconnaissance would find it increasingly difficult to launch and spread their attacks, expending finite resources to find weaknesses. Most likely, they would simply move on to another target.

This pre-emptive, preventative security approach forms a new frontier for fighting zero-day attacks, allowing security teams leveraging AI to harden defences and win the fight against attackers before the next new vulnerability is even discovered.