How to Deal with 0-Days?


We all know 0-days are very challenging, and due to the complexity of systems and applications, it is not easy to discover and deal with them. Performing pen-tests, using Windows Defender ATP, and adopting a defense-in-depth strategy are some techniques to have a proactive defense against 0-days. I open this discussion to see if you encourage any direct 0-days, how you dealt with it, and what your best practices are.

2 Replies

First, let's define the term "zero-day" based on industry experts.
"A zero-day vulnerability is a software security flaw that is known to the software vendor but doesn't have a patch in place to fix the flaw" - Norton
"A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). ... An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack." - Wikipedia
"A zero-day vulnerability, at its core, is a flaw. It is an unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves NO opportunity for detection ... at first." - FireEye
"The term “zero-day” actually refers to the number of days the software vendor has been aware of the vulnerability or its exploit" - Digital Guardian

Therefore, a zero-day by its definition cannot be prevented 100% of the time. The best practice is to assume that you have already been hacked. This is a very important paradigm shift to accept. If you think you have not been hacked, you are not going to be hunting for signs of intrusion. If you assume breach, then you will always be hunting for it.
Every organization then needs to balance its cybersecurity risks with the costs. Does it make sense to spend more money on 60 separate cybersecurity solutions if that total cost exceeds the value of the asset you are trying to protect? Sadly, the average medium to large size organization does just that: they often spend money on "best of breed" security solutions that do not integrate, which ironically leads to a more vulnerable organization when it comes to zero-day attacks.
Full disclosure, I am biased towards how Microsoft solves this problem because I own and operate a Microsoft Cybersecurity consulting company, so my approach towards a zero day is going to sound a bit like a Microsoft commercial. I want to say that there are lots of excellent alternatives in the marketplace, but the reason I choose to partner with Microsoft is because I personally believe that a consolidated solution is better than managing 60 separate best of breed solutions.
Microsoft Defender Advanced Threat Protection (MDATP) is an extended detection and response (XDR) solution, that combines protection for endpoints (Microsoft Defender ATP), email and productivity tools (Office 365 ATP), identity (Azure ATP), and cloud applications (Microsoft Cloud App Security/MCAS). As customers face attacks across endpoints, cloud, applications and identities, Microsoft's XDR looks across these domains to understand the entire chain of events, identifies affected assets, like users, endpoints, mailboxes, and applications, and auto-heals them back to a safe state. So while the initial execution of the zero day may go unnoticed, the next step in the kill chain should get picked up by the XDR platform.
In my opinion, Microsoft's use of virtualization technologies can greatly mitigate zero-day risk. For example, Office 365 Safe Documents (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-docs?view=o365-worl...) and Application Guard (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-gua...) help to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.
Ultimately, it comes down to how much risk you can accept, how valuable the asset is you are protecting, your budget, and following laws including mandatory notification. Fortunately, you don't have to reinvent the wheel. You can leverage risk frameworks like the NIST Cybersecurity Framework to get started. (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)
The NIST cybersecurity framework is a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks.
The other question you raised is "if you encourage any direct 0-days." I assume you are asking if it is recommended to detonate known threats in controlled labs to determine if the defensive controls are effective. Yes - do that often.
If you like my response, please mark it as the best answer =)
-Joe

@Joe Stocker thank you for your valuable inputs; actually, this is more a discussion than a question, and I shared it to have a discussion in this forum and see what people think.