Investigating zero-day vulnerabilities and exploits is becoming impractical

Unfortunately, zero-day vulnerability exploits are increasingly common. According to Mandiant’s analysis, attackers exploited 55 zero-days in 2022, and the MOVEit Transfer vulnerabilities have been making headlines since May 2023 for continuing to affect hundreds of large companies. According to Edgescan’s vulnerability statistics report, the MTTR for critical severity vulnerabilities is about TWO MONTHS! With zero-day incident rates rising and MTTR failing to keep pace, the value of investigation efficiency has never been higher. 

We recently covered how to Investigate MOVEit Transfer vulnerabilities and exploits efficiently. We have since received many questions about how to be prepared when the next zero-day is reported. 

Using the MOVEit Transfer vulnerabilities as an example, we saw how the investigation had a painful amount of manual work. Its CISA advisory had 40+ file hashes for LEMURLOOT webshell and 60+ malicious IPs. Security teams are already stretched thin and find it extremely difficult to scale to truly and fully investigate zero-days.

From the moment the exploit is publicly known, the team needs to:

  1. Check whether they are vulnerable, and if so, 
  2. Take temporary emergency measures to prevent/block until the vendor has a patch,
  3. Review past data to determine whether the vulnerability was already exploited in their environment, and if so, 
  4. Complete IR, cleanup, notification, etc., and 
  5. Patch when the vendor releases one.

When not using solutions like Query’s open federated search, the investigation requires pivoting into multiple tools, running hundreds of queries, combing through individual file and process information, looking through network logs, EDR telemetry, asset inventory, server logs, database data, etc. Moving/duplicating that data into SIEM was not just cost-prohibitive but also impractical/not possible.

Automation could help, but ultimately humans are needed

Security automation continues to get over-promised by vendors but is only partially successful. Why is that?

The  investigation of zero-day vulnerabilities involves following a custom set of steps. The TTPs of zero-day exploits are very specific and previously unknown. The starting point is typically an external document – like a CISA advisory or a CVE document – and sometimes an individual researcher’s blog/Reddit/Twitter post while the zero-day discovery is still unfolding. 

As for why investigating early is important, a Palo Alto Networks report found that 80% of studied exploits were made public before their related CVEs had even been published. Although a structured STIX XML could ultimately follow via your threat intel feeds integrated into your SIEM, SIEM has limited data visibility (as we saw with the MOVEit Transfer exploit’s investigation). Even your SOAR can’t automate the investigation upfront – these are unknown unknowns and you can only automate what you know. 

By nature, detection tools are reactive, as well. Your EDR and NDR vendors update their detections after a notification and trigger only from that time forward. As we saw, once the MOVEit Transfer exploit was disclosed, analysts had to manually look back from May 2023 onwards because detection tools would not have triggered.

Conclusion: a human needs to review and act as early as possible.

Maybe ChatGPT can automate cybersecurity someday, but that remains a pipe dream. (For some fun with exploring ChatGPT, see Can ChatGPT help query my cybersecurity events data?).

Like it or not, you have to empower humans, i.e. your analyst team, with the right set of tools to get the required visibility to investigate in an efficient and effective manner. Query does just this.

Use open federated search to proactively create an effective and efficient IR process

Query’s open federated search solution empowers analysts. It is a single search bar for all systems across dates past and present. It normalizes and correlates information across sources (using OCSF), and provides visual and navigable graphs of how entities of interest are interacting, e.g. graphing what device a file was observed on, which IPs that device interacted with, whether any alerts were generated, which user used that device, what is the business role of that user, etc. 

Without federated search, performing these tasks manually over multiple command shells, console tabs, and a notepad, is not only time-consuming, it is extremely complex and only possible by a few senior ninja analysts and hunters. Most CISOs find it difficult to hire and retain the ninja analysts because of the talent shortage and extreme burnout with manual investigations.

Unlike SIEM, using federated search doesn’t require moving/copying data, so it is easier to hook-up and be able to search in minutes, even retroactively. All you need are the API keys/credentials and federated search can be integrated into your SOC up front, making it quickly and easily available to your analysts as a key component of their arsenal. 

Open federated search is a small fraction of the costs of centralizing data into your SIEM and wasting precious human capital on any manual investigating drudgery.

Query is federated search for security. Find out more.