
Zero-day attacks: Addressing the Equation Group vulnerabilities

Zero-day exploits for network routers and firewalls were released by the Shadow Brokers. Expert Kevin Beaver offers steps for enterprises to address zero-day attacks.

Earlier this year, numerous zero-day exploits for network routers and firewalls were claimed to have been stolen from the National Security Agency-linked Equation Group by a faction called the Shadow Brokers. This code affects common network security vendors such as Cisco, Fortinet, Juniper and WatchGuard, among others. Enterprises have a lot to lose here if these zero-day exploits are used against them in the wild, especially when the outcome is an attacker gaining access to perimeter devices and then, presumably, the internal network.

What's an enterprise to do? Some of these zero-day attacks are many years old, so are they still a serious matter? How should network security administrators plan to prioritize these zero days? Finally, how should admins prepare for a future dump of zero-day flaws, which the Shadow Brokers have promised? These are all questions that enterprise security teams must consider if the risks are to be minimized. Here are some basic steps to address zero-day attacks that could potentially affect your organization.

Assess the risk

First off, rushing to find an immediate "fix" is likely unwarranted. Typical security assessments -- vulnerability scanning and penetration testing -- may provide the details that you need in order to determine which systems are susceptible to the zero-day attacks. Your enterprise's vulnerability scanner reports may provide this information, but manual analysis may be needed in certain situations. You might even consider performing configuration analyses on your systems using tools such as AlgoSec Firewall Analyzer or Tufin to provide more context around the situation and assess actual vulnerabilities, rather than just assuming that everything is exploitable. Depending on your product version and configuration, an exploit may not affect you.

Perhaps the smartest thing to do is to contact your vendors directly to see which of your systems may be vulnerable to these specific exploits. In the case of the Equation Group exploits, the affected vendors have released several security advisories with details of the product vulnerabilities and information regarding patches and mitigation methods. Organizations need to stay on top of these security advisories and be ready to contact the vendors if there are any questions.

Analyze the affected systems

As with any patch, you need to understand any specific risks associated with the patch application process as well as the patch itself. Again, analyze your enterprise's unique situation. Just because you have systems that are vulnerable to these exploits does not mean that they are vulnerable in the context of your specific network environment. If you find that your systems are vulnerable and at risk, apply the patches when it's reasonable to do so. If your systems may be vulnerable but there is evidence that the risk does not exist in your current setup, document these findings and obtain management and/or auditor approval. If the current situation does not allow for patching, that's probably OK. Make sure that if and when these specific systems are repurposed and, therefore, have their positioning and context in your network changed, they are updated appropriately at that time.
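The two sections above describe a triage decision: match each perimeter device against the affected version ranges in the vendor advisories, then check whether the device's configuration actually exposes the vulnerable feature before deciding to patch, schedule or document and accept. The script below is an added example of that logic and is not code from the article or from any vendor; every vendor name, product, version range, advisory ID and device record in it is a constructed placeholder, not real advisory data.

```python
"""Advisory triage for perimeter devices (added example, constructed data only)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict


def parse_version(v: str) -> tuple:
    """Turn '5.2.11' into (5, 2, 11) so versions compare numerically.

    A plain string comparison would rank '12.10' below '12.4'; non-digit
    suffixes such as '5.2.11a' are ignored for the comparison.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Advisory:
    advisory_id: str                 # placeholder id, not a real advisory
    vendor: str
    product: str
    affected_min: str                # inclusive lower bound of affected versions
    fixed_in: str                    # exclusive: versions >= fixed_in carry the fix
    required_feature: Optional[str]  # feature that must be enabled for the flaw to be reachable


@dataclass
class Device:
    hostname: str
    vendor: str
    product: str
    version: str
    enabled_features: List[str]
    mgmt_internet_exposed: bool      # management plane reachable from the internet


def version_in_range(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version < hi under numeric comparison."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def classify(device: Device, advisories: List[Advisory]) -> Tuple[str, List[str]]:
    """Return (disposition, advisory ids) for one device.

    patch_now           vulnerable, feature enabled, management exposed
    patch_scheduled     vulnerable, feature enabled, not exposed
    document_and_accept vulnerable version, but the required feature is off
    not_affected        no advisory matches vendor/product/version
    """
    matches = [a for a in advisories
               if a.vendor == device.vendor and a.product == device.product
               and version_in_range(device.version, a.affected_min, a.fixed_in)]
    if not matches:
        return "not_affected", []
    reachable = [a for a in matches
                 if a.required_feature is None
                 or a.required_feature in device.enabled_features]
    if not reachable:
        # Vulnerable code is present but not reachable in this configuration:
        # record the finding and the justification rather than rushing a patch.
        return "document_and_accept", [a.advisory_id for a in matches]
    ids = [a.advisory_id for a in reachable]
    return ("patch_now" if device.mgmt_internet_exposed else "patch_scheduled"), ids


def triage(devices: List[Device], advisories: List[Advisory]) -> Dict[str, Tuple[str, List[str]]]:
    """Map hostname -> (disposition, advisory ids) for the whole inventory."""
    return {d.hostname: classify(d, advisories) for d in devices}


PRIORITY = {"patch_now": 0, "patch_scheduled": 1, "document_and_accept": 2, "not_affected": 3}


def prioritized(devices: List[Device], advisories: List[Advisory]) -> List[str]:
    """Hostnames ordered by how urgently they need attention."""
    report = triage(devices, advisories)
    return sorted(report, key=lambda h: PRIORITY[report[h][0]])


# Constructed sample advisories and inventory (placeholders, not real products).
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "ExampleVendor", "EdgeFW", "5.0.0", "5.2.12", "snmp_ro"),
    Advisory("EXAMPLE-ADV-0002", "ExampleVendor", "EdgeFW", "6.0.0", "6.1.3", None),
    Advisory("EXAMPLE-ADV-0003", "OtherVendor", "CoreRouter", "12.0", "12.4", "web_admin"),
]
SAMPLE_DEVICES = [
    Device("fw-dmz-01", "ExampleVendor", "EdgeFW", "5.2.11", ["snmp_ro", "vpn"], True),
    Device("fw-lab-02", "ExampleVendor", "EdgeFW", "5.2.3", ["vpn"], False),
    Device("fw-hq-03", "ExampleVendor", "EdgeFW", "5.2.12", ["snmp_ro"], True),
    Device("rtr-branch-04", "OtherVendor", "CoreRouter", "12.2", ["web_admin"], False),
    Device("rtr-core-05", "OtherVendor", "CoreRouter", "12.10", ["web_admin"], False),
]

if __name__ == "__main__":
    report = triage(SAMPLE_DEVICES, SAMPLE_ADVISORIES)
    for host in prioritized(SAMPLE_DEVICES, SAMPLE_ADVISORIES):
        disposition, ids = report[host]
        print(f"{host:14} {disposition:20} {', '.join(ids) or '-'}")
```

The `document_and_accept` branch is the part most teams skip: it is where the finding, the configuration evidence that the flaw is unreachable, and the management or auditor sign-off get recorded, and it is the list to revisit whenever one of those devices is repurposed or its features change.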

Prepare for more attacks

The final step is to consider future zero-day attacks. If your security testing and vulnerability management programs are solid (i.e., zero days are being adequately addressed), then keep doing what you're doing. Otherwise, take the necessary steps to build out your technologies and processes in order to achieve the visibility and control required for your network security systems. Either way, make sure to subscribe to vendor security alerts and, to be doubly safe, alerts from organizations such as the National Institute of Standards and Technology and the U.S. Computer Emergency Readiness Team.

With so little information available on most zero-day attacks, there is a tendency to assume that preventing these attacks is so complicated that it's not worth spending the effort. It doesn't have to be that way, and it should not be the case for these particular zero days. The general rule of thumb for running an effective security operation applies here: know what you've got, understand how it's at risk and take the appropriate steps to minimize those risks. These information security basics, however simplistic they may seem, can buy a ton of assurance that all is well -- within reason -- in your network environment. It's only when you lose track of these core elements through day-to-day distractions that zero-day attacks tend to rear their ugly heads.


This was last published in December 2016
