The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.
Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.
Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multilayered approach to online security based on zero trust.
What do these layers look like? Consider the following practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.
Monitor Vulnerability Repositories
Mass vulnerability scanning tools like Nuclei's community-based scanner or Metasploit penetration testing are popular tools for security teams. They are also popular among bad actors who are looking for proof-of-concept exploit code that will help them probe for cracks in the armor. Monitoring these repositories for new templates that may be designed to identify potential exploit targets is an important step to maintain awareness of potential threats and stay a step ahead of the black hats.
Make the Most of Your WAF
Some may point to Web application firewalls (WAFs) as ineffective against zero-day attacks, but they can still play a role in mitigating the threat. In addition to filtering traffic for known attacks, when a new vulnerability is identified, a WAF can be used to quickly implement a "virtual patch," creating a custom rule to prevent a zero-day exploit and give you some breathing room while you work to implement a permanent patch. There are some downsides to this as a long-term solution, potentially affecting performance as rules proliferate to counter new threats. But it's a capability worth having in your defensive arsenal.
Monitor Client Reputation
When analyzing attacks, including zero-day events, it's common to see them using many of the same compromised IPs — from open proxies to poorly protected IoT devices — to deliver their payloads. Having a client reputation defense that blocks suspicious traffic originating from these sources can provide one more layer of defense from zero-day attacks. Maintaining and updating a client reputation database is not a small task, but it can dramatically reduce the risk of an exploit gaining access.
Control Your Traffic Rates
IPs that are hammering you with traffic can be a tip-off to an attack. Filtering out those IPs is another way to reduce your attack surface. While smart attackers may distribute their exploits across many different IPs to avoid detection, rate control can help filter out attacks that don't go to such lengths.
Watch Out For Bots
Attackers use scripts, browser impersonators, and other subterfuges to mimic a real, live person logging in to a website. Implementing some form of automated bot defense that triggers when it detects anomalous request behavior can be extremely valuable in mitigating risk.
Don't Overlook Outbound Activity
A common scenario for attackers attempting remote code execution (RCE) penetration testing is to send a command to the target Web server to perform out-of-band signaling to make an outbound DNS call to a beaconing domain controlled by the attacker. If the server makes the call, bingo — they found a vulnerability. Monitoring outbound traffic from systems that shouldn't be generating that traffic is an often overlooked way to spot a threat. This can also help spot any anomalies that the WAF missed when the request came as incoming traffic.
Sequester Identified Attack Sessions
Zero-day attacks are not usually a "one and done" proposition; you may be targeted repeatedly as part of an active attack session. Having a way to spot these repeat attacks and automatically sequester them not only reduces risk, but it can also provide an auditable log of the attack sessions. This "trap and trace" capability is really useful for forensic analysis.
Contain the Blast Radius
Multilayered defense is about minimizing risk. But you may not be able to completely eliminate the chance that a zero-day exploit can squeak through. In that case, having blocks to contain the threat is critical. Implementing some form of microsegmentation will help prevent lateral movement, disrupting the cyber kill chain, limiting the "blast radius," and mitigating the impact of an attack.
There is no single magic formula for defending against zero-day attacks. But applying a range of defensive strategies and tactics in a coordinated (and, ideally, automated) way can help minimize your threat surface. Covering the bases outlined here can go a long way to strengthening your defenses and help minimize the fire drills that erode team morale.