Zero-day is public, exploits are available – and now?
Risk of zero-day
Despite other activities, a zero-day called “Follina” kept security staff in June busy. The Microsoft Support Diagnostic Tool (MSDT) is installed on all Windows Operation systems. Applications like Word or PowerShell can be used to download and run additional code from the internet through the Diagnostic Tool. This is how attackers can gain access and manipulate all accessible data.
With a targeted attack against managers, attackers can gain access to confidential data or, in the case of systems administrators, gain access to systems. While the scenario with the data can lead to unexpected data loss or espionage, the second is used to discover the infrastructure and the installation of footholds. A hidden foothold allows the attacker to remain in the system even after the vulnerability is patched.
What is a zero-day, and why is it so dangerous?
A zero-day is a publicly known vulnerability where no official patch from the supplier is available. Once it is known, how the vulnerability can be exploited, the threat can also have an impact on your company.
There might be mitigation activities to reduce the risk, but the vulnerability remains called “zero-day” until an official patch is released by the supplier. Once the patch is out, it is the customers’ responsibility to deploy the patch in a timely manner. In this stage, it is no longer called a “zero-day”. However, the risk remains the same until all systems are patched.
Benefits of a Security Operation Center (SOC )
The Security Operation Centers (SOC) supports identifying such attack attempts by monitoring events from multiple sources on a single pane of glass. The continuously active monitoring and gathering of publicly available information from researchers of software suppliers allows the SOC to:
- Detect and analysis attack attempts
- Prepare and implement new detection rules
- Review status of threat analytics in Microsoft Sentinel
- Inform the customers about protection, detection, and mitigation steps
- Inform the customers when the patch is finally available
These activities are a continuous process, as an attack with a zero-day can change within hours or even minutes. The SOC-Team sends out relevant information to the customer to keep their management, business, or IT department updated about the vulnerability exposure.
Moreover, the SOC Security Analyst will explain, discuss and propose mitigation with the customer. With this collaboration, it is possible to elaborate on the best solution(s) to protect the customer’s company until a patch is available and deployed.
Sharing is Caring
A SOC has its internal and external sources for fast detection, reaction, and response. As a SOC provides its services for multiple customers, it can compare results and identify attack vectors like emails, public file storage, etc. Furthermore, could it provide information if only one customer or if multiple customers are under attack. This could provide additional indicators for targeted groups of companies or people.
How does our SOC work
The baseVISION SOC uses latest Microsoft cloud technologies to detect, react, analyze attacks. The activities are processed in your Azure cloud infrastructure. Depending on the agreements, our SOC Analyst can even isolate devices, enforce a new authentication or block standard users.
Interested in the baseVISION SOC?
We invite you to our regularly SOC Tour in Olten. Get to know the SOC activities in action and meet the team behind the SOC. Do not hesitate to contact us.
Visit our SOC in Olten