An automated response to endless zero-days

There’s an even larger treasure trove of potential vulnerabilities hidden from view that defenders haven’t even begun to take into consideration as part of their security strategy

An automated response to endless zero-days - CIO&Leader

The number of vulnerabilities available to cybercriminals continues to accelerate. But according to one recent report, of the over 100,000 vulnerabilities published to the CVE list, less than 6% were actually exploited in the wild. The challenge is that predicting which vulnerability will be targeted next, and which exploit will be used, requires advanced strategies, such as leveraging telemetry data to perform predictive analysis, that many organizations do not have in place.

As threats become more sophisticated, the challenges facing security personnel become more formidable. Take, for example, the findings of the FortiGuard Labs Threat Landscape Report from the third quarter of 2018. The FortiGuard Labs team detected close to 34,000 new malware variants - a 43% increase from the second quarter and a 129% increase over the first quarter of 2018. Zero-day attacks are becoming a more regular occurrence, and 75% of the unknown malware detected by FortiGuard Labs was not found on the VirusTotal tool - which aggregates information from 50 different antivirus vendors. As the number of exploits and vulnerabilities continues to grow, processing that burgeoning library against live traffic is becoming a burden for many of today's security solutions.

Even more concerning, the accelerating growth of known vulnerabilities and exploits is just the beginning of the problem. There’s an even larger treasure trove of potential vulnerabilities hidden from view that defenders haven’t even begun to take into consideration as part of their security strategy. Countless vulnerabilities exist inside software and hardware, particularly in the area of IoT, waiting to be discovered and exploited by cybercriminals.

Fortunately, cybercriminals have not yet figured out how to extract those zero-day vulnerabilities from existing software except in the most rudimentary ways. But that is about to change. As malicious actors begin to incorporate AI and machine learning (ML) into their exploit models, zero-day vulnerabilities and exploits will explode, and the threat landscape will be completely transformed. Attack campaigns targeting multiple zero-day vulnerabilities will be able to spin up at any instant, and cybercriminals will begin integrating more and more zero-day exploits into attack kits.

Artificial Intelligence Fuzzing (AIF) has traditionally been a sophisticated technique used in lab environments by professional threat researchers to discover vulnerabilities in hardware and software interfaces and applications. Cybercriminals will begin to leverage machine learning to develop automated fuzzing programs to accelerate the process of discovering zero-day vulnerabilities, which will lead to an increase in zero-day attacks targeting different programs and platforms.

Once AIF is in place, it can be pointed at code within a controlled environment to mine for zero-day exploits. This will significantly accelerate the rate at which zero-day exploits are developed. Once this process becomes streamlined, zero-day mining-as-a-service will become enabled, creating customized attacks for individual targets.

Historically, the price of zero-day exploits has been quite high, primarily because of the time, effort, and skill required to uncover them. But as AI technology is applied over time, such exploits will shift from being extremely rare to becoming a commodity. We have already witnessed the commoditization of more traditional exploits, such as ransomware and botnets, and the results have pushed many traditional security solutions to their limits. The acceleration in the number and variety of available vulnerabilities and exploits, including the ability to quickly produce zero-day exploits and provide them as a service, will also impact the types and costs of services available on the dark web.

An Automated Response

The implications of such powerful and sophisticated attacks may feel overwhelming, but organizations are not helpless. Automation is available to both sides, and organizations can use automation and AI to anticipate and mitigate these advanced threats. As the number of evasive techniques multiplies and the time windows for prevention, detection, and remediation continue to shrink, an automated response is essential. Organizations require a security platform in which traditionally discrete security elements can communicate with each other in real time. AI-powered communication and collaboration will enable the discovery of even the most advanced threats, dynamically deliver a proactive response to suspicious behaviour, and even begin to anticipate attacks.

However, today's security environments, too often comprised of isolated security devices and poor security hygiene, will not be able to keep up. They will instead expose organizations to greater risk because they do not provide adequate visibility or controls. Today's organizations require an integrated security solution that not only spans the entire distributed network environment, but also provides deep integration between each security element to automatically collect, correlate, and respond to threats in a coordinated fashion.

This is a vital first step toward addressing today’s evolving threat environment and lays the fundamental foundation to protect against the threats of tomorrow. It enables actionable threat intelligence to be shared at speed and scale, shrinks the necessary windows of detection, is able to trace and intervene against attack workflows that move between network ecosystems, and provides the automated remediation required for today’s multi-vector exploits.

The traditional process of identifying a threat and then developing a counter-defense, or even attempting to anticipate and neutralize new attack strategies, is becoming obsolete. Defenders need to approach this problem from an entirely new direction. One possible approach is to make changes to people, processes, and technologies that impact the economic model of the attacker.

1. Deploy Deception

One economic model used by cyberattackers depends on reducing the risk of discovery. Since the time between breach and exploit continues to shorten, one strategy with real potential is simply to slow down attacks. Deception strategies can generate dozens of enticing false targets combined with tripwires that force attackers to slow down, allowing attackers and malware to be quickly identified and removed.

2. Refine Threat Intelligence

Building new attacks is expensive. Instead, cybercriminals maximize their investment in an attack by making minor changes to their malware. Even something as basic as changing an IP address can enable malware to evade detection by many traditional security tools. The continued success of known exploits is testament to the effectiveness of this strategy.

The better threat intelligence becomes at identifying entire attack families, the more difficult it becomes for cybercriminals to simply adjust their existing attack tools and strategies to evade detection.
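To make the point above concrete, here is an added example (not from the article and not Fortinet code) that contrasts an atomic indicator match against a family-level behavioural signature over constructed HTTP beacon events; the IP addresses, URI pattern, user-agent string and beacon period are all hypothetical, illustrative values.

```python
"""Indicator-based vs attack-family detection over constructed sample events.

Added example, not from the article. The 'beacon family' signature and the
events are constructed for illustration; they are not real indicators.
"""
import re
from dataclasses import dataclass


@dataclass
class HttpEvent:
    src_host: str
    dst_ip: str
    uri: str
    user_agent: str
    interval_s: float  # seconds since the previous request to the same dst


# Atomic indicator: one IP copied from a hypothetical threat feed (TEST-NET-3).
IOC_IPS = {"203.0.113.10"}

# Family-level signature (hypothetical): how the malware behaves, not where it calls.
BEACON_URI = re.compile(r"^/[a-z]{6,10}\.php$")
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
BEACON_PERIOD_S, BEACON_JITTER = 60.0, 0.2  # 60 s period, 20% tolerance


def ioc_match(ev):
    """True only if the destination is on the indicator list; a new IP evades it."""
    return ev.dst_ip in IOC_IPS


def family_match(ev):
    """True when the request behaves like the family, whatever IP it talks to."""
    periodic = abs(ev.interval_s - BEACON_PERIOD_S) <= BEACON_PERIOD_S * BEACON_JITTER
    return bool(BEACON_URI.match(ev.uri) and ev.user_agent == BEACON_UA and periodic)


def classify(events):
    """Return {src_host: {"ioc": bool, "family": bool}} aggregated per host."""
    out = {}
    for ev in events:
        h = out.setdefault(ev.src_host, {"ioc": False, "family": False})
        h["ioc"] |= ioc_match(ev)
        h["family"] |= family_match(ev)
    return out


SAMPLE_EVENTS = [  # constructed sample traffic
    HttpEvent("ws-01", "203.0.113.10", "/update.php", BEACON_UA, 61.0),    # original C2 address
    HttpEvent("ws-02", "198.51.100.7", "/gateway.php", BEACON_UA, 58.5),   # same family, IP changed
    HttpEvent("ws-03", "198.51.100.7", "/index.html", "curl/8.4.0", 0.3),  # benign request
]

if __name__ == "__main__":
    for host, result in classify(SAMPLE_EVENTS).items():
        print(host, result)
```

Host ws-02 is missed by the indicator match once the operator moves to a new address, but the family signature still fires because the URI shape, user-agent and beacon cadence are unchanged.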

3. Take a Proactive Approach

The final approach is to engineer as much risk as possible out of your current network by moving from implicit trust to a zero trust model. This includes implementing multi-factor authentication, deploying network access control, and adopting automated, intent-based segmentation and micro-segmentation. It begins by integrating traditionally isolated security devices into a single, integrated architecture. Tools that can actively correlate threat intelligence and respond as a single, integrated system are much more effective at combating even the most advanced threats.

Getting out of the trap of security brinksmanship requires organizations to rethink their security strategies. Rather than reacting to each new attack, organizations need to target the economic motivations of cybercriminals by anticipating their attacks and thereby forcing them back to the drawing board. This starts with a cohesive security fabric that can gather and share threat intelligence, perform logistical and behavioral analysis, and tie information back into a system to pre-empt criminal intent.

The author is Regional Vice President, India & SAARC, Fortinet
