Skip to main content

      The rise of zero-day attacks is no news and proper detecting and responding capabilities are crucial for the readiness of your Security Operations Center (SOC). To put things into perspective: 2023 saw 97 zero-days being exploited in the wild, with 36 vulnerabilities targeted in security software and devices. This amounts to 37.1 percent of vulnerabilities, which is a high increase compared to 2019, when only 11.8 percent of vulnerabilities fell into this category.1 Security software and devices are a valuable target for attackers because they are often placed on the edge of networks. Hence, exploiting them offers threat actors an opportunity to gain an initial foothold in organizations. 

      A recent and very popular example is CVE-2024-3400 2, the PAN-OS Command Injection Vulnerability in Palo Alto Global Protect, which allowed unauthenticated threat actors to establish remote code execution with root privileges. This particular vulnerability could allow for the downloading of a bash script onto the firewall’s operating system. If successfully exploited, the commands of the script could execute with root privileges and attempt to deactivate and eliminate any existing security services on the compromised system. Once a device is effectively exploited, threat actors have the ability to install malware, which potentially can propagate to other devices that the compromised host has access to. Depending on how well segregated the network is, the threat actor can then move freely and spread the malware further. The question is, therefore, how quickly the security team is able to pick up on such malicious activity in your environment.

      The most likely answer: too late. 

      Traditional security monitoring setups, usually consisting of a Security Operating Center (SOC) utilizing a SIEM and EDR solutions, will probably be unable to catch these zero-day exploits. Such setups lack the right information, context, or use cases to detect them. SOCs must adapt and enhance their capabilities to ensure that they are ready for the forever evolving threat landscape, and are prepared to face unknown threats and detect them in a timely manner. Using an EDR or AV and a SIEM with log-based use cases has proven to be insufficient, as this approach is heavily based on previously seen attacks and may also leave gaps in the visibility of your environment. Fortunately, there is a clear tip-off pattern: threat actors need to perform reconnaissance and lateral movement techniques to move their way through the network towards the crown jewels. 

      What other options do you, subsequently, have to start your journey towards discovering unknown threats in your environment and getting your SOC zero-day ready?

      Step 1: Ensure your asset management procedures are properly defined and properly followed

      Protection starts first of all with visibility and knowing what you have in your environment – you cannot protect your environment if your assets are not all within sight and you are unaware of what you need to protect. Start with ensuring that you have an up-to-date asset inventory, and that, accordingly, the visibility of your work environment is up to par. With this implemented, aim to minimize existing vulnerabilities. Achieve this by proactively deploying available patches and ensuring that all software and systems are updated regularly to their most recent versions. Then convey this information to your IT provider and SOC provider, who now have a clear understanding of what the scope of monitoring is, because you have provided them with context and the visibility of your environment. They are now able to collect the logs from all the hosts and appliances, and to deploy an EDR solution.

      Are you safe once this is done? Short answer: no. You might be safe from existing vulnerabilities, but the threat actors are fast and the zero-days are always around the corner. Your SOC provider might have more in sight now, but the threat actors have learned how to remain unnoticed by an EDR. Moreover, all the collected logs are usually overwhelming if not processed correctly. 

      Step 2: Do not let logs overwhelm you – leverage them to get a better, more simplified image of what is happening in your environment

      Various SIEM solutions use correlation rules powered by AI capabilities, which combine information from multiple log sources such as the WAF, IDS, IPS or EDR solutions you have in place, and deliver more contextualized alerts. In this way, you will not have to go through hundreds of alerts to find the one corresponding to the threat actor moving in your environment.

      Step 3: Monitor for behavior

      As mentioned before, most of the attacks, including the zero-days, have a pattern in their actions, which is an advantage for the defensive side. You can start building use cases to monitor for these patterns, but an easier, or complimentary solution, is using a Network Detection and Response (NDR) solution. An NDR will monitor your traffic for these specific behaviors and will let you know when something suspicious appears in your environment. Hence, by deploying it, you will be able to detect threat actors within your network at an early stage, before they are able to reach your crown jewels. 

      Step 4: Once you get your network detection solution in place, consolidate all these monitoring components, and finally, gain the necessary full visibility of your environment

      Combine all the information gathered from your EDR, NDR, and logs and leverage the power of AI and ML to obtain more insightful and accurate detections. By making sure that you receive high-quality and well-tuned alerts in your SIEM solution and ensuring that they have the correct priority, you will be able to discover the unknown in a timely manner. 

      Step 5: Get your SOC ready to act

      The ‘assume breach approach’ is a widely adopted practice in the cybersecurity industry. It involves moving the SOC towards a proactive stance to improve the detection of and response to potential threats. To implement this approach successfully, it is essential to have a well-defined procedure for SOC analysts, clear governance, and the right people, processes, and technology in place. Additionally, it is also important to offer your SOC the tools to orchestrate the correct response and to leverage the power of automation. As a result, they will ensure your environment remains safe and threats are isolated at an early stage. 

      Despite that catching zero-day exploits before they cause any damage will always remain a challenge, it is possible to protect your organization's assets effectively with the right combination of governance, people, process, and technology. Having a proactive SOC, a proper visibility of your environment and a sound response plan will help you in staying ahead of cyberthreats when safeguarding your crown jewels. 

      Discover more

      SAP S/4HANA: the moment is there to elevate security and controls to a higher level​
      Read more

      Explore modern software engineering, focusing on supply chain security and licensing
      Read more

      Contact us

      Kim van Assendelft
      Kim van Assendelft

      Manager Data Privacy

      KPMG in the Netherlands

      Henrik Smit
      Henrik Smit

      Director CyberOps

      KPMG in the Netherlands

      Koos Wolters
      Koos Wolters

      Head of Cyber Security

      KPMG in the Netherlands

      What does it really mean to work at KPMG?

      Get inspired by stories, videos, and blogs from colleagues

      Read more
      Lachende vrouw met telefoon