Forget 0-day vulnerabilities!

In 2002, Donald Rumsfeld made his famous “known-knowns/unknown-unknowns” speech, setting the scene and creating Fear, Uncertainty and Doubt (FUD) in the war on terror. Some cyber security vendors have adopted a similar approach, using 0-day vulnerabilities as their weapon of choice.

 
The unknown-unknowns
Having FUD is not beneficial. It makes you susceptible to buying products and services you don’t need and takes your focus away from doing actual work that improves your security.

Unless you operate in the “three-letter-agency” world, you should not worry about 0-day vulnerabilities. 0-days are the equivalent of the unknown-unknowns. A lot of software is poorly written. Accept it and move on.

Remember that adversaries operate as a business. If you look at things from an adversary’s business-case perspective, 0-day vulnerabilities typically don’t make sense. The reality is, when they execute an exploit, they want to make sure it works. Not only in the lab, but in the target environment! It takes a lot of time and effort to find, test, and mature a 0-day into “weapon-grade”. And once they have deployed their precious 0-day exploit, they risk it being discovered, so they choose their targets very carefully.

Let’s face it, you are probably not important enough to risk a 0-day exploit on 😊

Think of 0-days as a race between the software vendor and the adversary, not you.

Adversaries prefer easier and cheaper methods. Like any other business, they want to achieve their objective at the lowest cost with the highest degree of certainty.

So, forget 0-days. There is something far more dangerous you should focus on – 1-days and forever-days!

 
The known-knowns
1-day vulnerabilities are bugs that are publicly known. As soon as a vendor has released a patch, the clock is ticking. Adversaries can reverse-engineer a patch, and from this patch-diffing process create a weaponized exploit. After Patch Tuesdays comes Malware Wednesdays. Here you face the known-knowns.

It’s a great business case from an adversary perspective, as the software vendor has done all the development and testing. The reverse-engineering doesn’t take that long. For this reason, you should apply critical patches within 48 hours, prioritizing publicly facing systems and those deemed exploitable by your threat modelling.

It’s a race between you and the adversary. And they have a head start.

 
The known-unknowns
Forever-day vulnerabilities are bugs that never get fixed. Software that is “out of support” or “end of life” suffers from this. Sometimes vendors don’t even disclose when new ones are discovered. Here you face the known-unknowns.

Make sure your vulnerability/patch-level metrics and SLAs don’t lull you into sleeping soundly at night when you should be having nightmares. For adversaries targeting industries where obsolete software is prevalent, building a repository of forever-day vulnerabilities is like being a kid in a candy store.

You don’t even get to participate in the race.
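To make the 1-day and forever-day points concrete, here is an added example (not from the original post) that compares a naive “all available patches installed” metric with a view that tracks the 48-hour SLA and reports end-of-life software separately. The inventory, host names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=48)               # the 48-hour window for critical patches
NOW = datetime(2024, 5, 17, 12, 0)      # constructed "current time" for the example

# Constructed inventory (example data): one record per software install.
# patch_released is None when the vendor will never ship a fix (forever-day).
ASSETS = [
    {"host": "web-01",  "public": True,  "eol": False, "patch_released": "2024-05-14 18:00", "patched": "2024-05-15 09:00"},
    {"host": "vpn-01",  "public": True,  "eol": False, "patch_released": "2024-05-14 18:00", "patched": None},
    {"host": "db-01",   "public": False, "eol": False, "patch_released": "2024-05-14 18:00", "patched": None},
    {"host": "mail-01", "public": False, "eol": False, "patch_released": "2024-05-16 20:00", "patched": None},
    {"host": "plc-07",  "public": False, "eol": True,  "patch_released": None,               "patched": None},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M") if s else None

def naive_compliance(assets):
    """Percentage of installs with nothing left to install.
    EOL software has no patch outstanding, so it counts as compliant:
    this is the metric that misleads you."""
    done = sum(1 for a in assets if a["patch_released"] is None or a["patched"])
    return round(100 * done / len(assets))

def classify(asset, now=NOW):
    """Place one install in the race categories used above."""
    if asset["eol"]:
        return "forever-day"            # no race to run: the vendor has left
    if asset["patched"]:
        return "patched"
    overdue = now - _ts(asset["patch_released"]) > SLA
    return "1-day, SLA breached" if overdue else "1-day, within SLA"

def honest_view(assets, now=NOW):
    """Counts per category plus the hosts to patch next,
    publicly facing systems ahead of internal ones."""
    counts, todo = {}, []
    for a in assets:
        c = classify(a, now)
        counts[c] = counts.get(c, 0) + 1
        if c.startswith("1-day"):
            todo.append(a)
    todo.sort(key=lambda a: (not a["public"], a["host"]))
    return counts, [a["host"] for a in todo]

if __name__ == "__main__":
    print("naive compliance:", naive_compliance(ASSETS), "%")   # 40 %, and plc-07 looks fine
    counts, order = honest_view(ASSETS)
    print(counts)                  # forever-day and SLA breaches shown separately
    print("patch order:", order)   # public-facing vpn-01 first
```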

In summary, don’t fall for FUD. Think like a “defensive business”. Focus on the important things and apply your resources where you get the highest return on investment.

You can find more information about Improsec and our services here: Services Overview — Improsec | improving security