In 1999, the MITRE Corporation launched the Common Vulnerabilities and Exposures (CVE) list. CVE provides each vulnerability with a unique number. This makes it easier to track vulnerabilities, share information and asses security products. The CVE number begins with the letters CVE, followed by a year and a five-digit number. Researchers, developers or companies that find a vulnerability can request a CVE number for it.
As soon as a vulnerability is published through the CVE list, it becomes a “known threat”. Once a CVE is published, security researchers or vendors using this list almost immediately offer risk mitigation measures. These guidelines include software patches, software settings, detection of suspicious traffic or other preventive measures specific to threats. Although the term “known vulnerability” suggests things are under control, in practice it is still an “unknown threat” until patches are applied and/or all recommended countermeasures are taken to counter the threat. Even if action was taken immediately after the CVE was published, it is not always certain that the vulnerability in the affected environment was not exploited. In many cases, researches noted active misuse of a vulnerability in the weeks or even months prior to the CVE publication.
Stopping unknown threats
Then there’s also the actual “unknown threats”. With these threats, we are completely in the dark when it comes to the number and the impact. For nation-states and organized international criminal organizations, unknown vulnerabilities and effective exploits are a very valuable asset. They can use them for their own purposes or sell the techniques on the dark web. Given the huge number of published CVEs and the potentially devastating consequences of targeted attacks using new and ‘unknown’ threats, it seems only logical that you need an updated cybersecurity strategy. This is many times more effective than individually chasing a relentless stream of bugs, vulnerabilities and exploits.
But how do you stop unknown threats? Many vendors claim to offer prevention, but if you dig deeper into the technology, much of that prevention is based on chasing a known Indicator of Compromise. Consider hashes, domain names or IP addresses that are specific to a published CVE or other vulnerability. AI-based tools that search for so-called behavioral indicators or compromise take a more general approach, but follow the same conceptual approach. They prey on the burglars already in your home, which is why many of these technological marvels do not stop unknown threats.
Another way to counter unknown threats is Zero Trust. The Zero Trust model ensures that all assumptions of trust are challenged with every access attempt. Yet there is also a misunderstanding about Zero Trust. This is especially true of the question of how a Zero Trust approach can prevent abuse of unknown threats. After all, what makes it that the Zero Trust approach is arguably better at stopping unknown threats?
Finding unknown threats
Zero Trust turns the problem on its head. In the arms race with cybercriminals, it makes no sense to keep focusing on the immense and by definition unknown attack surface that grows daily. Instead, Zero Trust places the most valuable applications, data, equipment and services into a manageable number of so-called ‘protect surfaces’ that can be overseen. Per protect surface you can determine very precisely which traffic and which users making use of which equipment and with what authentication have access. By consistently implementing these so-called ‘least privilege policies’ (better known as Kipling policies) with appropriate technology, you practically shut the door on the most common exploitation techniques used by cybercriminals.
In short, better security is all about preventing the unknowns. In a world increasingly driven by fast cloud technologies, it becomes increasingly important to take advantage of the dynamic access controls that allow you to eliminate the unknown threats as well. The Zero Trust concept with its ‘protect surfaces’ divides a monolithic infrastructure of data, applications and devices, into smaller protect surfaces. This allows organizations’ most valuable ‘crown jewels’ to be protected by technology and policies precisely tailored to a more secure environment.
Lieuwe Jan Koning