Zero-Day Threats: Indicators of Compromise & Best Practices in Patch Management

Author: John Farley

Oftentimes these are "zero-day" vulnerabilities, where they are discovered before a patch is available. This elevates cyber risk to exposed organizations since hackers may find out about these opportunities to compromise networks before IT security professionals can remediate them. To make matters worse, cyber threat actors are launching increasingly sophisticated attacks and focused on specific targets buried deep in a supply chain, making them more difficult to detect.

Common indicators of compromise

Organizations often deploy Endpoint Detection and Response ("EDR") tools to continuously monitor for activity that may indicate that an attack is underway. The goal is to quickly respond to the attack early in its lifecycle to mitigate the effects.

Some common Indicators of Compromise include ¹:

• Unusual inbound & outbound network traffic.
• Anomalies in Privileged User Account Activity and other login red flags.
• Geographical irregularities showing activity in countries not normally operated in.
• Mobile device profile and settings changes.
• Unknown applications found in the system.
• Unusual activity from administrator or privileged accounts, including requests for additional permissions.
• Increases in database read volume.
• Abnormally large volume of requests for the same file.
• Mismatched port application traffic.
• Suspicious registry or system file changes.
• Unusual Domain Name Services ("DNS") requests.
• Bundles of compressed data found in the wrong place.
• Significant web traffic indicating unhuman behavior, including multiple login requests.
• Signs of Distributed Denial of Service ("DDoS") activity.

Leveraging cyber insurance

Cyber insurance and other insurance policies may assist organizations that believe cyber threat actors had victimized them. Many stand-alone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators, and other breach response experts. However, those with cyber insurance should be mindful of claim reporting obligations, requirements to utilize insurance panel breach response vendors, evidence preservation, and issues that may impact attorney-client privilege.

The key components of a patch management program

A formal patch management process should be in place to position your organization to defend against what will likely be a continual flow of new vulnerabilities and the attacks that might follow. It should be designed to do the following ²:

• Inventory your systems.
• Assign risk levels to your systems.
• Consolidate software versions (and software itself).
• Keep up with vendor patch announcements.
• Mitigate patch exceptions.
• Test patches before applying everywhere.
• Apply application patches as quickly as possible.
• Automate open source patching.

Navigating the cyber insurance market

As our clients navigate the cyber insurance application process and policy renewal cycle, they should be prepared for questions from underwriters surrounding known vulnerabilities. Applicants should be able to explain whether or not they were impacted by a reported vulnerability and, if so, be able to point to specific action taken to remediate it. In addition, they may be asked to provide clarity on whether or not there was any evidence of Indicators of Compromise prior to remediation. This exchange of information between applicant and underwriter could have very significant impacts on key policy terms and limits offered, exclusionary language imposed and premium rates.