It’s no happy day for enterprises when cyber thugs celebrate their favorite ‘holidays’—special days when they attack with even more cunning and fervor. Learn these days and get ready to respond to related exploitations.
- Software Support Retirement / End of Support Day. This is the date when support ends for any OS or software package. Unsupported software leaves enterprises open to attack. Because the vendor will no longer make general releases of security patches, each new hole attackers uncover will remain vulnerable.
To prepare for this day and defend the enterprise against such attacks, investigate the availability of extended support offered by the vendor at a premium. Weigh that cost against an investment in deploying the latest software product or version that replaces the older product. Either of these avenues is going to cost you.
If neither option will fit your budget, consider a refresh roadmap that includes well-supported open-source software for applications where the reward outweighs the risk. This software can be more affordable to update.
- Zero-Day. This is the date of discovery of any new vulnerability where attackers unleash an exploit for it that same day. Until a patch arrives, the software remains flawed and open to attack. Zero-Day vulnerabilities last for very long periods. “Zero-day attacks last between 19 days and 30 months, with a median of eight months and an average of approximately 10 months,” according to “Before We Knew It. An Empirical Study of Zero-Day Attacks in the Real World”, Symantec Research Labs, 2012.
Since Zero-Days can live so long without patches, patching is a non-starter in those instances where no patch is available. To defend the enterprise in those instances, be ready to discover and remediate attacks quickly and thoroughly. Companies that offer threat intelligence data points about potential indicators of compromise can arm network defenders with advanced warnings, says Margee Abrams, director of security solutions, Neustar. You should baseline, harden, and image endpoint devices so that you can immediately reimage them where anomalies appear outside that baseline, adds Abrams.
- Patch Tuesday / Ida Pro Wednesday. By the day after Patch Tuesday, attackers have routinely reverse engineered those Microsoft patches using a tool called Ida Pro and then released exploits that penetrate the patches, says Jayson Street, Infosec Ranger, Pwnie Express.
To prepare for and defend against Ida Pro Wednesday, enterprises should use ample, layered attack mitigations such as network firewalls, IPS, and network segmentation as buffers until the organization can roll new patches for the reverse engineered patches, Street explains.
- Data Dump Day. This is any day when attackers release stolen data online on anonymous text sharing or bulletin board sites such as Pastebin or 4chan. Dumps can include employee information, customer information such as credit card numbers and PII, intellectual property and trade secrets, and much more, says Demetrios Lazarikos, CISO, vArmour. If your enterprise is the target on Data Dump Day, you or your customers could suffer further attacks, financial losses, and / or embarrassment, which in the case of the enterprise could cause brand damage.
To prepare for these surprises, improve your awareness of data in these dumps. Engage qualified threat research teams that monitor the Internet underground for cyber-criminal activities that may heighten just before a dump occurs, says Lazarikos. When dumps do happen, an incident response plan should be in place to enable the organization to research its environment, coordinating internal and external threat research efforts to gauge the damage as it happens and find the source of the attack using forensics tools and experts, says Lazarikos. Use these resources, law enforcement, and remediation technologies and techniques that should already be in place to bring the event to a speedy close.
“Before We Knew It. An Empirical Study of Zero-Day Attacks in the Real World”, Symantec Research Labs, 2012
- Quarterly Earnings Day. Attacks occur on public companies just before a big quarterly earnings release, combined with shadow shorting of the company’s stock in order to make money based on the ensuing mayhem, says Michael Argast, director, security solutions, TELUS. “Shorting is basically selling a stock without owning it, with the plan to buy the stock later on when the price drops. By creating a crisis, the attackers can manipulate the stock price downwards and profit when the price goes back up,” explains Argast.
To defend against this cyber thug celebration, make sure the security team is on high alert and recognizes that this is a critical time for the business, says Argast. Realize that the criminals don’t necessarily need to use a technological attack vector to create havoc here. “They can also use fake press releases to create false, foreboding news about the company. Monitor social and financial networks for information that may be inaccurate and be ready to respond quickly,” says Argast.
- Black Friday / Cyber Monday. Heavy shopping on these dates means more exposed credit cards and consumer information, driving attackers to take advantage at these times.
Retail security expert Demetrios Lazarikos, CISO, vArmour cites these areas of preparation for preventing the attackers from seeing the most profit on these dates. Use data center / IT and security solutions that are non-intrusive and transparent to stakeholders so that the organization can continually see what is going on inside its systems despite its constant embrace with emerging technologies, according to Lazarikos. “Embed IT solutions that align with digital transformation and evaluate these technologies even during the holiday shopping season. This is the best time to evaluate new systems since this is when the most traffic will visit your environment and when cyber criminals are most active,” says Lazarikos.
- Tax Day. “I’ve seen an increase in phishing/spear phishing attacks on the business around Tax Day (April 15th),” says Lazarikos. The emails typical of these attacks assume the authority of the IRS in requesting that the recipient visit the ‘IRS’ website link enclosed or open the ‘IRS’ file. The file or link contains requests for updated personally identifiable information or PII, which the attackers will exploit.
During tax time, says Lazarikos, remember that the IRS never sends such emails. They will only make contact through the US mail. “If you are a business owner, employee, or executive who received this, email the IRS about it at phishing@irs.gov,” says Lazarikos. Certainly never open it or follow its instructions. Keep and share clear, highly-visible, company-wide policies about this.
The broader calendar
If you’ve been around, you probably know that attacks ebb and flow. If this seems to happen with your organization around particular dates or events, add them to the list to make yourself especially resilient at these times.