
Cyber Crisis Management: Protecting Cyberspace against Zero-Day Attacks


Academic year: 2021



Anouk van Brug

Student number: s2152177
Word count: 20,773

Master’s Thesis

Crisis and Security Management
Supervisor: Mr. Drs. W.J.M. Aerdts
Second Reader: Dr. S.D. Willmetts
EY Supervisor: Drs. M.F. de Jong
Leiden University


“Never let a good crisis go to waste.” Winston Churchill

Cover Image: CBR Online 2017


Table of Contents

1. Introduction 7

1.1 Academic Relevance 8

1.2 Societal Relevance 9

2. Literature review 11

2.1 Cyber Crisis Management 11

2.2 Zero-Day Attacks 15

3. Methodology 21

3.1 Research Design 21

3.2 Comparative Case Study 21

3.3 Operationalization 24

3.4 Semi-structured interviews 25

3.5 Methodological Constraints: Validity and Reliability 27

4. Analysis 29

4.1 Prevention 29

4.1.1 Technical measures 29

4.1.2 Cultural measures 31

4.1.3 Cooperation 35

4.2 Preparation 37

4.2.1 Technical measures 37

4.2.2 Cultural measures 39

4.3 Containment 41

4.3.1 Internal organisation 41

4.3.2 Cooperation 42

4.3.3 Vital services 42

4.3.4 Communication 43

4.4 Recovery 44

4.5 Learning 45

5. Conclusion & Recommendations 47

5.1 Conclusion 47

5.2 Recommendations 50

6. References 55


Abbreviations

AI - Artificial Intelligence

CI - Critical Infrastructures

CIO - Chief Information Officer

CISO - Chief Information Security Officer

CSAN - Cybersecurity Assessment Netherlands 2018

DDoS - Distributed Denial of Service

DNB - De Nederlandsche Bank (the Dutch central bank)

EU - European Union

ENISA - European Union Agency for Network and Information Security

EY - Ernst & Young

FI-ISAC - Financial Information Sharing and Analysis Centre

GDPR - General Data Protection Regulation

GISS - Global Information Security Survey

ICT - Information and Communication Technology

IoT - Internet of Things

ISAC - Information Sharing and Analysis Centre

IT - Information Technology

MNO - Multinational Organisation

MSRC - Microsoft Security Response Center

NCTV - National Coordinator for Security and Counterterrorism

NCSC - National Cyber Security Centre

US - United States of America

RDP - Remote Desktop Protocol

SCADA - Supervisory Control and Data Acquisition

SDLC - Software Development Life Cycle


Acknowledgements

I would like to thank Mr. Drs. Willemijn Aerdts for supporting me and mentoring me through various projects, especially in the process of writing this thesis. I would also like to thank Dr. Simon Willmetts for being the second reader during this process and for helping me set up the interviews. I would like to thank Milan de Jong for giving me the opportunity to write this thesis in combination with an internship at EY and for providing me with a lot of knowledge and valuable feedback.

I would like to thank all the interviewees that have participated and helped me gather the information necessary in order to do this research. Whether they stayed anonymous or have agreed to publish their names or companies they have given me very valuable information without which this research could not have been conducted. Also I would like to thank them for providing company information and trusting me not to disclose its origin.

I would like to thank Giliam de Valk for introducing me to the field of security studies, which has led me to pursue this master's. I would like to thank Nicolas Castellon for organising the Cyber Security Summer School, through which I have become very enthusiastic about the field of cybersecurity, which has led me to this research subject.

I would like to thank my mother for her unlimited support during my academic career and for believing in me even if I didn't. I would like to thank Rutger de Ridder for loving me and helping me get through this process. I would like to thank Manouck Schotvanger for all the times we felt like we would not be able to get to this point, and for all the cappuccinos that have helped us through. I would like to thank the numerous people who have helped me get through my academic career by making amazing memories outside of academia. These are memories I will cherish forever.

Exploring the field of cybersecurity has been very fascinating from the very beginning and I am very determined to continue exploring this field.


Abstract

While companies, governments, and individuals are leaving a bigger digital footprint than ever before, this data is very likely to be targeted by an attack. Various actors use cyber-attacks, including the exploitation of zero-day vulnerabilities, to gain access to this digital information. Several steps can be taken to diminish the impact of cyber-attacks. One of them is the use of Cyber Crisis Management.

Since the concept of Cyber Crisis Management has not yet been researched in depth, a conceptualisation was in order. In this research a cyber crisis is conceptualised as a threat to core values, the safety of people, or the functioning of CIs which has its origin in the IT domain, impacts one or more CI sectors and for which generic crisis management structures do not suffice; Cyber Crisis Management is the handling of such a crisis.

This research looks into the use of Cyber Crisis Management in order to limit the impact of zero-day attacks. Five phases of Cyber Crisis Management are distinguished: prevention, preparation, containment, recovery, and learning. Along these phases, information derived from various elite interviews is used to come to a better understanding of the measures companies should take to reduce the impact of zero-day attacks and become more cyber secure. The research then gives recommendations for measures that should be taken in order to become more cyber resilient.

Keywords: Cyber Crisis Management; Crisis Management; Zero-day Attacks; Zero-day Exploits


1. Introduction

In recent years there has been an increase in the information available through cyberspace. People leave a digital footprint through the use of sites like Google, Facebook, and Amazon. Not only individuals have vulnerable data available online; businesses and governments too keep sensitive data in online systems or in cloud systems that are accessible online. As a result of the growing reliance on online systems, information becomes easier to reach through cyberspace. At the same time, cyber-attacks, cybersecurity incidents and data leaks are growing in sophistication and frequency. Combining the increasing use of the Internet, the growing amount of vulnerable data available online, and the growing risks in cyberspace, more risks are faced in cyberspace than ever before. This forces modern companies to prepare beforehand for the occurrence of a cyber-attack.

Cybersecurity is growing in importance in our lives, especially since the cyber domain cuts through national borders. Cybersecurity threats can emerge from anywhere in cyberspace, which gives cybercriminals the ability to attack worldwide, an ability they are very eager to use. The media report frequently on cyber-attacks. The occurrence of a cyber-attack is no longer a matter of if, but of when (EY 2018a: 5). With this growing cyber threat, companies need to become cyber resilient by knowing how to react, recover, and maintain their cybersecurity in order to protect their services, personal data, and intellectual property (ibid).

This increasing use of cyberspace and information technology poses new risks and vulnerabilities to our society. Whether instigated by malicious actors or by accident, cyber incidents have the potential to cascade and seriously disrupt the provision of essential public services (Boeke 2017: 449). One of the ways to perform a cyber-attack is through the use of zero-day attacks.

Zero-day attacks use zero-day vulnerabilities that software vendors or network operators are not aware of. This makes a zero-day attack a previously unseen attack (Tran et al. 2016: 21). Since attacks of this sort have not occurred before, it is hard to know what to prepare for. Nevertheless, they pose a big risk to governments and businesses. Since zero-day attacks have no known signature, which makes them a big threat to information security, there are multiple efforts to come up with defensive strategies that detect and mitigate the harm they cause (Wierman & Marchette 2004). The ultimate goal is to detect, contain and remove zero-days to prevent future recurrences (Mitropoulos et al. 2006). In order to reach this goal the patterns of handling zero-day attacks need to become more visible. This can be done with the use of Cyber Crisis Management frameworks, which describe the steps that can be taken in the various stages of a cyber crisis. With the use of Cyber Crisis Management the crisis caused by a zero-day attack can be handled adequately, and patterns and behaviour in Cyber Crisis Management during zero-day attacks can be better understood.

Therefore, the goal of this qualitative master thesis is to examine the use of Cyber Crisis Management on zero-day attacks, with the aim to understand how the influence of zero-day attacks can be reduced with the use of Cyber Crisis Management.

The research question is thus as follows: “How can zero-day attacks influence the process of Cyber Crisis Management?”

In order to answer this research question the following sub-questions will be posed:

• What is Cyber Crisis Management?

• How do zero-day attacks differ from other cyber-attacks?

• How has Cyber Crisis Management been used on past zero-day attacks?

• How can companies become more cyber resilient?

By using these sub-questions the concept of Cyber Crisis Management will be better understood, and the use of the concept on zero-day attacks is researched and evaluated with the aim to get a better understanding on the matter. This will lead to recommendations for becoming more cyber resilient.

1.1 Academic relevance

Currently there is a high academic interest in the field of cybersecurity. This interest is triggered by the new challenges that cybersecurity poses, since it goes beyond the way security has been understood for years towards a more transboundary understanding. With this interest in cybersecurity the concept of Cyber Crisis Management has recently been constructed. The concept builds on the field of crisis management, which has been researched extensively over the years, and extends that knowledge with knowledge of IT. However, Cyber Crisis Management is a rather new field in which little research has been done. The studies that have been published on the subject hold a strong crisis management aspect, but an understanding of Cyber Crisis Management as such has not yet been developed much further.

Within the research on cyber threats the field of zero-day attacks is fairly new. Over the past years more and more reports on zero-day exploits have become public. Examples commonly cited in this context are Stuxnet, WannaCry, and NotPetya (Gibney 2016; Greenberg 2017; Greenberg 2018), although WannaCry and NotPetya spread through an exploit for which a patch had already been released when the attacks took place. More recently various other exploits have become public. Since zero-day exploits use weaknesses in an existing system that are unknown to the system managers, preparing for a zero-day attack is rather hard.

While knowledge on Cyber Crisis Management is limited, its combination with zero-day attacks is even newer. In a time in which the impact of these attacks rises, this gap in academic knowledge needs to be filled. By combining theories on Cyber Crisis Management and zero-day attacks with empirical findings on Cyber Crisis Management during zero-day attacks, this thesis aims to provide better knowledge on handling zero-day attacks.

1.2 Societal relevance

Since the Internet came about, the security of cyberspace has been an ongoing debate. Over the past years the dependency of society and the economy on digital resources has only increased. Due to this increasing dependency the potential impact of a cyber-attack has increased dramatically too, and can be enormous. The consequences of attacks and system failures can be large and even disruptive for society as a whole (NCTV 2018).

The scale and seriousness of the digital threat also remain considerably high and continue to evolve (NCTV 2018). There is a continuous digital threat to our security (ibid). Over the years the capabilities of hackers have increased, and therefore society faces bigger cyber threats than before. One of the cyber capabilities that is problematic for society is the zero-day attack. Once a zero-day exploit is used, the impact can be high for society as a whole and for companies in particular, and the flaw in the system needs to be fixed as soon as possible. However, the flaw that a zero-day attack exploits is not only unknown to the developers of the system before the attack; even while it is being exploited it is still unknown and has to be found before it can be fixed. Therefore, it is very hard to prepare for, prevent and fight a zero-day exploit.

This lack of knowledge on zero-day attacks is not only problematic but also potentially dangerous. Since the impact of zero-day attacks is very high, such an understanding is very important for all actors using the Internet in their everyday business. Presenting insights on the concept of Cyber Crisis Management, and on the use of the concept on zero-day attacks, may foster a better way of implementing the different phases of Cyber Crisis Management in order to limit the impact of future zero-day attacks.

This thesis will first discuss the concepts of Cyber Crisis Management and zero-day attacks. Thereafter, the phases in the process of Cyber Crisis Management as described by Kovoor-Misra & Misra (2007) will be used to arrive at a method for measuring Cyber Crisis Management during zero-day attacks. The cases used in order to answer the (sub)questions will also be discussed. Then the case studies will be set out and analysed in order to answer the research question and to come to recommendations on becoming more cyber resilient.


2. Literature review

2.1 Cyber Crisis Management

A crisis is defined as a threat to core values, the safety of people, or the functioning of critical infrastructures (hereafter CI) that has to be urgently addressed under conditions of high uncertainty (Rosenthal et al. 1989; Boin et al. 2005). The handling of such crisis situations is called crisis management. Multiple authors have described the concept of crisis management. The field of crisis management includes actions such as prevention, mitigation and incident response, and institutional learning (Boeke 2018: 450). Coordination is identified as a critical failure factor in crisis management (Boin & Bynander 2015: 123). But crisis management is seen as more than incident response, especially with crises increasingly regarded as processes rather than events (Roux-Dufort, 2007; Pearson & Clair, 2008). Many different conceptual models are available that identify phases in the chain of crisis management. For instance, Kovoor-Misra & Misra (2007) distinguish five phases for effective (cyber) crisis management: prevention, preparation, containment, recovery, and learning.

Every incident or crisis creates a need for information (Coombs & Holladay 2012). This need is both for the people dealing with the crisis inside the company as well as for the outside audiences (ibid). Therefore, incident information disclosure is an essential part of crisis management (Kulikova et al. 2012: 103). When there are no processes in place to ensure timely and consistent communication with stakeholders this can have damaging consequences (ibid). The lack of good communications can contribute to overall confusion in the process of crisis management (Dilenschneider & Hyde 1985).

A lot of research has been done on the subject of crisis management. However, the field of Cyber Crisis Management has not yet been researched to the same extent; only a small number of studies has been published on the matter. In order to come closer to a conceptualisation of Cyber Crisis Management, Boeke (2018) links the concept of crisis management with the concept of a cyber crisis.

There is no international consensus on the definition of a cyber crisis (Boeke 2018). In this thesis the definition used by the Dutch National Coordinator for Security and Counterterrorism (hereafter NCTV) will be used. In the Netherlands a cyber crisis is described as a crisis with its origin in the information technology (hereafter IT) domain, which impacts one or more CI sectors and where generic crisis management structures do not suffice (NCTV 2012: 5). The risk or damage due to abuse, disruption or loss of cyber data can consist of limiting the availability and reliability of the information and communication technology (hereafter ICT), violating the confidentiality of information stored in IT, or damaging the integrity of that information (NCTV 2018). A cyber crisis can involve a real or suspected breach or exploitation of vulnerabilities in the system (ENISA 2016: 7). Such incidents typically include the introduction of malware into a network, Distributed Denial of Service (hereafter DDoS) attacks, unauthorised alteration of software or hardware, and identity theft of individuals or institutions (ibid).

The preparation for such a cybersecurity crisis is described as the sum of measures available to prevent damage caused by disruption, failure or misuse of ICT and to recover should damage occur (NCTV 2018b).

Boin & Lodge (2016: 290) have described two emerging trends in crisis management. First, there has been a rise of new sorts of threats (ibid). And second, the increase in transboundary crises, which revolve around threats that cut through geographic and/or policy boundaries (Ansell et al. 2010; Boin & Lodge 2016). They name cyber threats as an example of a new sort of crisis in which traditional borders may simply have become irrelevant (Boin & Lodge 2016: 290).

Cybersecurity is important for the functioning of highly digitised societies, like the Dutch, and their economies, as well as forming a barrier against digital threats (NCTV 2018b: 5). This is all the more so since the consequences of cyber-attacks and system failures can be severe, and can even disrupt society (ibid). But the importance of cybersecurity goes further than that. Cybersecurity matters to the private, civil, and public sectors alike, since nearly all communication runs through the cyber domain (Castellon 2015: 7). The more advanced a country is, the more digitised it will have become. The member states of the European Union (hereafter EU) are very interconnected as a result of the high number of Internet users (ITU 2013, as cited by Castellon 2015: 7). This high number of interconnected users makes cybersecurity a major concern. Therefore, it is important to have good insight into what cybersecurity is, in order to be able to act upon cyber-attacks.

This is especially true in the light of the Internet of Things (hereafter IoT), where ever more devices are connected and the amount of data available in cyberspace keeps growing. This data needs to be protected from cyber-attacks. In order to be able to act upon cyber-attacks it is important to see security as a multidisciplinary field. The increasing threats in the cyber domain transcend disciplinary boundaries and call for a multidisciplinary analysis of cybersecurity.


Cyber Crisis Management involves the public, private and civil sectors, which act on an equal level, since in market economies the overwhelming part of national CI is operated by the private sector (Boeke 2018: 451). In general, private companies are expected to ensure their own cybersecurity, but states cannot offload their own responsibility as the principal security provider against top-level threats, especially if these emanate from nation states (ibid). Besides their important role in cyber defence, private companies can also play a crucial role in incident response. In times of crisis, IT companies like FireEye or Fox-IT can frequently leverage more cyber expertise, and more rapidly, than the public sector of a small country can muster (Stone & Riley 2013). The logical exponent of these public-private partnerships is a governance approach that consists of networks of various public and private organisations (Boeke 2018: 451).

While the academic research on the concept of Cyber Crisis Management is limited, the concept has been researched by businesses like Deloitte (2016) to a further extent. An effective process of Cyber Crisis Management requires preparation (ibid). To prepare effectively for a cyber incident the entire crisis management cycle of readiness, response, and recovery should be addressed (Deloitte 2016: 2). To be ready, a team must be poised to deal with all aspects of an incident or crisis (ibid). For the response, management must be prepared to communicate, as needed, across all media, including social media, in ways that assure stakeholders that the organisation's response is equal to the situation (ibid). To return to normal operations and limit the damage done to the organisation and its stakeholders after an incident or crisis, recovery is in order. Such a recovery includes assessments of the incident or crisis and the lessons learned (Deloitte 2016: 3).

There are several models for measuring the way crisis management is conducted. Elsubbaugh, Fildes, & Rose (2004) describe a model that defines five phases of crisis management: signal detection, preparation/prevention, containment/damage limitation, recovery, and learning (ibid: 113). The first two phases, signal detection and preparation/prevention, are the proactive parts of crisis management, which can prevent many crises from occurring if done properly (ibid). The containment/damage limitation and recovery phases are carried out after a crisis has happened and are known as crash management (ibid). The last phase, the learning phase, shows the interactive aspect of crisis management (ibid).

This model is very similar to the model already mentioned briefly above, published by Kovoor-Misra & Misra (2007: 95), who distinguish five phases for effective (cyber) crisis management: prevention, preparation, containment, recovery, and learning. These phases follow from the fact that organisations must have the capabilities to prevent a cyber crisis, but should also be prepared to contain a cyber crisis, recover from it, and learn from it (ibid). But most organisations have not yet developed their capabilities in handling a cyber crisis; they are still in the process of learning from and avoiding them (Kovoor-Misra & Misra 2007: 95). Online crises that have occurred have generated awareness within organisations, which leads to growing knowledge on the matter (ibid).

Kovoor-Misra & Misra (2007: 96) name seven strategies that should be part of the practice of Cyber Crisis Management. First, it is important for organizations to develop an online crisis portfolio (idem: 97). This follows from the assumption that organizations that are prepared for a particular type of crisis also have the capability to transfer this preparedness to similar sorts of crises (idem: 98). Part of this strategy is the use of ethical hackers who attempt to penetrate your systems the same way a malicious hacker would (Kovoor-Misra & Misra 2007: 98). Intrusion detection services that detect intrusions into your network are also part of this strategy (ibid). These practices are considered to be part of all five phases described above (idem: 96).

A way to prepare for a cyber crisis is through secondary data centres (Kovoor-Misra & Misra 2007: 98). When an organization has been the victim of a cyber crisis it should have the redundancy in its systems to recover from it (ibid). By investing in a back-up system organizations should be able to have their business up and running within hours after a cyber crisis has started (ibid). This strategy is also considered to be part of the containment and recovery phases (Kovoor-Misra & Misra 2007: 96).

To be able to prevent and contain a cyber crisis organizations should monitor technology and chat groups in order to detect threats (ibid). As part of the monitoring organizations should have security systems in order to be able to see attacks on valuable data (ibid). By monitoring chat rooms for hackers and notice boards organizations are also able to gather a lot of valuable insights for an organization (ibid).

Another way to prevent and contain a cyber crisis is by identifying key online stakeholders (ibid). An organization should be able to assess which stakeholders could harm it and which could be allies (ibid), especially since cyberspace has introduced many new stakeholders, such as hackers, but also online service providers and data centre operators (Kovoor-Misra & Misra 2007: 97). Knowing these stakeholders helps an organization plan its crisis-containment strategy (ibid).

Part of the containment and recovery phases is addressing the nontechnical aspects of online crises (idem: 96). Since a cyber crisis is a very technical crisis, organizations can have the tendency to focus on its technical aspects (Kovoor-Misra & Misra 2007: 98). By doing so they can ignore nontechnical aspects like negative media attention, the psychological burnout of employees, or the relationships with their customers (idem: 99).

Another part of the containment and recovery phase is customer relationship management (idem: 96). The loss of trust resulting from a cyber incident can damage the organization in building or maintaining a long term relationship (idem: 99). As a result it can disrupt the ability to recover from the crisis (idem: 99).

In order to learn from a cyber crisis organizations should share their crisis learning with other organizations (Kovoor-Misra & Misra 2007: 96). After a crisis organizations have learned valuable lessons regarding their strengths and weaknesses (idem: 99). Organizations can also learn from crises that have hit another organization but are perceived as likely to happen to them too (idem: 100). To be able to learn from crises within other organizations it is recommended that a positive learning climate is created in which organizations can learn from each other (idem: 100). These lessons should also be followed up within the organization (idem: 100).

Where Elsubbaugh, Fildes, & Rose (2004) start with the signal detection phase, Kovoor-Misra & Misra (2007) start with the prevention phase. In the Cyber Crisis Management of zero-day attacks it is not very likely that a signal detection phase will actually be present, given the nature of a zero-day attack, which will be discussed further in the next section. Since zero-day attacks are unknown to the system operators, it makes sense to skip that phase. In the process of handling a cyber crisis it is possible both to prevent people from attacking your system and to prepare yourself for a cyber-attack. Elsubbaugh, Fildes, & Rose (2004) also combine the phases of preparation and prevention, while Kovoor-Misra & Misra (2007) describe these as two different phases, each with a different role. These differences may stem from the fact that the model of Elsubbaugh, Fildes, & Rose (2004) is a model of general crisis management, whereas the model by Kovoor-Misra & Misra (2007) has been designed specifically for Cyber Crisis Management. Since the model by Kovoor-Misra & Misra (2007) has been designed for use in cyber crises, this model is chosen for this research.

2.2 Zero-day attacks

When creating software, the aim is to make it flawless (Ablon & Bogart 2017: 1). However, this aim is aspirational (ibid). It is estimated that there are between 3 and 20 bugs per 1,000 lines of code, a rate that varies per application, device, or method and which can be reduced somewhat after thorough review (McConnell 2004). A bug that creates a security weakness in the design, implementation, or operation of a system is called a vulnerability (Ablon & Bogart 2017: 2). The code or technique that uses such a weakness to infect or disrupt a computer without the user knowing it is called an exploit (Microsoft 2013). When a vulnerability is exploited for which no patch is available, we speak of a zero-day attack or zero-day exploit (Ablon & Bogart 2017: 2). In this research the concepts zero-day attack and zero-day exploit are considered equivalent and are used interchangeably. No patch is available for a zero-day attack because an attack of this sort has never been seen before (Ablon & Bogart 2017: 2).

The name zero-day attack comes from computer security, where "Day Zero" is the day the vulnerability becomes known (Sharma et al. 2017: 2). There are zero days between the discovery of the vulnerability and the first time it is used for an attack (ibid). Zero-day attacks use malware that is a previously unknown virus or worm for which specific anti-malware signatures are not yet available (Tran et al. 2016: 20). Therefore, zero-day malware attacks are likely to circumvent existing, signature-based detection systems easily (Schultz & Shumway 2001; Mitropoulos et al. 2006). Because its signature is unknown, zero-day malware is a serious threat to the information security of a company or government (Tran et al. 2016: 19).
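The mechanism described above, shown as an added illustration that is not part of the thesis or of any product it cites: a toy signature-based scanner, holding a file hash and a byte pattern for one sample it has seen, matches that sample but misses a constructed variant with the same capabilities whose bytes differ, while a capability-based check that scores on what the file can do flags both. All samples, the API-style strings used as indicators, the signature database and the threshold are constructed for this example; they are not real malware or a real product's rules.

```python
import hashlib
import re

# --- Constructed samples (toy byte strings, not real malware) ---------------

KNOWN_SAMPLE = (
    b"MZ\x90\x00"                                    # toy executable header
    b"CreateRemoteThread\x00WriteProcessMemory\x00"  # process-injection APIs
    b"vssadmin delete shadows\x00"                   # destroys local backups
    b"\xde\xad\xbe\xef"                              # some constant
)

# Same capabilities, different bytes: the two API strings are in another
# order and one constant is changed. Nothing in the signature database
# describes this file yet, so for the scanner it is a zero-day sample.
ZERO_DAY_SAMPLE = (
    b"MZ\x90\x00"
    b"WriteProcessMemory\x00CreateRemoteThread\x00"
    b"vssadmin delete shadows\x00"
    b"\xca\xfe\xba\xbe"
)

BENIGN_SAMPLE = b"MZ\x90\x00GetSystemTime\x00MessageBoxW\x00hello\x00"

# --- Signature-based detection ----------------------------------------------

# Whole-file hashes of samples analysed before (constructed database).
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# A byte pattern an analyst extracted from the known sample.
PATTERN_SIGNATURES = [
    re.compile(re.escape(b"CreateRemoteThread\x00WriteProcessMemory\x00")),
]


def signature_verdict(sample: bytes) -> str:
    """Return 'malicious' only if a stored hash or byte pattern matches."""
    if hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES:
        return "malicious"
    if any(sig.search(sample) for sig in PATTERN_SIGNATURES):
        return "malicious"
    return "clean"


def add_signature(sample: bytes) -> None:
    """What the vendor does once the new sample has been analysed, i.e.
    after Day Zero: from now on the exact file is recognised."""
    HASH_SIGNATURES.add(hashlib.sha256(sample).hexdigest())


# --- Behaviour-based detection ----------------------------------------------

# Capabilities that ordinary software rarely needs. Each one present adds to
# a score; the score, not an exact byte sequence, drives the verdict, so a
# re-ordered or re-packed variant still scores the same.
CAPABILITY_INDICATORS = {
    b"CreateRemoteThread": "injects code into other processes",
    b"WriteProcessMemory": "writes into other processes' memory",
    b"vssadmin delete shadows": "deletes Volume Shadow Copies (backups)",
}
SUSPICION_THRESHOLD = 2  # constructed cut-off for this illustration


def behaviour_score(sample: bytes) -> int:
    """Number of suspicious capabilities found in the sample."""
    return sum(1 for indicator in CAPABILITY_INDICATORS if indicator in sample)


def behaviour_verdict(sample: bytes) -> str:
    return "suspicious" if behaviour_score(sample) >= SUSPICION_THRESHOLD else "clean"


def classify(sample: bytes) -> dict:
    """Both verdicts side by side for one sample."""
    return {
        "signature": signature_verdict(sample),
        "behaviour": behaviour_verdict(sample),
        "score": behaviour_score(sample),
    }


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE),
                         ("zero-day", ZERO_DAY_SAMPLE),
                         ("benign", BENIGN_SAMPLE)]:
        print(f"{name:9s} {classify(sample)}")
    # Day Zero has passed: the vendor ships a signature and the same file
    # is now caught by the signature scanner as well.
    add_signature(ZERO_DAY_SAMPLE)
    print("after signature update:", signature_verdict(ZERO_DAY_SAMPLE))
```

Run directly, the script prints the two verdicts for each sample; the zero-day sample is the one the signature scanner reports as clean while the capability check reports it as suspicious. The last line shows the window closing once a signature for the new sample exists, which is also why the page later stresses that a patch or signature only helps organisations that actually deploy it.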

Zero-day attacks differ from other cyber-attacks in the sense that they are so-called unknown unknowns. This research follows the conceptualisation of Feduzi & Runde (2014: 270), in which an unknown is a hypothetical event which may or may not occur. Such events can be known or unknown (ibid). An unknown unknown is a hypothetical event that is not imagined by decision makers and therefore is not even considered as a possibility (ibid). This means that the possibility of a zero-day cannot be foreseen. This understanding of unknown unknowns is also backed by Rumsfeld, the former US Secretary of Defense, who stated that there are things we do not know we do not know (Ministry for Justice and Safety 2018: 122). This statement by Rumsfeld has been transformed into the Rumsfeld matrix by Goldbach & De Valk (ibid), where the x-axis states whether the data is known or unknown and the y-axis whether the method for retrieving the data is known or unknown (Ministry for Justice and Safety 2018: 123). In this matrix an unknown unknown is an unknown type of event with unknown knowledge (ibid). When an unknown unknown has occurred, that is, when the hypothetical event that was not considered has happened and surprises the decision maker, it is defined as a black swan (Taleb 2010).

In this research zero-day attacks are called unknown unknowns because they use weak points in software that are not known to the developers of that software. Therefore, the occurrence of a zero-day attack is not imagined within most companies. Since such zero-day exploits are not considered possible, and mostly there are no plans in place to fix the flaws once they have actually been exploited, it is very hard to protect cyberspace against these kinds of attacks (Verizon 2012). This makes zero-day attacks different from other cyber-attacks, which are seen as so-called known unknowns: expected events which can reasonably be anticipated but cannot be quantified on the basis of past cases (Ministry for Justice and Safety 2018: 123). Policy makers anticipate that these kinds of attacks will happen; it is only not possible to predict, using historic information, how a cyber-attack will happen.

Given the fact that zero-day security breaches are described as unknown unknowns, they are mostly discovered by third parties (Verizon 2012; Kulikova et al. 2012). These breaches can be present for years before they are actually exploited. Once exploited, the mitigator of the computer software needs to fix the exploit. But even once a zero-day exploit has been noticed in a system, it can be challenging to fix the problem since the leak has to be identified first. Up until the moment the vulnerability is mitigated, the exploit can be used to infiltrate the computer system and affect computer programs and data, or even additional computers or a whole network. Also, since the breach has been detected as a result of an exploit, the majority of cases will become public knowledge (Kulikova et al. 2012: 103). Once a zero-day is detected the aim is to create a patch to improve the system. However, when companies do not apply this patch to fix their systems the zero-day can still be exploited (EY 2018a: 3).

Broadly, there are two groups interested in finding zero-day vulnerabilities: those who are interested in knowing the vulnerability of software but do not wish to exploit the vulnerability, and those who wish to exploit those vulnerabilities for their own benefit (Ablon & Bogart 2017). The first group mostly concerns ethical hackers, people who find a vulnerability and inform the mitigator in order to let them fix the vulnerability. The second group, those who release code which exploits the vulnerability in the system, poses the biggest risk. This exploit is used during the “vulnerability window”, the time between the identification of the zero-day vulnerability and the moment the software vendor knows about the problem and devises a solution (Sharma et al. 2017). This window can last for days, or even years.

There are three types of actors that are perceived to be responsible for cyber-attacks. First, the conventional cyber-criminals who are interested in quick financial profits (Gibney 2016). In June 2016 a Russian cyber-criminal named “BuggiCorp” had a zero-day exploit for sale on the dark web (Watchpointdata 2018). The exploit was believed to have the potential of affecting machines running any form of Windows (ibid). The exploit was on the dark web for $90.000, and it is uncertain whether the exploit has been sold (ibid). However, it can come up in a next big zero-day attack (Watchpointdata 2018).

Second, hacktivists who hack for fun or are pushing for a political matter (Gibney 2016). This was the case with the DigiNotar hack in 2011, where hackers had managed to generate false SSL certificates, and over 500 false certificates were spread (Van der Meulen 2013: 46). DigiNotar was a company that was responsible for the security of government websites, and the SSL certificates are necessary to make sure that Internet traffic is safe (ibid). On July 19, 2011 the company detected an intrusion which had taken place more than a week before, on July 10th (idem: 48). The company had tried to mend the breach, but on August 28th it turned out to have failed when the hack became publicly known (Van der Meulen 2013: 48). Several companies, like Google, suffered from this hack, which also resulted in the malfunctioning of computers within the Dutch government (ibid). This hack resulted in the bankruptcy of DigiNotar in September 2011 (Van der Meulen 2013: 49). Since the primary product of DigiNotar was trust in delivering digital certificates to enable safe Internet connections, the revocation of this trust after the hack could not be repaired (ibid). The hacker that claimed the hack was a 21-year-old Iranian who called himself Comodohacker, and who claimed to have launched the attack on DigiNotar as revenge for the Dutch actions in Srebrenica in 1995. He also named Geert Wilders as a reason for the attack and stated that he should be destroyed as a critic of Islam. The hacker is believed to have worked alone (Van der Meulen 2013).

And last, nation states who are trying to gather high quality intelligence or carry out sabotage activities (Gibney 2016). In these cases intelligence services are actively looking for zero-day vulnerabilities that they can use in order to do their work (ibid). Naming examples of zero-day attacks that are launched by nation states is quite tricky since nation states do not claim zero-day exploits as theirs. However, some zero-day attacks are believed to have been launched by nation state actors. One of these zero-day attacks is Stuxnet, which was allegedly launched by the United States and Israel (Gibney 2016). Stuxnet is a computer worm, discovered in June 2010, that has been designed specifically to target certain “supervisory control and data acquisition” (SCADA) systems of Siemens (Britannica Academic 2018). The Stuxnet worm relies on four different Microsoft zero-day vulnerabilities (Naraine 2010). It specifically targets the Siemens SCADA systems that have been used in conjunction with frequency-converter drives produced by certain manufacturers (ibid). This combination hinted to analysts that the Stuxnet attack was most likely targeted at nuclear installations in Iran (ibid). This analysis is backed by the fact that over 100.000 computers have been infected with the Stuxnet virus, but very few have been used (ibid). Given the presumed target of the attack, a combination of nation states that have been trying to stop the Iranian ambitions of obtaining nuclear weapons are believed to be behind the attack (Gibney 2016). However, the launch of Stuxnet has never been claimed by anyone, and has even been actively denied by the US government, and therefore it cannot be said with certainty that the attack has been launched by nation state actors. The actual launcher of the Stuxnet virus may never be discovered. Nevertheless, it is a vital example of the capabilities nation states are believed to have on the matter of zero-day attacks.

In 2016 the first version of encrypted ransomware was discovered, going by the name WannaCry (Greenberg 2017). This malware targets Microsoft Windows-based systems by infecting the master boot record in order to execute encryption that can only be undone by paying a ransom, mostly in Bitcoin (ibid).

Another example of a zero-day attack that is believed to have been launched by a nation state is NotPetya. In May 2017 a worldwide cyber-attack targeted computers running the Microsoft Windows operating system: the NotPetya ransomware attack (Greenberg 2018). This attack encrypted the data of users, demanding payment in order to decrypt it (ibid). The ransomware used a zero-day exploit in older Windows systems that had been released a few months earlier by The Shadow Brokers (ibid). When this exploit became known Microsoft released patches for the software, but many companies did not apply these patches. Because of this patch NotPetya is technically not a zero-day attack, but it did use a zero-day vulnerability that was still present in unpatched systems. Therefore, NotPetya could spread to over 150 countries and is estimated to have affected more than 200.000 computers (Greenberg 2018). The total damages range from hundreds of millions to even billions of dollars (ibid). The United States, United Kingdom and Australia have formally asserted North Korea to be responsible for the attack, but no one has come forward and claimed the attack.

These various actors have shown interest in the use of zero-day attacks. As a result of the high number of actors interested in zero-day attacks there are black markets where zero-day exploits are sold for high amounts of money. Since exploits are digital products, they are highly valued information goods with a marginal cost close to zero. The vulnerability will only decrease in value once the original developer of the system patches the vulnerability. Until that point, the exploit will hold its value (Afidler 2014). However, once the vulnerability is patched it will not lose all its value altogether, since 1) the distribution of the patch is asymmetric, which means the exploit might still be usable, and 2) developers could use the original bug to create a variant of it. Transactions will mostly occur through the use of cryptocurrencies or stolen digital funds like credit cards in order to keep the identity of at least one of the parties a secret. Since zero-day exploits are digital goods, the selling of the products occurs online. However, not all the buyers of zero-day exploits are hackers; companies are also actively involved in searching for exploits that might infect their systems, and there are even grey markets where zero-day exploits are sold to various governments in exchange for security (Gonzalez 2015).

As shown above, all three actors using zero-day attacks can have a very high impact, especially since zero-day attacks have a direct effect on the operations of the targeted company or nation (Sharma et al. 2017: 2). Therefore, a lot of effort is put into preparing for and preventing zero-day attacks in order to diminish these effects. In order to prepare for zero-day attacks organizations implement various approaches to defend and protect their intellectual property (Tran et al. 2016: 19). An effective incident response and recovery process can strengthen the resilience of a system or network (idem: 20).


3. Methodology

This chapter will further explain the methodology of the research. It will elaborate on the research question, highlighting the variables and causal mechanisms. In addition to this, it will also address the mixed research methodology approach, as the Crisis Management Framework will be used for this research. After this the 8 cases used for the comparative case study of this research will be introduced. Then the operationalization of the chosen model will be discussed further, after which the semi-structured interview method will be explained. Lastly, the validity and reliability of this research will be looked at.

3.1 Research Design

This research addresses the following question: “How can zero-day attacks influence the process of Cyber Crisis Management?” This research question is explanatory and seeks to identify 1) What is Cyber Crisis Management?; 2) How do zero-day attacks differ from other cyber-attacks?; 3) How has Cyber Crisis Management been used on past zero-day attacks?; 4) How can companies become more cyber resilient?

3.2 Comparative Case Study

Given the fact that very little research on Cyber Crisis Management has been conducted, especially when combined with zero-day attacks, there is not a lot of quantitative data available. Therefore, for this research a qualitative method is chosen, which is descriptive in nature and will focus on understanding the Cyber Crisis Management carried out by private companies on zero-day attacks. By carrying out qualitative case studies, the current way in which Cyber Crisis Management is applied to zero-day attacks can be based on the existing theory by Kovoor-Misra & Misra (2007). The theory will be supplemented with interviews and open source data to get a complete picture of the current situation. The cases that will be used in this case study are all companies in the private sector which have faced a zero-day exploit in some way. A total of 9 interviews have been conducted with 8 companies. 4 of these companies are big multinational organisations (hereafter MNO’s) that operate on a global scale. The other interviewees are added to this research based upon their experiences with cyber incidents in their careers. Combined, these three interviewees hold a total of 43 years of experience in the cybersecurity domain.

This research will use a comparative case study. Comparative case studies look for the similarities, differences and patterns across two or more cases that share a common focus or goal in a way that produces knowledge, in this research the practices of Cyber Crisis Management on zero-day attacks (Rohlfing 2012). The comparative case study was chosen as a result of the numerous zero-day attacks that have occurred at various companies over the past years. By using the method of the comparative case study the overall use of Cyber Crisis Management on zero-day attacks can be analysed. This can be done by using a cross-case comparison where more than one case is analysed (Rohlfing 2012: 15).

This qualitative research tries to give a better understanding of the use of Cyber Crisis Management on zero-day attacks. In this comparative case study four MNO’s have been analysed: Dutch telecommunications company KPN, a leading financial institution, a technological multinational, and Microsoft. All these companies are big companies with great experience in cybersecurity, being a target almost every day. The limited number of cases analysed in this cross-case comparison makes this a comparative small-n research. A small-n research design has been chosen since the data necessary for this comparative case study will come from semi-structured interviews using elite interviewing. This will be further discussed later on.

The first case that will be analysed is KPN. KPN faced a cyber-attack in 2012 that used a zero-day vulnerability, which had a big impact on the company back then and also changed the way the company handles its cybersecurity today. This attack on the Dutch telecommunications company did not only cause problems for private users of the telecom company, but also potentially had an impact on the Dutch emergency call centre in Driebergen, for which KPN provides the teleconnections.

The second case to be analysed is a leading financial institution that wants to stay anonymous. Financial institutions in general are a target for cybercrime due to the access to money they can give hackers. Also, due to regulation these institutions are forced to have their cybersecurity practices in place, and with programs like the Financial Information Sharing and Analysis Centre (hereafter FI-ISAC) these institutions share their lessons learned within the sector in order to protect the sector as a whole.

The third case used in this thesis is a technological multinational that wants to be anonymous in this research. This multinational produces several products which are a potential target for attacks. These products can be for all sorts of uses and can be physical products as well as services. By producing these sorts of products, competitors as well as governments of countries like China and Russia are targeting the company on a daily basis. Therefore, it is very aware of the risks involved regarding cybersecurity.

The last case looked at is Microsoft. Microsoft has been hit by several zero-day exploits over the years. Earlier on, several recent cases of zero-day exploits targeting Microsoft software have been addressed. But zero-day exploits at Microsoft have occurred on multiple occasions in the last decade. Therefore, Microsoft is a company with a lot of hands-on experience in handling zero-day exploits. Microsoft differs from the other cases stated above in the sense that the company itself is not the prime target of these attacks, but the users of its products are. However, when a product of Microsoft has been hit by such an attack the company will most likely still feel the impact of the zero-day attack that has been launched on one of its products. Therefore, this experience will be used in this research.

The information derived from these cases will be complemented with three interviews regarding the point of view of outsiders who have a more overall experience with cybersecurity and zero-day attacks in specific. For this, Ronald Prins has been interviewed. Ronald Prins is part of the Testing Committee Deployment Powers of the Intelligence and Security Services in the Netherlands. Throughout his career he has been involved in the domain of cybersecurity.

Another case that has been used is Fox-IT. Fox-IT is an IT security company that helps companies as well as governments to handle their cybersecurity incidents. By handling cybersecurity incidents within multiple organisations Fox-IT has a lot of experience in handling cyber-attacks.

The last case that is used in this research is Northwave. Like Fox-IT, Northwave is an IT security company with hands-on experience with cybersecurity incidents and zero-day attacks in multiple small and medium-sized enterprises (MKB) in the Netherlands. Also, the information derived from these interviews will be supplemented with other data in order to come to a complete overview in the analysis.

The necessary data will be retrieved through an internship at EY, in the cybersecurity unit. EY is a company with four integrated service lines: assurance, advisory, tax, and transaction advisory services (EY 2018b). For the purpose of this research the cybersecurity consultancy department as part of the advisory unit is the most important one. Through this department contacts have been acquired with companies that have been interviewed, documents have become accessible and where necessary further information has been provided on cases of zero-day attacks and the Cyber Crisis Management processes.

Since some of the interviewees have requested to stay anonymous, the choice has been made to not disclose any of the sources in the rest of this research. The analysis of this research will be anonymized in order to make sure that none of the statements that have been made by the interviewees can be related back to either the interviewee or the company they work for in any way. This way the identities of the various sources are protected to the fullest extent.


3.3 Operationalization

This research will use the Cyber Crisis Management model as described by Kovoor-Misra & Misra (2007). In this model various phases are set out. These phases are: prevention, preparation, containment, recovery, and learning (ibid). In phase one, prevention, the way companies take actions to prevent a zero-day attack from happening is examined. Key points in this phase are what valuable information the company holds that might be of value to outsiders, and how this information is protected. The measures that can be taken in order to protect this data from zero-day attacks are also a very important part of this phase, especially since it is particularly difficult to protect yourself against the occurrence of a zero-day attack, as it is considered to be an unknown unknown, and therefore companies do not know what to prepare for.

The second phase, the preparation phase, closely analyses the way companies take action to prepare for zero-day exploits. Here the focus is on issues like scenarios and how valuable information can be acquired by an outsider, as well as whether the management of the company is properly trained for the crisis that a zero-day attack can bring. In the case of zero-day attacks this phase is also considered to be rather difficult, given the fact that zero-days are unknown unknowns and only become known once the zero-day exploit is used for an attack. Due to this lack of knowledge on the next zero-day attack, proper preparation for such a crisis can prove to be difficult. However, experiences of past zero-day attacks can be used in order to prepare for a new crisis situation regarding a zero-day attack.

In the third phase, containment, the measures taken during a zero-day attack will be analysed. Here the focus is on how the company reacts during a zero-day attack. The containment phase in handling zero-day attacks is a very important one, since the zero-day exploit needs to be contained fast once a zero-day attack has occurred. Once the zero-day has been identified the system operators will try to patch the system as soon as possible (Sharma et al. 2017: 2). However, due to the little time there is to launch a patch, the patch has undergone limited testing before it was launched. Therefore, this patch may have a bug in it or might not be enough to patch the zero-day vulnerability, which makes this a very difficult phase (ibid). Also, the people involved in the process of containment need to be considered, especially focussing on the primary business process that should keep on running. And since this phase holds the actual cyber crisis, communications are of vital importance in this phase. Companies that are in a cyber crisis run the risk of losing customers’ trust, which can cause a downfall like the one that happened with DigiNotar. By means of communication such an ending may be prevented.

The fourth phase, the recovery, focuses on how the company goes from the crisis situation back to its normal operations. During a crisis a company possibly has not been able to carry out all its everyday practices. Even if it was able to do so, some actions have been taken during the crisis in order to overcome it. Once the zero-day attack has been handled the company will want to restart these practices and go back to its normal ways. In the recovery phase this process of going back to the normal way of practices is looked at.

And the fifth phase, the learning phase, looks at how the experiences of the zero-day attack are implemented in the way Cyber Crisis Management will be used in the future. By implementing this phase the practices in the other Cyber Crisis Management stages can be improved in order to be able to handle future zero-day attacks better and to limit the impact zero-day attacks have.

3.4 Semi-structured interviews

For this research semi-structured interviews have been chosen. The structured elements lie in the fact that the same questionnaire is followed with all interviewees, the form of the questions goes through a process of development to ensure the right focus, interviewees are prompted with supplementary questions if necessary, and approximately equivalent time is scheduled for all the interviews (Gillham 2005: 70). There are also less structured elements, such as that the questions are open and therefore the type or the direction of the answer is open (ibid). Also, probes are used when the interviewer thinks there is more to be disclosed in the interview (ibid). A powerful element of the semi-structured interview is that it leaves room for a strong element of discovery, while the structured focus allows an analysis in terms of commonalities (Gillham 2005: 72).

The positives of using semi-structured interviews are that they provide a balance between openness and structure, that by using prompts roughly equivalent coverage can be achieved over the interviews, and that analysis is facilitated by the level of structure (Gillham 2005: 79). However, there are also some negatives to this way of interviewing. It takes a lot of time to conduct the interviews, but transcribing the interviews and writing the analysis also cost a lot of time; the development of the questions is a long process as well; and a certain level of skill is required in order to achieve adequate performance during the interviews (ibid).


The questions for the interviews will be divided into the various phases as described by Kovoor-Misra & Misra (2007). These phases are: prevention, preparation, containment, recovery, and learning (ibid). By dividing the questionnaire into these phases the emphasis lies upon the different aspects each phase has in the process of Cyber Crisis Management. This way it becomes visible how various companies use the process of Cyber Crisis Management as a result of their experiences with zero-day attacks. Also, by structuring the questions in this way the best overview can be given regarding the use of the different phases in the way Cyber Crisis Management is conducted at several companies. Prior to these phases some introductory questions will be asked in order to ease into the interview and let the interviewee feel comfortable. At the end of the interview some wrap-up questions will be asked in order to find out if there is any more information the interviewee thinks might be relevant to mention. Also, this way arrangements will be made regarding the disclosure of the identity of the interviewee in name or in position. The questions are the result of theory and test interviews conducted at EY. Through the test interviews it has been established that the questions as composed in the questionnaire will lead to the kind of answers that are sought in this research. The questionnaire is added in appendix 1.

The interviewees have been selected on the basis of their expertise. Therefore, the selected method is one of elite interviewing, a key qualitative research method (Boucher 2017: 99). Through the use of elite interviewing the expertise of those with experience with zero-day attacks and knowledge of the Cyber Crisis Management procedures of a certain company is targeted. As a result of this choice the number of interviews that can be conducted is limited, due to the combination of the small group of potential interviewees and the short period of time that is available for this research. However, since the interviewees are perceived to hold valuable information on various multinational businesses, this makes up for the limited number of interviewees. The interviews will be held partly in Dutch and partly in English, based upon the preference and language skills of the interviewee.

In order to use the data from the interviews they will be coded as being part of one of the 5 phases of Cyber Crisis Management as discussed earlier. By coding the interviews this way the information derived on the different stages of Cyber Crisis Management can be divided per phase and can be processed in the analysis in the right way. Since some of the interviewees have requested to stay anonymous, the choice has been made to not include the transcripts of the interviews, since this would make identification of either the company the interviewee works for or the interviewee in person possible. The transcripts of the interviewees that have given their consent to publishing their names have also been excluded, due to the chance of the reader misinterpreting the things that have been disclosed in the interview. Where certain quotes are meant and understood in one way during an interview, they may be understood in a totally different way in a transcript. Also, since part of the quotes could be traced back, this could lead to identification of the other interviewees. The first and second reader have been given the coded transcripts of the interviews as well as access to the audio files of the conducted interviews, but these will not be archived within Leiden University and thus will not become public.

3.5 Methodological Constraints: Validity and Reliability

For this research interviews, open source studies, and reports on the zero-day attacks named above will be used. Open sources that will be used are: the information on the companies’ websites, press statements, news media, expert interviews and situation reports. Given the fact that the field of zero-day attacks is relatively new and a lot is yet to be discovered, new sources may be published monthly. This new information may affect the underlying assumptions of this research in some way. The reliability of this research will depend strongly on the systematic consistency of the analysis, in order to allow for reproducible results that can be applied in other research.

A different issue affecting the reliability of this research concerns the content derived from the semi-structured interviews. As with all social science research, it is important to recognize that the content of the interviews has a level of subjectivity and is affected by a number of factors affecting both the interviewer and the interviewee. Also, by choosing elite interviewing the interviewee holds a certain amount of power to make or resist certain outcomes through the responses to the questions. While this risk can never be completely eliminated, it is reduced to a minimum by using personal contacts of the interviewer in order to obtain the interviewees. These are either existing personal contacts, or contacts obtained through the networks of these personal contacts. Due to these connections to the interviewee, the risk of people using this power is considered to be low.

When looking at the validity of this research, it is important to assess the internal as well as the external validity of the research. The internal validity of the research concerns measuring the right values according to the proposed theoretical framework, in this case the Cyber Crisis Management framework. By using the framework described by Kovoor-Misra & Misra (2007) as a starting point for the interviews and the analysis, the internal validity is accounted for. The external validity focuses on the possibility of generalizing the conclusions of the research to other contexts. This research focusses on multiple cases in order to be able to generalize the results and thus account for the external validity. However, due to the selected method of elite interviewing the number of people interviewed is rather low. Given the amount of knowledge the interviewees hold that is necessary for this research, this is considered to be acceptable. In order to be able to generalize the results, the limited number of interviews is complemented with open source information. Also, all interviewees are responsible for private actors, which excludes the governmental point of view. However, policies of the Dutch government regarding cybersecurity practices are accessible online. This way the efforts the government takes in becoming more cyber secure as a society are included in some way in this research.


4. Analysis

In this section the results of the interviews will be used in order to analyse the questions at hand. Like the interviews, the analysis will follow the 5 phases of Cyber Crisis Management by Kovoor-Misra & Misra (2007): the prevention, preparation, containment, recovery, and learning phases. Within these phases several steps have been identified that can be taken in order to improve the process of Cyber Crisis Management. These classifications are the result of the data derived from the 9 interviews. These steps will be discussed below per phase of the Cyber Crisis Management process.

4.1 Prevention

The first step in the process of Cyber Crisis Management is the prevention of zero-day attacks from being able to happen by taking measures against such an occurrence. This phase is focused on keeping hackers out of your systems. By taking technical measures and cultural measures companies try to do so. But through cooperation between various actors extra measures are taken in order to be even more successful. Therefore, in this phase three types of measures are being distinguished: technical measures, cultural measures, and cooperation.

4.1.1 Technical measures

There are various ways to look for breaches in the systems that are being used for zero-day attacks. One of these ways is through using penetration tests (pen tests in short) on your products and services in order to see where the breaches in the system are. Pen testing is a way to find out if there are ways to penetrate the systems used, by actually using these vulnerabilities in order to find out if valuable data can be retrieved from a company. In large companies, which are normally more aware of the threats of lacking cybersecurity and face attacks on a daily basis, this is done by employees of the company. But in smaller organizations, which do not have the resources to have these employees in house, this can be outsourced to companies like Fox-IT and Northwave. This way all sorts of companies can use this method in order to try and prevent cyber incidents from occurring. A number of companies have already made it common practice to do a pen test before launching a new product. Some have done this as a result of cybersecurity awareness, others do so out of compliance. For instance, products using DigiD, the Dutch digital identity of citizens, are obligated to undergo a pen test annually.

Another way to help prevent a zero-day attack is to red team the systems and the employees. Red teaming goes further than pen testing, since various ways of entering the organisation are tried: not only the systems are tested, but the employees as well. Red teaming works from the idea of the 'lazy hacker', who uses only what is necessary to get in and does so in the cheapest way possible. When an attacker can get into a system without a zero-day, which is costly to acquire these days, he or she will take the easier way in. This is not only a matter of saving the cost of the zero-day: using a zero-day vulnerability exposes it, and once it is discovered and patched it loses its value. Owners of a zero-day vulnerability will therefore want to keep it secret as long as they do not have to use it. For this reason sending phishing mails is very common in red teaming exercises, since in the real world attackers are most likely to use this method when it is enough to get access to the network.

That phishing mails are a regular occurrence is shown by EY's Global Information Security Survey 2018/2019 (EY 2018c), which reports that approximately 6.4 billion fake emails are sent worldwide every day. Not only is the number of phishing mails high, they are also becoming more advanced. One interviewee mentioned a phishing campaign in which up to 7,000 unique phishing mails were sent to the employees of a single company. Because every mail was unique, antimalware software that relies on recognising known samples had difficulty identifying them as phishing. Other interviewees also stressed the amount of preparation that goes into phishing mails before they are sent. One example is a company that uses a software version which prompts users every three months to change their password. When an attacker knows roughly when an employee will receive the next reminder, this information can be used in a phishing mail. Zero-day vulnerabilities are less likely to be used in red teaming exercises, since they are a very costly way to attack a company, and in many cases they are not even necessary because there are cheaper ways into the system.

Another technical measure is the use of signatures, a term that covers two different things. Digital signatures are cryptographic schemes that verify the source of a message or document: a valid signature tells the recipient that the message most likely comes from the claimed sender and was not altered after it was signed. Signatures in the second sense are known patterns of malicious content, such as file hashes or characteristic byte sequences, which can be used to block malicious messages and files from entering the system. Knowing these signatures is vital in order to block the right content and keep malicious hackers out. Companies that are targeted on a daily basis have a lot of experience not only in applying such signatures, but also in discovering new malicious ones.

Antimalware software helps to keep attackers out of the system. By looking for certain patterns it prevents, detects and removes malware. One way to do this is through signatures; another is behaviour-based detection, in which deviations from normal behaviour are noticed. Most antimalware products still work mainly with signatures, which means a piece of malware can only be detected after a signature for it has been created, so the first victims of a new sample are not protected. Vendors are therefore looking into machine learning and Artificial Intelligence (hereafter AI) in this area too, and into going beyond signatures by examining the effect a piece of code has: a copy of the suspected file is sent to an isolated sandbox environment, often in the cloud, where it is opened to find out whether it behaves as malware. This way malicious software can be blocked at first sight, and malware can be detected before it runs inside the organisation's own systems.
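The two meanings of 'signature' and the difference between signature-based and behaviour-based detection discussed in the paragraphs above can be made concrete in code. The following Go program is an added example written for this edit; it is not from the thesis, from EY, or from any interviewee's product. It uses the Go standard library's Ed25519 to sign and verify a message, a SHA-256 blocklist as a minimal malware signature, and a constructed sandbox event trace with a deliberately simple heuristic (persistence combined with an outbound connection to a host outside a hypothetical ".internal" domain) as behaviour-based detection. The sample bytes, hashes, file paths, host names and events are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// 1. Digital signature: proves who sent a message and that it was not altered.

// NewKeyPair generates a fresh Ed25519 key pair for the sender.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignMessage signs msg with the sender's Ed25519 private key.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifyMessage reports whether sig is a valid signature of msg under pub.
// Any change to msg after signing makes this return false.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// 2. Malware signature: a fingerprint of known-bad content used to block it.

// Blocklist holds the SHA-256 hashes of samples already identified as malicious.
type Blocklist map[string]bool

// Fingerprint returns the hex SHA-256 of a sample; this is what a
// signature-based scanner compares against its blocklist.
func Fingerprint(sample []byte) string {
	sum := sha256.Sum256(sample)
	return hex.EncodeToString(sum[:])
}

// MatchesSignature reports whether the sample's hash is on the blocklist.
// A sample that differs by a single byte has a different hash and is not matched.
func (b Blocklist) MatchesSignature(sample []byte) bool {
	return b[Fingerprint(sample)]
}

// 3. Behaviour-based detection: judge what a sample does when run in a sandbox.

// Event is one action observed while running a sample in isolation.
// The events used below are constructed for this example, not real telemetry.
type Event struct {
	Action string // "write_file", "set_autorun" or "connect"
	Target string // file path or remote host
}

// SuspiciousBehaviour flags a sample that both makes itself persistent and
// contacts a host outside the hypothetical ".internal" domain. The rule is
// deliberately simple; real products combine many such indicators.
func SuspiciousBehaviour(events []Event) bool {
	persists, beacons := false, false
	for _, e := range events {
		switch e.Action {
		case "set_autorun":
			persists = true
		case "connect":
			if !strings.HasSuffix(e.Target, ".internal") {
				beacons = true
			}
		}
	}
	return persists && beacons
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	msg := []byte("Invoice Q3 attached")
	sig := SignMessage(priv, msg)
	fmt.Println("original message verifies:", VerifyMessage(pub, msg, sig))
	fmt.Println("tampered message verifies:", VerifyMessage(pub, []byte("Invoice Q4 attached"), sig))

	known := []byte("MALWARE-SAMPLE-v1")   // constructed stand-in for a known sample
	variant := []byte("MALWARE-SAMPLE-v2") // one byte changed: same behaviour, new hash
	bl := Blocklist{Fingerprint(known): true}
	fmt.Println("known sample blocked by hash:", bl.MatchesSignature(known))
	fmt.Println("variant blocked by hash:     ", bl.MatchesSignature(variant))

	trace := []Event{
		{"write_file", "/home/user/.cache/updater"},
		{"set_autorun", "/home/user/.cache/updater"},
		{"connect", "203.0.113.9"}, // constructed documentation address
	}
	fmt.Println("variant flagged by behaviour:", SuspiciousBehaviour(trace))
}
```

Running the program shows the tampered message being rejected, the known sample being blocked by its hash, the one-byte variant slipping past the hash check (the same weakness the unique phishing mails exploit against sample-matching filters), and the variant still being flagged once its behaviour is observed. The hash blocklist stands in for the hand-written or vendor-supplied signatures the paragraph describes; it is what must be updated after every new sample, whereas the behaviour rule needs no knowledge of the specific sample.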

Another way to prevent a zero-day attack is to build products and services with as few vulnerabilities as possible through secure coding. Secure coding is part of secure development: a process within the secure development lifecycle that takes extra care during the coding of products, so that the code contains as few vulnerabilities as possible from the start.
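As an illustration of what secure coding means at the level of a single function, the following Go snippet is an added example, not code from the thesis or from any company interviewed. It places a common defect, a user-controlled file name joined to a base directory without a containment check, beside a hardened version that verifies the resolved path still lies inside the base directory. The base directory and file names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path would leave the base directory.
var ErrOutsideBase = errors.New("requested path escapes the base directory")

// ResolveUnsafe shows the defect: the user-supplied name is joined to the base
// directory without checking where the result ends up. A name such as
// "../../etc/passwd" therefore resolves to a file outside base.
func ResolveUnsafe(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// ResolveSafe is the hardened version. It joins the same way, then checks that
// the cleaned result is still inside base before returning it; anything that
// escapes, including "reports/../../secret", is rejected with ErrOutsideBase.
// Symbolic links inside base are not considered here; a real file server would
// also resolve them before serving the file.
func ResolveSafe(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	full := filepath.Join(cleanBase, userPath) // Join also resolves ".." segments
	rel, err := filepath.Rel(cleanBase, full)
	if err != nil {
		return "", err
	}
	// A relative path that starts with ".." points above the base directory.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	base := "/srv/files" // constructed base directory for the example
	for _, name := range []string{"reports/q3.pdf", "../../etc/passwd", "reports/../../secret"} {
		fmt.Printf("unsafe: %-22s -> %s\n", name, ResolveUnsafe(base, name))
		if p, err := ResolveSafe(base, name); err != nil {
			fmt.Printf("safe:   %-22s -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("safe:   %-22s -> %s\n", name, p)
		}
	}
}
```

The check is done on the relative path rather than with a plain string prefix on the absolute path, because "/srv/files2/x" starts with "/srv/files" yet lies outside the base directory; the relative form "../files2/x" exposes the escape immediately.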

Coding can also be done with the help of AI. The expectation is that this produces fewer errors than coding by humans, who are known to make mistakes once in a while. AI-generated code is not free of errors either, however, and should still be reviewed and tested like any other code before it is trusted.

4.1.2 Cultural measures

To properly prevent a zero-day attack it is important to acknowledge that such an attack is a real threat. This acknowledgement is mostly the result of having experienced multiple cybersecurity incidents, which in turn leads to very mature cybersecurity practices within a company. Once a company has been a target for a longer period of time, it is more likely to take its cybersecurity seriously. Banks are able to block numerous attacks a day simply because of their experience in doing so, and other large MNOs are able to do so as well. But MNOs are not the only victims of cybersecurity incidents: smaller companies can also be targeted, or fall victim to an opportunistic hacker. When such companies have experience with cyber-attacks they take the threat more seriously than companies without this experience. However, one cyber-attack is not always enough to become more aware of the threats posed by the use of cyberspace. As long as companies can convince themselves that they are not that
