N-Day Vulnerabilities: Minimizing the Risk with Self-Learning AI
Responding to the latest critical vulnerability has become a regular routine in the daily life of cyber security professionals.
In the last two years, there has been a carousel of patches for vulnerabilities affecting email servers (ProxyLogon), remote working infrastructure (Atlassian Confluence), third party tools (Kaseya), and supply chain software (Log4j).
In the days following the public disclosure of such vulnerabilities, any associated exploit is referred to as an “N-day”. The release of a patch marks day 1, but over the following days any unpatched systems are at risk of attack from exploits which target the vulnerability. This contrasts with zero-day attacks, which exploit vulnerabilities for which no patch is available, often because knowledge of the vulnerability isn’t yet in the public domain.
N-days occupy a unique space in cyber risk analysis. Headline-grabbing zero-day attacks have the potential to be high impact, but in reality such attacks are rare and have a low likelihood. A more common cyber-attack, using commodity malware which has been well documented in the wild, may have a high likelihood but will have a low impact when faced with a mature security stack. But in the hours and days following the publication of a new vulnerability, there is a high likelihood of a high impact attack against an organization which makes use of a new exploit.
After a critical vulnerability is published, security teams battle against time and resourcing constraints to apply the appropriate patch or patches, all the while trying to protect assets without a playbook of what an attack may look like. Darktrace has found that 85% of high-risk vulnerabilities are not patched within one week and 70% remain unpatched after a month. In the meantime, threat groups have become armed with a new attack method: an N-day exploit.
In their latest research, Darktrace’s Inside the SOC team detail how the techniques used by Self-Learning AI to detect zero-day attacks can also be leveraged by organizations to Detect and Respond to N-day attacks.
But with Darktrace PREVENT, defenders can go one step further, enabling security teams to harden defenses before the next attack vector is even published.
The Darktrace PREVENT product family empowers defenders to model likely attack paths, intelligently prioritize critical servers or highly exposed people in the organization, and test vulnerable pathways by emulating real-world attacks. Darktrace PREVENT then feeds data back into Darktrace DETECT + RESPOND to harden defenses around critical attack paths or assets and further enhance cyber resilience. For example, if Darktrace PREVENT discovers that a critical database is serving high-risk users, it can feed that information back into Darktrace DETECT, which in turn increases the level of scrutiny around that asset.
While Darktrace DETECT + RESPOND wrap what amounts to an ‘AI safety blanket’ around vulnerable assets and attack paths, Darktrace PREVENT presents prioritized recommendations for long term risk mitigation. Stretched security teams therefore know, based on Darktrace’s deep and evolving understanding of the entire business, where to focus their time and resources in order to reduce risk to the greatest extent.
As a result, when the next N-day vulnerability comes around, defenders have the confidence that any prospective impact has already been minimized and the potential cyber risk is low.