Complete N-Day Testing in 24 Hours
You can shorten the critical timeframe for testing for N-day exposure, even in large organizations, by pre-configuring runners for each of your major network segments. Then, when a widespread N-day emerges, you can run those pre-configured tests concurrently so that your full environment is tested within 24 hours. The NodeZero platform scales to support the largest networks and can run 100+ N-day tests concurrently.
Reveals the true impact of the Veeam N-day
The Veeam N-day is an example of the additional value that NodeZero provides when you are evaluating the urgency of your organization’s response to an N-day.
In March 2023, Veeam disclosed a vulnerability (CVE-2023-27532) affecting Veeam Backup and Replication software that enables attackers to dump highly privileged credentials in clear text. The Horizon3.ai Attack Team determined that this was a critical issue and took action.
The National Vulnerability Database (NVD) rates this CVE as a 7.5 (High). In many organizations, however, a vulnerability with a High rating would not be prioritized for patching relative to other Critical vulnerabilities. The reality, as proven here by NodeZero, is that exploiting this vulnerability can lead to full compromise, raising its priority level to a 10 (Critical) on the NodeZero scoring system.
NodeZero has been able to successfully exploit the Veeam CVE in many environments. In this example, NodeZero leveraged the Veeam vulnerability to fully compromise a client’s on-prem environment and AWS infrastructure.
The team reverse-engineered the vulnerability and, in March 2023, released a blog post and a proof of concept on GitHub for public access. NodeZero engineers added a targeted N-Day test for the Veeam CVE to NodeZero months before it was reported to be exploited in the wild.
The Veeam CVE was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog on Aug. 22, 2023.
In the attack path to domain compromise shown above, the Veeam CVE provided NodeZero initial access, and the subsequent weaknesses enabled NodeZero to take over the domain.
NodeZero helps you get ahead of N-day exploitation in these key ways:
Early identification of N-days and zero days:
The Horizon3.ai Attack Team proactively researches potential zero days and N-days and identifies which vulnerabilities are likely to be exploited in the wild, even if they have not yet been added to the Cybersecurity and Infrastructure Security Agency (CISA) catalog.
N-day testing is part of standard operating procedure:
NodeZero pentests identify emerging N-days within your environment as part of the autonomous internal and external pentesting process.
Prioritizes N-days by impact:
When they identify vulnerabilities that are likely to be exploited, the Horizon3.ai Attack Team reverse-engineers them and creates a proof of concept exploit to understand the impact of the vulnerability. This understanding is embedded into NodeZero and is paired with contextual understanding of your environment to help you prioritize your remediations and understand when you should patch outside of your regular cycle for a particular threat.
Targeted testing for high-impact N-days:
NodeZero offers targeted testing for major N-days to simplify your efforts.
What are zero days?
A vulnerability or security flaw in software or systems that is unknown to the vendor or developer.
It is called “zero day” because the vendor has had zero days to fix or patch the unknown vulnerability. Zero day vulnerabilities are valuable to attackers because they can be used to launch targeted attacks without detection.
What are N-days?
An N-day is a software or hardware vulnerability that is already publicly known (n days since disclosure), but for which a security update may or may not yet be available to remediate the vulnerability.
The goal of vendors, distributors, and administrators is to have systems patched as quickly as possible to avoid N-day attacks.
N-day exploits are continually added to NodeZero
NodeZero proactively tests for N-days and zero days and updates NodeZero users about them based on their system architecture and cyber terrain maps.
The Horizon3.ai team continually researches the types of vulnerabilities that are likely to be exploited by threat actors. When Horizon3.ai researchers find a vulnerability themselves, a zero day, they alert affected NodeZero users, disclose it to the vendor, develop a proof of concept to test its impact, and release the exploit module as an update to NodeZero. See Disclosures for the list of zero days found to date. The process for N-days is very similar.
Our goals are to help you discover where your organization is vulnerable to these new threats and also determine what the outcome would be if a system was exploited due to the N-day in question.
Horizon3.ai N-Day Process
- 1. Identify critical N-days
- 2. Alert users
- 3. Add to the NodeZero platform
- 4. Find the N-day in your environment
- 5. Fix your environment
- 6. Verify that your fixes work
The Horizon3.ai Attack Team continually researches the global threat environment to identify new N-days that have been exploited in the wild or are likely to be exploited in the wild.
The Horizon3.ai team determines if any NodeZero users are affected by the N-day, and if they are, they are alerted.
The Horizon3.ai Attack Team develops a new attack module for the N-day, using a production-safe variant of a proof of concept if one exists or developing one from scratch if it does not. The new module is added to the NodeZero platform, and runs automatically as part of NodeZero’s internal and external pentests. For very significant N-days, NodeZero also breaks out specific targeted N-day tests.
You use NodeZero to assess which assets in your organization are impacted. For maximum efficiency and scale, you can set up pre-configured tests ahead of time in all your network segments.
If your organization is impacted, you receive detailed remediation guidance. If a patch isn’t yet available, NodeZero will offer guidance about mitigating controls, such as quarantining the server, changing your firewall rules, or increasing monitoring.
Once you’ve remediated the vulnerability, use NodeZero to run a quick verification test to ensure the vulnerability is no longer present.