Tips for Defusing the Threat


The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai’s threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don’t have much time to implement a patch and “defuse” the threat before it’s too late. But first you need to know that an exploit is underway. That requires a proactive, multilayered approach to online security based on zero trust.

What do these layers look like? Consider the following practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

Monitor Vulnerability Repositories

Mass vulnerability scanning tools such as Nuclei's community-maintained template scanner or the Metasploit penetration testing framework are popular with security teams. They are also popular among bad actors looking for proof-of-concept exploit code that will help them probe for cracks in the armor. Monitoring these repositories for new templates or modules that may be designed to identify potential exploit targets is an important step toward maintaining awareness of emerging threats and staying a step ahead of the black hats.

Make the Most of Your WAF

Some may point to Web application firewalls (WAFs) as ineffective against zero-day attacks, but they can still play a role in mitigating the threat. In addition to filtering traffic for known attacks, when a new vulnerability is identified, a WAF can be used to quickly implement a “virtual patch,” creating a custom rule to prevent a zero-day exploit and give you some…
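As an added illustration (not code from the article or from any WAF vendor), here is a small Python model of such a virtual patch run over constructed access-log lines: it URL-decodes each request path repeatedly and flags OGNL expression delimiters (`${` and `%{`), which is an assumed signature chosen for this example rather than a rule taken from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original article).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 512
10.0.0.7 - - [03/Jun/2022:10:01:09 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:01:15 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9001
10.0.0.9 - - [03/Jun/2022:10:01:20 +0000] "POST /rest/api/content HTTP/1.1" 201 210
10.0.0.11 - - [03/Jun/2022:10:01:31 +0000] "GET /%2524%257Bexample%257D/ HTTP/1.1" 302 0
"""

# Assumed signature for this example: OGNL expression openers "${" and "%{".
OGNL_DELIMITERS = re.compile(r"[$%]\{")
# Combined-log-format request line: client IP, method, path, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded delimiters are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_ognl(path: str) -> bool:
    """True when the decoded path contains an OGNL expression opener."""
    return bool(OGNL_DELIMITERS.search(fully_decode(path)))


def virtual_patch(log_text: str):
    """Split parsed requests into (blocked, allowed) lists of (ip, path)."""
    blocked, allowed = [], []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed access-log entries
        entry = (m["ip"], m["path"])
        (blocked if looks_like_ognl(m["path"]) else allowed).append(entry)
    return blocked, allowed


if __name__ == "__main__":
    blocked, allowed = virtual_patch(SAMPLE_LOG)
    print(f"blocked {len(blocked)} / allowed {len(allowed)}")
    for ip, path in blocked:
        print("BLOCK", ip, path)
```

The repeated decoding is the part worth copying into a real rule: a single decode pass misses the double-encoded fifth line, which is exactly the kind of gap a hastily written virtual patch tends to leave.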
