Security Operations (SecOps) continues to evolve in significant ways. This year marks the seventh anniversary of the “Stuxnet” virus, which provides a good opportunity to reflect on how it fundamentally changed the state of information security operations.
While Stuxnet’s impact received little attention outside of security circles, its ripple effects still impact security operations in several critical ways.
The level of sophistication and complexity used by Stuxnet was unprecedented and stunned the Symantec security team that worked on analyzing the virus. Liam O’Murchu, Director of the Security Technology & Response group at Symantec, had this to say:
“A threat using one zero-day vulnerability by itself is quite an event, however a threat using four zero-day vulnerabilities is extraordinary and is unique to this threat. This is the first time we have ever encountered a threat using so many unknown and unpatched vulnerabilities…which shows the extraordinary sophistication, thought, and planning that went into making Stuxnet.”[1]
But Stuxnet’s level of sophistication was only a glimpse into its far-reaching implications.
From Cyber Threats to Physical Threats
To begin with, the Stuxnet virus marked the first obvious use of cyberwarfare by a nation-state to cause physical destruction, specifically of centrifuges being used as part of Iran’s nuclear enrichment program. Prior to the discovery of Stuxnet in 2010, cyberattacks were just beginning to evolve from glory-seeking “joy-riding hackers and cybercriminals” to also include high-stakes espionage with the goal of stealing sensitive data over time while remaining undetected. Stuxnet, however, “wasn’t an evolution in malware but a revolution.”[2] Stuxnet opened an entirely new front for security operations to defend from attack: physical devices linked to industrial control systems.
A Stockpiling of Exploits
Stuxnet also illustrates the threat from a cyber arms race and the stockpiling of zero-day exploits rather than the disclosure and patching of the underlying vulnerabilities. Once a zero-day vulnerability is exploited, it runs the risk of discovery, as happened with Stuxnet. Nation-state cyberwarfare has created a gray market where governments and government contractors work to create and purchase zero-days to stockpile for future use. While non-government cyberattacks may make use of a zero-day vulnerability, it is rare. However, governments will pay as much as $1 million for an exclusive zero-day exploit.[3] The net effect of this is that rather than the vulnerability coming to light and being addressed by the software publisher, it may remain hidden for years. The current average lifespan of a zero-day vulnerability is 6.9 years according to a March 2017 RAND Corporation study.[4] This statistic becomes even more sobering when compared to a July 2007 statistic indicating that the average zero-day lifespan was 348 days, which amounts to more than a seven-fold increase over the last ten years.[5]
Today, Breaches Are a Matter of When, Not If
All this plays into the ongoing and ever-increasing difficulties faced by SecOps teams around the globe. This is why ServiceNow, along with partners like Aptris, is investing heavily in new solutions and processes to help enterprises prepare for and effectively respond to security breaches when (not if) they occur.
Recently, we conducted a webinar on ways within ServiceNow you can deliver a more efficient and immediate response to a breach. You can view that webinar on-demand here. If you have questions or are considering getting in-depth guidance for a more robust SecOps solution, don’t hesitate to reach out to us!
Contributor: Brian Huber, Vice President – Professional Services
[1] Liam O’Murchu. “Stuxnet Using Three Additional Zero-Day Vulnerabilities”, Symantec, September 14, 2010.
[2] Kim Zetter. “Countdown to Zero Day”, Crown Publishers, 2014.
[3] Sebastian Anthony. “The First Rule of Zero-days Is No One Talks About Zero-days (So We’ll Explain)”, Ars Technica, October 20, 2015.
[4] Lillian Ablon and Timothy Bogart. “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits”, RAND Corporation, March 9, 2017.
[5] Sumner Lemon. “Average Zero-Day Bug has 348-Day Lifespan, Exec Says”, IDG News Service, July 9, 2007.