Horizon3.ai

N-Day Testing with NodeZero

Time is the Enemy When N-Day Threats Emerge

When a significant N-day vulnerability is disclosed, time is of the essence and you must quickly verify that your organization is not exploitable. When vulnerabilities become public, attackers weaponize them within days and even hours.

In 2022, half of all widely exploited N-days were exploited within seven days of public disclosure and the median time to exploitation was just one day.

Your ability to swiftly identify and remediate the emerging N-day threats that can have the greatest impact on your organization is key to your cyber resilience. In fact, N-day vulnerabilities are among the top 10 impacts revealed by NodeZero pentests. Find and fix N-day vulnerabilities with NodeZero, and verify that your fixes are effective before attackers begin exploiting the N-days en masse.

Get a Head Start on N-Days

Begin finding, fixing, and verifying N-day vulnerabilities in your environment before widespread exploitation with NodeZero. And if it’s a zero day that the Horizon3.ai team discovers, you will be notified PRIOR to public disclosure if your environment is impacted.


You’ll receive alerts in the NodeZero portal when new N-day tests are available.

NodeZero N-Day Testing Segmentation

Complete N-Day Testing in 24 Hours

You can shorten the critical timeframe for testing for N-day exposure even in large organizations by pre-configuring runners for each of your major network segments. Then when a widespread N-day emerges, you can run those preconfigured segments concurrently, so that your full environment is tested within 24 hours. The NodeZero platform scales to support the largest networks and can run 100+ N-day tests concurrently.

NodeZero Reveals the True Impact of the Veeam N-day

The Veeam N-day is an example of the additional value that NodeZero provides when you are evaluating the urgency of your organization’s response to an N-day.

In March 2023, Veeam disclosed a vulnerability (CVE-2023-27532) affecting Veeam Backup and Replication software that enables attackers to dump highly privileged credentials in clear text. The Horizon3.ai Attack Team determined that this was a critical issue and took action.

The National Vulnerability Database (NVD) rates this CVE as a 7.5 (High). In many organizations, however, a vulnerability with a High rating would not be prioritized for patching relative to other Critical vulnerabilities. The reality, as proven here by NodeZero, is that exploiting this vulnerability can lead to full compromise, raising its priority level to a 10 (Critical) on the NodeZero scoring system.


NodeZero has been able to successfully exploit the Veeam CVE in many environments. In this example, NodeZero leveraged the Veeam vulnerability to fully compromise a client’s on-prem environment and AWS infrastructure.

The team reverse-engineered the vulnerability and released a blog post and the proof-of-concept on GitHub for public access in March 2023. NodeZero engineers added a targeted N-Day test for the Veeam CVE to NodeZero months before it was reported to be exploited in the wild.

The Veeam CVE was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog on Aug. 22, 2023.

In the attack path to domain compromise shown above, the Veeam CVE provided NodeZero initial access, and the subsequent weaknesses enabled NodeZero to take over the domain.

NodeZero helps you get ahead of N-day exploitation in these key ways:

Early identification of N-days and zero days:

The Horizon3.ai Attack Team proactively researches potential zero days and N-days and identifies which vulnerabilities are likely to be exploited in the wild, even if they haven’t made the Cybersecurity and Infrastructure Security Agency (CISA) list.

N-day testing is part of standard operating procedure:

NodeZero pentests identify emerging N-days within your environment as part of the autonomous internal and external pentesting process.

Prioritizes N-days by impact:

When they identify vulnerabilities that are likely to be exploited, the Horizon3.ai Attack Team reverse-engineers them and creates a proof of concept exploit to understand the impact of the vulnerability. This understanding is embedded into NodeZero and is paired with contextual understanding of your environment to help you prioritize your remediations and understand when you should patch outside of your regular cycle for a particular threat. 

What are zero days?

A vulnerability or security flaw in software or systems that is unknown to the vendor or developer.

It is called “zero day” because the vendor has had zero days to fix or patch the unknown vulnerability. Zero day vulnerabilities are valuable to attackers because they can be used to launch targeted attacks without detection.

What are N-days?

An N-day is a software or hardware vulnerability that is already publicly known (n days since disclosure), but there may or may not be a security update available to remediate the vulnerability.

The goal of vendors, distributors, and administrators is to have systems patched as quickly as possible to avoid N-day attacks.


Run targeted N-day Tests to verify whether your organization has been impacted.

N-day exploits are continually added to NodeZero

NodeZero proactively tests and updates NodeZero users about N-days and zero days based on their system architecture and cyber terrain maps. 

The Horizon3.ai team continually researches the types of vulnerabilities that are likely to be exploited by threat actors. When Horizon3.ai researchers find a vulnerability themselves, a zero day, they alert affected NodeZero users, disclose it to the vendor, develop a proof of concept to test its impact, and release the exploit module as an update to NodeZero. See Disclosures for the list of zero days found to date. The process for N-days is very similar.

Our goals are to help you discover where your organization is vulnerable to these new threats and also determine what the outcome would be if a system was exploited due to the N-day in question.

Horizon3.ai N-Day Process

The Horizon3.ai Attack Team continually researches the global threat environment to identify new N-days that have been exploited in the wild or are likely to be exploited in the wild.

The Horizon3.ai team determines if any NodeZero users are affected by the N-day, and if they are, they are alerted.

The Horizon3.ai Attack Team develops a new attack module for the N-day, using a production-safe variant of a proof of concept if one exists or developing one from scratch if it does not. The new module is added to the NodeZero platform, and runs automatically as part of NodeZero’s internal and external pentests. For very significant N-days, NodeZero also breaks out specific targeted N-day tests.

You use NodeZero to assess which assets in your organization are impacted. For maximum efficiency and scale, you can set up pre-configured tests ahead of time in all your network segments.

If your organization is impacted, you receive detailed remediation guidance. If a patch isn’t yet available, NodeZero will offer guidance about mitigating controls, such as quarantining the server, changing your firewall rules, or increased monitoring.

Once you’ve remediated the vulnerability, use NodeZero to run a quick verification test to ensure the vulnerability is no longer present.

Be ready to understand the impact of the next N-day threat on your organization.

RESEARCH: The Long Tail of Log4Shell Exploitation

Log4Shell is far from dead.

RESEARCH: MOVEit Transfer CVE-2023-34362

Deep Dive and Indicators of Compromise

RESEARCH: PaperCut CVE-2023-27350

Deep Dive and Indicators of Compromise

RESEARCH: Veeam Backup and Replication

CVE-2023-27532 Deep Dive