As Zero Days Increase, SMBs Need More Help With Fast-Moving Risks
Now more than ever, small and midsize businesses (SMBs) need a fast and reliable way to stay informed about zero-day vulnerabilities.
The rapid increase in zero days in 2024 has magnified the importance of process and velocity when alerting SMBs to an emerging cyber threat. Traditionally, cybersecurity vendors are the ones sending these alerts. However, due to their deeply aligned interests and unique risk insights, cyber insurance providers are now tackling this head-on.
Managing cyber risk at scale is no small feat, especially with time-sensitive risks like zero days. It requires a critical eye for cybersecurity, process automation, and meticulous coordination. The manual processes that were once enough to notify businesses about dynamic cyber threats are no longer sufficient.
Let's go under the hood of Coalition’s Zero-Day Alerts. We’ll explore why they’re essential in today’s risk landscape, all of the work that goes into every alert, and what businesses can do to be prepared for an alert before it arrives.
Why zero days are a big deal
A zero-day vulnerability is a security flaw in software that has no patch available at the time of discovery. The term "zero day" refers to the vulnerability’s newness and the fact that developers have zero days to fix it. With no available patch, the vulnerability is highly susceptible to exploitation.
When a new zero day is published, it’s essentially a race between attackers looking to exploit the vulnerability and defenders trying to mitigate it. Zero days pose a significant risk to all businesses, but especially SMBs that may be less prepared or unsure of how to protect themselves.
Zero-day vulnerabilities are becoming increasingly common. In 2023, 97 zero days were published, an 80% increase from 2022, and the surge has continued into 2024 with 87 zero days thus far. These vulnerabilities can take many forms, affecting specific technologies, particular software versions, or unique configurations.
Compared to other cyber threats, zero days are less common than funds transfer fraud and business email compromise events. However, they have the potential to be much more prolific: The MOVEit zero day in June 2023 evolved into multiple vulnerabilities and resulted in more than 2,600 cyber attacks, 88% of which were experienced by U.S. businesses.
How Zero-Day Alerts work
Coalition has a tremendous amount of skin in the game when it comes to policyholders’ security posture. Critical vulnerabilities represent billions of dollars in potential losses, and new threats emerge every single week.
Every vulnerability is different, but our three-step response typically goes like this:
Identify new threats and investigate what’s happening
Assess policyholder exposure and prioritize among other risks
Notify policyholders and provide support to mitigate issues
Complicating matters further, the events surrounding a zero day are often fluid. Security researchers frequently update advisories to reflect their latest findings, and those updates must, in turn, be effectively communicated to at-risk businesses.
The urgency with which Coalition responds to zero days and other critical vulnerabilities is paramount, underscoring the importance of validating our findings and exercising strong judgment without sacrificing speed.
Step 1: Identifying and investigating new threats
Every critical vulnerability starts with a simple question: Can we see it? If the answer is yes, then threat actors can also see it.
Being able to “see” or identify a new vulnerability is essential because we can’t protect what we can’t see. Generally, we must be able to scan for the impacted technology or software and, ideally, confirm that it’s exploitable. Sometimes, that means scanning our policyholder base; other times, it’s scanning the entire internet.
“Every vulnerability has a slightly different starting point,” said Scott Walsh, Principal Security Researcher at Coalition. “If few details are available initially, we may need to go wide and perform a global scan to see what else we can discover on our own. But if enough information is available, we can take immediate action to protect policyholders.”
Keeping up with emerging risks is a largely human and manual process. Security researchers often need to develop a vast network of threat intelligence resources and build trust within these communities to stay in the know. Technology can help aggregate and distill this information, but it still takes the discerning, expert eye of a security researcher to assess what it means and decide when to act.
“When a new threat is identified, we may have built-up inventories for certain products or vendors that have a history of being compromised. That gives us a head start in our reconnaissance,” said Walsh. “If our honeypots show traffic trying to access a certain path, or we get enough signal that something is under attack, then we know it’s time to mobilize.”
Step 2: Assessing and prioritizing policyholder exposure
Once a threat has been thoroughly vetted, we take everything we know and cross-reference it with policyholders. This means determining how many businesses are at risk, as well as all of their impacted technologies and aggregate policy limits.
In some cases, a critical vulnerability might only impact a handful of policyholders and amount to a few thousand dollars in potential losses. In others, we’ve seen vulnerabilities instantaneously put thousands of businesses at risk with billions of dollars in losses at stake: this is when it’s most crucial to send policyholders a Zero-Day Alert.
“There are two main criteria for alerting businesses to a zero day. First, we must be able to scan for the impacted software. Second, we must have high confidence that the risk of exploitation is imminent,” said Joe Toomey, Head of Security Engineering at Coalition. “The decision to send an alert is backed by Coalition’s extensive claims history.”
This is what makes Zero-Day Alerts unique: We notify policyholders about the critical threats that present the greatest potential for financial loss. We won't send alerts for every zero day, but we will send them even after a patch is available.
Some vulnerabilities may also escalate over time. Once a vulnerability is added to CISA’s catalog of Known Exploited Vulnerabilities (KEV), it means a threat that was previously theoretical or less critical has been observed in the wild. At this point, it may no longer be a true zero day but still warrants notification.
“We don’t send nebulous alerts, and we don’t take outreach lightly,” added Toomey. “Alert fatigue is a very real thing, and SMBs aren’t always equipped to address dozens of issues every week. That’s why we reserve Zero-Day Alerts for the most critical risks.”
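The two alerting criteria and the KEV escalation described in this step can be expressed as a small triage routine. The code below is an added illustration, not Coalition's own tooling; the advisory, product names, versions, policy limits and the CVE-style id are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Advisory:
    cve: str                     # placeholder id in the sample data, not a real CVE
    product: str
    vulnerable_versions: frozenset
    scannable: bool              # criterion 1: the affected software can be fingerprinted by scan
    exploitation_imminent: bool  # criterion 2: high-confidence signal that attacks are coming

@dataclass
class Policyholder:
    name: str
    policy_limit: int            # dollars of coverage, used to aggregate exposure
    assets: dict                 # product -> version observed on the policyholder's assets

@dataclass
class Decision:
    alert: bool
    reason: str
    affected: list               # policyholders running a vulnerable version
    aggregate_limit: int         # sum of policy limits across affected policyholders

def assess(advisory, policyholders, kev_catalog):
    """Cross-reference an advisory with the policyholder base and apply the alert criteria."""
    affected = [p for p in policyholders
                if p.assets.get(advisory.product) in advisory.vulnerable_versions]
    aggregate_limit = sum(p.policy_limit for p in affected)
    # A KEV listing means exploitation has been observed in the wild, which satisfies
    # criterion 2 even when earlier signals were weak and even if a patch now exists.
    exploited = advisory.exploitation_imminent or advisory.cve in kev_catalog
    if not advisory.scannable:
        return Decision(False, "cannot scan for the affected software", affected, aggregate_limit)
    if not exploited:
        return Decision(False, "no high-confidence exploitation signal", affected, aggregate_limit)
    if not affected:
        return Decision(False, "no policyholder exposure found", affected, aggregate_limit)
    return Decision(True, "scannable, exploitation expected, exposure found", affected, aggregate_limit)

# Constructed sample data: a hypothetical file-transfer appliance advisory and three policyholders.
SAMPLE_ADVISORY = Advisory("CVE-0000-00000", "transfer-appliance", frozenset({"2.0", "2.1"}), True, False)
SAMPLE_POLICYHOLDERS = [
    Policyholder("acme", 1_000_000, {"transfer-appliance": "2.1"}),
    Policyholder("beta", 250_000, {"transfer-appliance": "2.2"}),
    Policyholder("gamma", 500_000, {"transfer-appliance": "2.0", "mail-gateway": "9"}),
]

if __name__ == "__main__":
    print(assess(SAMPLE_ADVISORY, SAMPLE_POLICYHOLDERS, kev_catalog=set()))
    print(assess(SAMPLE_ADVISORY, SAMPLE_POLICYHOLDERS, kev_catalog={"CVE-0000-00000"}))
```

Running the sample twice shows the escalation path: with no exploitation signal the advisory is held back despite real exposure, and the same advisory becomes an alert the moment its id appears in the KEV catalog.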
Step 3: Notifying policyholders and mitigating critical risks
With a firm understanding of both the vulnerability and its potential impact on policyholders, Coalition issues a clearly labeled Zero-Day Alert in Coalition Control®, notifying policyholders both within our risk management platform and by email.
Every alert provides a detailed explanation of the vulnerability, potential business impacts, and instructions on how to mitigate the issue.
“Zero-Day Alerts are for vulnerabilities that are either threatening a critical business system/application or a network/security administration device,” said Ryan Gregory, Security Support Center Lead at Coalition. “If we’re sending a Zero-Day Alert, the exposed technology is almost certainly vital to a policyholder’s operations.”
Inside Control, policyholders can indicate that the vulnerability has been addressed or that remediation is in progress. In some cases, they may also report that they were not impacted. Coalition then rescans the exposed assets to validate the remediation and marks the alert resolved.
Coalition actively follows up on Zero-Day Alerts until every one is resolved. Policyholders may receive multiple alerts for the same vulnerability, either because it has yet to be resolved or because new information has arisen that requires additional action.
Preparing for a Zero-Day Alert before it arrives
Every business makes cybersecurity decisions differently. SMBs may outsource security and IT support to third parties, while larger businesses are more likely to have those resources internally.
Policyholders can prepare for new threats by staying engaged with their unified cyber risk management and cybersecurity hub, Coalition Control.
Every business can invite its security or IT teams to Control to ensure that swift and direct action can be taken at a moment’s notice to resolve a new Zero-Day Alert, and there’s no limit to how many people you can sign up to receive alerts.
“One of the best things about Control is that it’s really a third-party risk management platform,” Gregory added. “I don’t know of any other platform that will tell you how dangerous a given cyber threat is in terms of liability.”
When time is of the essence, businesses can rely on Coalition Security to notify them about Zero-Day Alerts in Coalition Control in a matter of minutes, unlocking more time for remediation and reducing the likelihood of a cyber attack.
This article originally appeared in the November 2024 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.