Palo Alto CVE-2024-3400: Stop chasing your tails!
We have daily reminders of the creativity and patience of malicious actors. Palo Alto Networks' recent disclosure of a critical flaw (CVE-2024-3400, CVSS score 10.0) affecting the PAN-OS software used in its GlobalProtect gateways is just one more entry in a long and endless stream of vulnerability announcements.
So, why do we keep chasing our tails? Isn’t it time to look ourselves in the mirror and say, “What can I do differently?” Is there a better way to provide more durable protection (and confidence) even when another zero-day is found?
Of course there is. Maybe not perfect, but what is? Teams must adopt proactive techniques to manage persistent ransomware attacks, zero-day exploits, and insider threats. Adversarial emulation and detection engineering stand out as the obvious techniques in offensive cyber security, enabling organizations to anticipate and effectively counter these evolving threats.
Adversarial emulation allows organizations to simulate sophisticated cyber attacks, including those that exploit zero-day vulnerabilities like the recent CVE-2024-3400. By mimicking the behavior of real-world adversaries, regardless of how they gain initial access, organizations can evaluate and measure the effectiveness of their security controls. This proactive approach identifies exposures in the current security posture before they can be exploited maliciously.
Detection engineering not only complements this but is essential, because it focuses on building and tuning detections for malicious behavior. It involves creating and refining detection rules that identify suspicious activity based on the behaviors exhibited during emulation exercises. This discipline is critical because it translates the insights gained from adversarial emulation into actionable detection strategies, enhancing the security team's ability to spot and respond to attacks in real time.
Focusing on post-breach adversarial behavior is particularly valuable. In many cases the initial breach goes undetected, but the subsequent activities — such as lateral movement, data exfiltration, or ransomware deployment — offer another opportunity to thwart the attackers. By preparing to detect and respond to these post-compromise behaviors, organizations can significantly mitigate the impact of an attack, preserving their integrity and continuity. Additionally, they can react to new zero-days more pragmatically than by launching a fire drill.
This strategy is especially pertinent to zero-day exploits. While patching is crucial, it is inherently reactive: it can only happen after a vulnerability is known and a patch is available (and tested). Strong internal security controls that detect, isolate, and block malicious activity initiated via undisclosed vulnerabilities (or backdoors) reduce the dependency on swift patch deployment. For instance, even if a zero-day exploit such as CVE-2024-3400 is used against an organization, robust detection mechanisms can prevent the exploit from achieving its intended effect, thereby limiting its impact.
Moreover, focusing on adversarial emulation and detection engineering promotes a culture of continuous improvement within the security operations center (SOC) or managed security service provider (MSSP). It ensures that security teams are equipped to handle known threats and continuously evolve their capabilities to face new and unforeseen challenges.
Fitness and agility are core to all of us and to our organizations. Chasing our tails is not. Develop an offensive cyber security strategy, explore BAS+ tools (e.g., scythe.io), and learn new detection engineering techniques through online forums such as Zack Allen's (@techyteachme) Detection Engineering Weekly. Doing so lets organizations stay a step ahead of cybercriminals, transforming their security practices from reactive to proactive. This shift is essential to protect against persistent ransomware attacks, zero-day exploits, and insider threats, and to ensure that security infrastructures are resilient and robust.
Author Attribution:
Written by Marc Brown (@marc_r_brown), SCYTHE's VP Product & Sales, a dynamic leader with diverse executive roles, startup enthusiast, and lover of technology, innovation, and all things 'nerdy' cool.