A zero-day vulnerability is a weakness in a computer system that can be exploited by an attacker, and which is undetected by affected parties. A zero-day attack is an attempt by a threat actor to penetrate, damage, or otherwise compromise a system that is affected by an unknown vulnerability. By nature of the attack, the victim will not have defenses in place, making it highly likely to succeed.
How can organizations prevent zero-day attacks? While complete threat protection is impossible, there are several defensive measures which can protect you against zero-day threats. We cover four such measures in this article: zero-day protection integrated with Microsoft Windows 2010, Next-Generation Antivirus (NGAV), patch management, and putting in place an incident response plan.
Software vendors continuously check for new vulnerabilities in their products and upon discovery, issue a patch to protect their users. White hat researchers are also constantly on the lookout for new vulnerabilities, and when they find one, report them to the vendor so they can issue a patch.
A zero-day (or 0-day) vulnerability is a software vulnerability that is discovered by attackers before the vendor has become aware of it. By definition, no patch exists for zero-day vulnerabilities and user systems have no defenses in place, making attacks highly likely to succeed.
A zero-day exploit is a method or technique threat actors can use to attack systems that have the unknown vulnerability. One method is zero-day malware – a malicious program created by attackers to target a zero-day vulnerability.
A zero-day attack is the actual use of a zero day exploit to penetrate, cause damage to or steal data from a system affected by a vulnerability.
The Zero-Day Exploit Timeline
Security researchers Bilge and Dumitras identify seven points in time which define the span of a zero day attack:
Vulnerability introduced – vulnerable code is released as part of a software application, or the software is deployed by users.
Exploit released in the wild – attackers have discovered the vulnerability and found a technique they can use to attack vulnerable systems.
Vulnerability discovered by vendor – the vendor becomes aware of the vulnerability, but a patch is still not available.
Vulnerability disclosed publicly – the vendor, or security researchers, announce the vulnerability, making both users and attackers widely aware of it.
Anti-virus signatures released – if attackers have created zero-day malware, anti-virus vendors can identify its signature relatively quickly and protect against it. Systems could still be exposed because there may be other ways of exploiting the vulnerability.
Patch released – the vendor eventually releases a fix for the vulnerability; this could take between a few hours to months, depending on the complexity of the fix and the vendor’s prioritization of the fix in their development process.
Patch deployment completed – even after a patch is released, users can take a long time to deploy it. Organizations may not have an organized patch management and deployment process, and home users might ignore software update notifications.
The window of exposure in which systems may be vulnerable to attack is the entire period of time between #1 and #7. A zero-day attack can occur between #2 and #4 – this is the most dangerous period in which attackers know about the vulnerability while others do not.
Even after the zero day, follow-on attacks can and will happen. Once the vulnerability is disclosed, there is a race between attackers, vendors and users – if attackers make it to the affected system before antivirus has been updated or a patch has been deployed, they have a high likelihood of success.
Systems Targeted by Zero Day Attacks
A zero-day attack can exploit vulnerabilities in a variety of systems:
Operating systems – possibly the most attractive target for zero day attacks, due to their ubiquity and the possibilities they offer attackers to gain control of user systems.
Web browsers – an unpatched vulnerability can allow attackers to perform drive-by downloads, execute scripts or even run executable files on user machines.
Office applications – malware embedded in documents or other files often exploit zero day vulnerabilities in the underlying application used to edit them.
Open source components – some open source projects are not actively maintained or do not have sound security practices. Software vendors may use these components without being aware of the vulnerabilities they contain.
Watering holes – software programs that are widely used by organizations or home users are under close scrutiny by attackers who search for unknown vulnerabilities.
Hardware – a vulnerability in a router, switch, network appliance, or a home device such as a gaming console, can allow attackers to compromise these devices, disrupting their activity or using them to build massive botnets.
Internet of Things (IoT) – connected devices, from home appliances and televisions to sensors, connected cars and factory machinery are all vulnerable to zero-day attacks. Many IoT devices do not have a mechanism for patching or updating their software.
4 Best Practices for Protection Against Zero-Day Attacks
By nature, zero day attacks are difficult to defend against. But there are many ways to prepare and reduce the effective threat to your organization. Here are four best practices that will help reduce or remove the threat posed by many, if not all, zero day attacks.
1. Use Windows Defender Exploit Guard
As of Windows 2010, Microsoft introduced the Windows Defender Exploit Guard, which has several capabilities that can effectively protect against zero day attacks:
Network protection – Exploit Guard blocks all outbound connections before they are used, preventing malware from connecting with a command-and-control server (C&C). Outbound network traffic is evaluated based on hostname and IP reputation, and any network connection to untrusted destinations is terminated.
Controlled folder access – monitors changes made by applications to files in protected folders. It can lock down critical folders and allow only authorized apps to access them. This can prevent encryption of files by ransomware.
2. Leverage Next-Generation Antivirus (NGAV)
Traditional antivirus solutions, which detect malware using file signatures, are not effective against zero day threats. They can still be useful, because when the vulnerability is publicly announced, the antivirus vendor will quickly update their malware database, and antivirus will then be effective against the threat.
Nevertheless, organizations need the ability to block zero-day malware which is as yet unknown. Next Generation Antivirus (NGAV) solutions leverage threat intelligence, behavioral analytics, which establishes a behavioral baseline for a system and identifies suspicious anomalous behavior, and machine learning code analysis, to identify that a system is infected with an unknown strand of malware. Upon detecting such malware, NGAV is capable of blocking malicious processes and blocking the attack from spreading to other endpoints.
Today’s NGAV technology cannot detect all zero-day malware, but it can significantly reduce the chance that attackers can penetrate an endpoint with unknown malware.
To see an example of a holistic security platform, which provides NGAV integrated with other security capabilities, read about Cynet’s NGAV feature.
3. Implement Patch Management
Any organization should have a patch management policy and process, clearly communicated to all employees and coordinated with development, IT operations and security teams.
In larger organizations, it is important to use automation to manage and patches. You can use patch management solutions to automatically source patches from software vendors, identify systems that require updates, test the changes introduced by the patch, and automatically deploy the patch to production. This avoids delays in deployment or patches, and prevents the inevitable legacy system that is forgotten or left behind when systems are updated.
Patch management cannot prevent zero-day attacks, but it can significantly reduce the exposure window. In case of a severe vulnerability, software vendors might issue a patch within hours or days. Automated patch management can help you deploy it quickly, before attackers can identify the vulnerability in your systems and exploit it.
4. Have an Incident Response Plan Ready
Organizations of all sizes will benefit from having an incident response plan, that provides an organized process for identifying and dealing with a cyberattack. Having a specific plan focused on zero-day attacks will give you a huge advantage in case of an attack, reduce confusion and increase your chances of avoiding or reducing damage.
When drafting your plan, follow the SANS Institute’s six stages of incident response. The plan should specify:
Preparation – perform a risk assessment and identify which are the most sensitive assets the security team should focus on. Prepare documentation that states the roles, responsibilities and processes.
Identification – define how to detect a potential zero-day attack (using tools and/or operational processes), validate it is really an attack, and which additional data needs to be collected to deal with the threat.
Containment – once a security incident is identified, what are the immediate steps that can be taken to contain the incident and prevent further damage from occurring, and what longer-term steps can be taken to clean and restore affected systems.
Eradication – how to identify the root cause of the attack and ensure steps are taken to prevent similar attacks.
Recovery – how to bring production systems back online, test them, and how long to monitor systems to ensure they are back to normal.
Lessons Learned – perform a retrospective no later than two weeks from the end of the incident, to review tooling and organizational processes, and see how to be better prepared for the next attack.
Zero-Day Attack Protection with Cynet
The Cynet 360 Advanced Threat Detection and Response platform gives protection against threats such as zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans, which may evade traditional signature-based security processes.
Block exploit-like behavior
Cynet monitors endpoints memory to find behavioral patterns that are typically exploited, including unusual process handle request. These patterns are features of the vast majority of exploits, whether known or new. Cynet is able to provide effective protection against zero-day exploits and more, by identifying such patterns.
Block exploit-derived malware
Cynet uses multi-layered malware protection that includes process behavior monitoring, ML-based static analysis, and sandboxing. Cynet also provides fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any damage.
Uncover hidden threats
Cynet uses an adversary-centric methodology to accurately identify threats throughout the attack chain. Cynet thinks like an adversary, detecting indicators and behaviors across users, endpoints, files, and networks. They supply a holistic account of the workings of an attack, irrespective of where the attack may attempt to penetrate.
Accurate and precise
Cynet uses a powerful correlation engine, and produces its attack findings free from excessive noise and with near-zero false positives. This simplifies the response for security teams so they can attend to key incidents.
You can carry out manual, or automatic remediation, so your security teams have a highly effective yet straight-forward way to disrupt, detect, and respond to advanced threats before they do harm.