In computing, the term zero day refers to the unknown. If a vulnerability, exploit, or threat of any kind is not known to security researchers, it can be classified as a “zero day attack”.
Threat actors actively look for existing zero day vulnerabilities they can exploit, or try to create such vulnerabilities themselves. The goal? Launch malware or network attacks while victims are unaware and unprepared to protect themselves.
Zero day malware exploits unknown vulnerabilities. Traditional antivirus solutions rely on known indicators, such as signatures, to detect malware. To protect against the unknown, organizations can use next-generation antivirus (NGAV) solutions, which apply machine learning to detect zero day malware.
In IT security, the term zero day is used to describe vulnerabilities or threats that are not yet discovered or patched by the vendor or user. This term is used to define vulnerabilities after the fact; usually after a successful or attempted attack is discovered.
Zero day can also be applied to malware, although it may not be used consistently. Some references to zero day malware define it as malware that is used to exploit zero day vulnerabilities. Other references define zero day malware as malware that is not yet known by the security community or security solutions. This means there are no signatures or hashes that can be used to identify malware.
Based on how the term zero day is used to define vulnerabilities, it is more consistent to use this term to refer to unknown malware. This is because many zero day vulnerabilities can be exploited by well established malware that is repurposed. In these cases, the malware was not created specifically to exploit the unknown vulnerability. This definition of zero day malware (i.e. unknown malware) is the one used in the rest of this article.
Traditional antivirus (AV) solutions use signature-based methods to detect malware and attacks. Signatures are strings of characters found in metadata, file names, or inside of files that identify an item as malware or related to malware. This method requires knowing that malware exists, having a sample of malware to pull signatures from, and for solutions to have a list of signatures against which new files are compared.
Using these methods, legacy AV solutions can detect around 57% of attacks and malware. However, as attackers develop new methods for exploiting vulnerabilities this number is decreasing. New types of malware, such as fileless malware, operate outside of traditional file-based methods, instead relying on scripts, macros, and system processes. Since there is no specific file associated with the malware, no signature can be created.
Because legacy AV solutions rely on signature-based detection, organizations are restricted to only being able to respond reactively. Organizations are also limited to whatever signatures or definitions their solution can ingest. This is fine for traditional malware but is inadequate for modern variations.
In contrast to legacy AV, next-generation antivirus (NGAV) technology combines machine learning and behavior detection technologies with signature-based methods. These technologies enable NGAV to identify zero day malware and other unknown threats based on suspicious patterns of events. Additionally, because NGAV incorporates machine learning, it is not restricted to reactive protections and can instead investigate activity as it occurs.
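The contrast between signature matching and feature-based detection is easier to see in code. The following is an added example, not code from the article or from any vendor it mentions: a toy signature scanner (hash and byte-pattern signatures built from one known sample) beside a simple heuristic scorer. The sample bytes, the feature weights and the threshold are all constructed for illustration; a trivially altered variant slips past the signatures but still scores as suspicious.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample standing in for a known malware file: an executable-style
# header, a distinctive marker string, a high-entropy region and a reference
# to a script interpreter. None of this is a real sample.
KNOWN_SAMPLE = (
    b"MZ\x90\x00"
    + b"evil-config-marker-v1"
    + bytes(range(256))
    + b"powershell -enc"
)
# A "variant": same content with the marker string changed and one byte appended.
VARIANT = KNOWN_SAMPLE.replace(b"marker-v1", b"marker-v2") + b"\x01"
# A benign plain-text file, for the false-positive side.
BENIGN = b"Hello, world. This is a plain text document with nothing unusual."

# Signature database derived from the known sample, as a legacy AV would build it.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Constructed.Sample.A"}
BYTE_SIGNATURES = {b"evil-config-marker-v1": "Constructed.Sample.A"}


def signature_scan(data: bytes):
    """Return the matching signature name, or None if nothing matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); packed or encrypted content runs high."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Assumed feature weights and threshold (constructed, not from any product).
INTERPRETER_RE = re.compile(rb"(powershell|cmd\.exe|wscript|cscript|mshta)", re.IGNORECASE)
FEATURES = [
    ("executable header", lambda d: d.startswith(b"MZ"), 1),
    ("high entropy (> 7.0 bits/byte)", lambda d: shannon_entropy(d) > 7.0, 2),
    ("references a script interpreter", lambda d: INTERPRETER_RE.search(d) is not None, 2),
]
SUSPICION_THRESHOLD = 3


def heuristic_score(data: bytes) -> int:
    """Sum the weights of the features present; needs no prior sample of this file."""
    return sum(weight for _, check, weight in FEATURES if check(data))


def is_suspicious(data: bytes) -> bool:
    return heuristic_score(data) >= SUSPICION_THRESHOLD


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:8} signature={signature_scan(blob)!s:22} "
              f"score={heuristic_score(blob)} suspicious={is_suspicious(blob)}")
```

The point of the example is the `VARIANT` row: the hash changed with one appended byte and the byte signature no longer matches, so the signature scanner returns nothing, while the feature scorer is unaffected because it keys on properties of the file rather than on its exact contents. Real NGAV products learn those features and weights from large labelled corpora instead of hard-coding three of them, and they combine the static score with the behavioral monitoring discussed below.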
The unknown nature of zero day malware makes it unpredictable and challenging to both detect and defend against. To detect this type of threat, you need to implement proactive, in-depth security strategies. Below are a few practices and tools you can use to ensure that your systems are defended against zero day attacks.
Ensuring that your infrastructure, devices, and applications are up to date is essential to minimizing your risk. Even though zero day threats are by definition not yet patched, older patches may prevent these threats from being exploited. This is also true for zero day malware. Even if malware is unknown, protections against similar, known malware may prevent it from being used successfully.
Endpoint protection platforms (EPPs) are designed to layer protections over your endpoints. These platforms often incorporate a range of security tools, including NGAV, web application firewalls (WAFs), and endpoint detection and response (EDR).
The purpose of endpoint security is to help you centralize your security measures, enabling you to more effectively detect and investigate suspicious events such as unexpected processes, transfers of data, or downloads. It enables you to implement both traditional and modern methods of protection, layering reactive and proactive measures for greater security.
EDR solutions are proactive monitoring and response solutions that you can use to protect your perimeter and endpoint devices. These solutions specialize in providing visibility into endpoint activity and can enable you to automate responses to suspicious events before an attack occurs.
These solutions use machine learning and behavioral analysis methods to compare traffic and events to known acceptable and unacceptable behavior. This enables them to detect potential threats in real time, including potential zero day malware. These threats can then be stopped at your perimeter, preventing malware from spreading beyond the affected device.
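Behavioral detection of the kind EDR performs works on process and network telemetry rather than on file contents, which is what lets it catch the fileless malware mentioned earlier. As an added example (not code from the article or from any vendor it mentions), the following correlates a constructed stream of endpoint events and raises an alert when a document-handling application spawns a script host that then opens a network connection shortly afterwards. The event schema, process names, timestamps, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) and the 60-second window are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Dict


@dataclass(frozen=True)
class Event:
    """One telemetry record as an EDR sensor might emit it (constructed schema)."""
    ts: float        # seconds since start of the trace
    kind: str        # "process_start" or "net_connect"
    pid: int
    ppid: int
    image: str       # executable name
    detail: str = "" # document name or remote address


# Assumed role lists; a real product would carry far larger, tuned sets.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed telemetry: a document viewer spawns a script host which beacons out
# (pids 200/300), followed by an administrator running the same interpreter
# directly from the desktop shell (pid 400), which should not alert.
EVENTS = [
    Event(0.0, "process_start", 100, 1, "explorer.exe"),
    Event(1.0, "process_start", 200, 100, "winword.exe", "quarterly-report.docm"),
    Event(2.5, "process_start", 300, 200, "powershell.exe"),
    Event(3.0, "net_connect", 300, 200, "powershell.exe", "203.0.113.5:443"),
    Event(10.0, "process_start", 400, 100, "powershell.exe"),
    Event(11.0, "net_connect", 400, 100, "powershell.exe", "198.51.100.7:443"),
]


def detect_document_spawned_beacon(events: List[Event], window_s: float = 60.0) -> List[Dict]:
    """Alert when a script host whose parent is a document app connects out
    within window_s of starting. Returns one dict per alert, in time order."""
    procs: Dict[int, Event] = {}  # pid -> its process_start event
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_start":
            procs[ev.pid] = ev
            continue
        if ev.kind != "net_connect":
            continue
        child = procs.get(ev.pid)
        if child is None or child.image.lower() not in SCRIPT_HOSTS:
            continue
        parent = procs.get(child.ppid)
        if parent is None or parent.image.lower() not in DOCUMENT_APPS:
            continue
        if ev.ts - child.ts > window_s:
            continue
        alerts.append({
            "rule": "document-app spawned script host with outbound connection",
            "pid": ev.pid,
            "chain": f"{parent.image} ({parent.detail}) -> {child.image} -> {ev.detail}",
            "ts": ev.ts,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_document_spawned_beacon(EVENTS):
        print(alert)
```

No hash or signature of anything is consulted: the decision rests entirely on the parent-child relationship and the timing of the connection, so a never-before-seen script or macro produces the same alert as a known one. The benign administrator session on pid 400 passes because its parent is the desktop shell, which is the kind of context a pure signature scanner cannot take into account.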
Consider segmenting your networks
Segmenting your network involves applying access controls to isolate your various services and components. It enables you to layer security measures and can significantly reduce the amount of damage a successful attack can cause.
Segmentation can be useful in mitigating the damage caused by zero day attacks since it prevents malware’s spread. When components are segregated, authorization and authentication measures prevent attackers from being able to easily move laterally through networks.
Additionally, segmentation enables easy sandboxing (strict isolation) of suspicious activity or files. This enables teams to investigate potential zero day malware without affecting the rest of the system.
Enforce the principle of least privilege
Regardless of the threats you are trying to protect against, enforcing the principle of least privilege is best practice. This principle requires that you only give users, devices, and applications the most basic permissions they need to operate. By restricting permissions, you limit the actions that can occur and prevent abuse of access.
In cases of zero day malware, minimal privileges are particularly important since this type of malware often exploits root or administrative privileges. By ensuring that only minimum privileges are provided, you can limit the ability of zero day malware regardless of whether it’s detected.
Learn more in our article about privilege escalation, which explains how threat actors exploit privileges to launch network attacks.
The Cynet 360 Advanced Threat Detection and Response platform provides protection against threats including zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans that can evade traditional signature-based security measures.
Block exploit-like behavior
Cynet monitors endpoint memory to discover behavioral patterns typical of exploits, such as an unusual process handle request. These patterns are common to the vast majority of exploits, whether known or new, and provide effective protection even against zero-day exploits.
Block exploit-derived malware
Cynet employs multi-layered malware protection that includes ML-based static analysis, sandboxing, and process behavior monitoring, supplemented by fuzzy hashing and threat intelligence. This ensures that even if a successful zero day exploit establishes a connection with the attacker and downloads additional malware, Cynet will prevent this malware from running so no harm can be done.
Uncover hidden threats
Cynet uses an adversary-centric methodology to accurately detect threats throughout the attack chain. Cynet thinks like an adversary, detecting behaviors and indicators across endpoints, files, users, and networks. It provides a holistic account of the operation of an attack, irrespective of where the attack may try to penetrate.
Accurate and precise
Cynet uses a powerful correlation engine and reports its attack findings with near-zero false positives and without excessive noise. This simplifies the response for security teams so they can react to important incidents.
You can carry out automatic or manual remediation, so your security teams have a highly effective yet straightforward way to detect, disrupt, and respond to advanced threats before they have a chance to do damage. Learn more about Cynet’s Next-Generation Antivirus (NGAV) Solution.