A zero-day vulnerability is a weakness in a computer system that can be exploited by an attacker, and which is undetected by affected parties. A zero-day attack is an attempt by a threat actor to penetrate, damage, or otherwise compromise a system that is affected by an unknown vulnerability. By nature of the attack, the victim will not have defenses in place, making it highly likely to succeed.
How can organizations prevent zero-day attacks? While complete prevention is impossible, there are several defensive measures which can protect you against zero-day threats. We cover four such measures in this article: zero-day protection integrated with Microsoft Windows 10, Next-Generation Antivirus (NGAV), patch management, and putting in place an incident response plan.
Software vendors continuously check for new vulnerabilities in their products and, upon discovery, issue a patch to protect their users. White hat researchers are also constantly on the lookout for new vulnerabilities, and when they find one, they report it to the vendor so that a patch can be issued.
A zero-day (or 0-day) vulnerability is a software vulnerability that is discovered by attackers before the vendor has become aware of it. By definition, no patch exists for a zero-day vulnerability, and user systems have no defenses in place, making attacks highly likely to succeed.
A zero-day exploit is a method or technique threat actors can use to attack systems that have the unknown vulnerability. One method is zero-day malware – a malicious program created by attackers to target a zero-day vulnerability.
A zero-day attack is the actual use of a zero-day exploit to penetrate, cause damage to, or steal data from a system affected by the vulnerability.
Security researchers Bilge and Dumitras identify seven points in time which define the span of a zero day attack:
The window of exposure in which systems may be vulnerable to attack is the entire period of time between #1 and #7. A zero-day attack can occur between #2 and #4 – this is the most dangerous period in which attackers know about the vulnerability while others do not.
Even after the zero day, follow-on attacks can and will happen. Once the vulnerability is disclosed, there is a race between attackers, vendors and users – if attackers make it to the affected system before antivirus has been updated or a patch has been deployed, they have a high likelihood of success.
A zero-day attack can exploit vulnerabilities in a variety of systems:
By nature, zero day attacks are difficult to defend against. But there are many ways to prepare and reduce the effective threat to your organization. Here are four best practices that will help reduce or remove the threat posed by many, if not all, zero day attacks.
As of Windows 10, Microsoft introduced Windows Defender Exploit Guard, which has several capabilities that can effectively protect against zero-day attacks:
Traditional antivirus solutions, which detect malware using file signatures, are not effective against zero day threats. They can still be useful, because when the vulnerability is publicly announced, the antivirus vendor will quickly update their malware database, and antivirus will then be effective against the threat.
Nevertheless, organizations need the ability to block zero-day malware that is as yet unknown. Next-Generation Antivirus (NGAV) solutions combine threat intelligence, behavioral analytics (which establish a behavioral baseline for a system and flag suspicious, anomalous deviations from it), and machine-learning-based code analysis to identify that a system is infected with an unknown strain of malware. Upon detecting such malware, NGAV can block the malicious processes and stop the attack from spreading to other endpoints.
Today’s NGAV technology cannot detect all zero-day malware, but it can significantly reduce the chance that attackers can penetrate an endpoint with unknown malware.
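To make the behavioral-baseline idea concrete, here is an added toy detector (illustrative code, not Cynet's or any NGAV vendor's): it learns which parent-to-child process launches each host normally produces during a baseline period, then flags live process starts that fall outside that baseline. The host names, process names and event lines are all constructed sample data.

```python
"""Toy behavioral-baseline detector over constructed process-start events."""
from collections import defaultdict

# Constructed baseline: "host,parent,child" lines recorded during normal operation.
BASELINE_EVENTS = """\
ws01,explorer.exe,outlook.exe
ws01,explorer.exe,winword.exe
ws01,services.exe,svchost.exe
ws01,winword.exe,splwow64.exe
ws02,explorer.exe,chrome.exe
ws02,services.exe,svchost.exe
"""

# Constructed live events to evaluate against the baseline.
LIVE_EVENTS = """\
ws01,explorer.exe,outlook.exe
ws01,winword.exe,powershell.exe
ws02,chrome.exe,cmd.exe
ws02,services.exe,svchost.exe
"""


def parse_events(text):
    """Yield (host, parent, child) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not all(parts):
            continue
        yield tuple(p.lower() for p in parts)


def build_baseline(text):
    """Map each host to the set of parent->child pairs seen while baselining."""
    baseline = defaultdict(set)
    for host, parent, child in parse_events(text):
        baseline[host].add((parent, child))
    return baseline


def find_anomalies(baseline, text):
    """Return live events whose parent->child pair is new for that host.

    A host with no baseline at all has every event flagged, which is the
    conservative choice until it has been profiled.
    """
    return [
        (host, parent, child)
        for host, parent, child in parse_events(text)
        if (parent, child) not in baseline.get(host, set())
    ]


if __name__ == "__main__":
    for event in find_anomalies(build_baseline(BASELINE_EVENTS), LIVE_EVENTS):
        print("anomalous process start:", event)
```

A real NGAV baseline covers far more than process lineage (network, file and registry activity, loaded modules), but the structure is the same: profile normal behavior first, then alert on deviations rather than on known signatures.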
To see an example of a holistic security platform, which provides NGAV integrated with other security capabilities, read about Cynet’s NGAV feature.
Any organization should have a patch management policy and process, clearly communicated to all employees and coordinated with development, IT operations and security teams.
In larger organizations, it is important to use automation to manage patches. You can use patch management solutions to automatically source patches from software vendors, identify systems that require updates, test the changes introduced by the patch, and automatically deploy the patch to production. This avoids delays in patch deployment, and prevents the inevitable legacy system that is forgotten or left behind when systems are updated.
Patch management cannot prevent zero-day attacks, but it can significantly reduce the exposure window. In case of a severe vulnerability, software vendors might issue a patch within hours or days. Automated patch management can help you deploy it quickly, before attackers can identify the vulnerability in your systems and exploit it.
Organizations of all sizes will benefit from having an incident response plan that provides an organized process for identifying and dealing with a cyberattack. Having a specific plan focused on zero-day attacks will give you a huge advantage in case of an attack, reduce confusion, and increase your chances of avoiding or reducing damage.
When drafting your plan, follow the SANS Institute’s six stages of incident response. The plan should specify:
The Cynet 360 Advanced Threat Detection and Response platform gives protection against threats such as zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans, which may evade traditional signature-based security processes.
Cynet monitors endpoint memory to find behavioral patterns typical of exploitation, including unusual process handle requests. These patterns are features of the vast majority of exploits, whether known or new. By identifying such patterns, Cynet is able to provide effective protection against zero-day exploits and more.
Cynet uses multi-layered malware protection that includes process behavior monitoring, ML-based static analysis, and sandboxing. Cynet also provides fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any damage.
Cynet uses an adversary-centric methodology to accurately identify threats throughout the attack chain. Cynet thinks like an adversary, detecting indicators and behaviors across users, endpoints, files, and networks. They supply a holistic account of the workings of an attack, irrespective of where the attack may attempt to penetrate.
Cynet uses a powerful correlation engine, and produces its attack findings free from excessive noise and with near-zero false positives. This simplifies the response for security teams so they can attend to key incidents.
You can carry out manual or automatic remediation, so your security teams have a highly effective yet straightforward way to detect, disrupt, and respond to advanced threats before they do harm.