Cybersecurity 101:
Zero Day Attacks
Learn what a zero-day exploit vs. a zero-day vulnerability is, how they are used in cyber attacks, and why your organization needs to be able to protect against zero-day attacks.
What are Zero-Day Vulnerabilities?
Zero-day vulnerabilities are security flaws or bugs in software, firmware, or hardware that the vendor does not know about, or knows about but has not yet released an official patch or update to address. Often neither the vendor nor its users are aware that the vulnerability exists until a researcher reports it or it is discovered in the course of an attack.
What are Zero-Day Attacks?
When bad actors develop and deploy an exploit (usually packaged in malware) against a zero-day vulnerability, the result is a zero-day attack. Successful exploitation gives the attackers unauthorized access to sensitive data and/or critical systems.
What is a Zero-Day Exploit?
A zero-day exploit is the code or technique that bad actors use to attack systems that have the vulnerability. Researchers also write exploits to demonstrate the impact of 'exploiting' a flaw, showing how it can be used to gain unauthorized access or compromise the underlying system.
Zero-day exploits get their name because the vendor has had zero days to fix the flaw: the vulnerability has been publicly known, and therefore patchable, for zero days. Malicious actors may develop an exploit and hold it back to use strategically. In that case the attacker knows about the vulnerability, but the vendor and the public do not, so it is still considered a zero-day exploit.
According to the Ponemon Institute, 80% of successful breaches were Zero-Day attacks.
The threat of a Zero-Day Exploit
Zero-day exploits are very difficult to defend against because details of the exploit (indicators, signatures, the vulnerable code path) are generally only available for analysis after the attack has run its course. The payload these attacks deliver can take the form of polymorphic worms, viruses, Trojans, and other malware.
Once a vulnerability is publicly disclosed and the vendor has released a patch (or researchers have published a mitigation), it becomes a known or "n-day" vulnerability rather than a zero-day. Exploits for n-day vulnerabilities remain dangerous, since they target the window between the patch being released and it actually being applied.
How are Zero-Day Exploits used in an attack?
There are multiple methods for delivering an exploit and launching an attack. Common examples include:
- Spear phishing with social engineering. Threat actors (frequently nation states) use this technique to get a specific, usually high-ranking, individual to open a specially crafted malicious email. These actors may spend time stalking and surveilling the target on social media before sending the email.
- Spam emails and phishing. Attackers send emails to a very large number of recipients across multiple organizations, expecting that a small percentage will open the message and click the embedded link. Clicking the link either downloads the malicious payload directly or takes the user to a site that serves the malware automatically. This technique is often used by organized cyber-criminal groups.
- Embedding exploit kits in malvertisements and malicious sites. Bad actors compromise a legitimate website (or buy ad placements) and inject malicious code that redirects visitors to an exploit kit server, which fingerprints the visitor's browser and plugins and serves a matching exploit.
- Compromising a system, network, or server directly. For example, brute-forcing credentials on an exposed service to gain a foothold, then using the exploit to escalate privileges or move laterally.
What are well-known examples of successful Zero-Day Attacks?
- Heartbleed (OpenSSL, CVE-2014-0160)
- Shellshock (Bash, CVE-2014-6271)
- Stuxnet (a worm that exploited multiple Windows vulnerabilities, several of them zero-days at the time)
- Aurora (Operation Aurora, an organized campaign that exploited an Internet Explorer zero-day along with other vulnerabilities)
- BlueKeep (CVE-2019-0708, a pre-authentication remote code execution flaw in Windows Remote Desktop Services)
What are the best practices for protection against Zero-Day Attacks?
- Practice a secure software development lifecycle so that the code you ship, and the software you build on, carries as few exploitable vulnerabilities as possible.
- Have a solid vulnerability management program and a patching program. For example, apply software updates as soon as possible, especially critical security releases.
- Cyber security awareness training focused on social engineering, recognizing phishing and spear-phishing campaigns, and avoiding malicious websites.
- Deploy layered security controls, including perimeter firewalls, IPS/IDS, and other data-center security controls, as well as endpoint security controls.
- Apply micro-segmentation and least privilege, especially around high-value systems, to make it more difficult and expensive for attackers to reach their targets.
- Threat intelligence, plus auditing and monitoring of user activity and connectivity, with anomaly detection on top.
- Have a thought-out disaster recovery and backup plan.
What is the role of real-time visibility and micro-segmentation in responding to a Zero-Day Attack?
Even if software is vulnerable, a bad actor may not be able to use an exploit successfully if the target has well-designed access controls in place.
- Real-time visibility enables security, IT ops, and networking teams to model and understand normal traffic and application behavior. It helps them detect new connectivity and unusual failed attempts to connect to a workload, both of which can be indicators of an attack in progress.
- Micro-segmentation is a preventative control. Its default-deny approach reduces the attack surface: only explicitly allowed connections succeed, which limits the paths an exploit can take and makes it more expensive for a bad actor to propagate inside the target's network.
- Micro-segmentation also works as a compensating control in the event of an attack. When a zero-day is publicly disclosed and no patch is available, or patching is not operationally feasible, an organization can use process-level segmentation to restrict traffic between workloads, and between workloads and users, to only the specific ports, protocols, and services that are required.
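The list above describes three mechanisms in prose: learning normal connectivity and flagging new or failed connections, enforcing a default-deny allowlist between workloads, and narrowing that allowlist as a stop-gap when a flaw cannot be patched yet. The following Python is an added example, not code from the original page or from any vendor's product, that models all three over constructed flow records. Workload names, labels, ports, and the flow records themselves are hypothetical.

```python
"""Added example (not from the original page): baseline-then-detect over
constructed flow records, plus a label-based default-deny segmentation
policy. Workload names, labels, ports and flows are all hypothetical."""
from collections import Counter

# Constructed flow records seen during a learning window. Fields:
# (src workload, dst workload, dst port, protocol, outcome).
BASELINE_FLOWS = [
    ("web-1", "app-1", 8080, "tcp", "allowed"),
    ("web-2", "app-1", 8080, "tcp", "allowed"),
    ("app-1", "db-1", 5432, "tcp", "allowed"),
    ("mon-1", "web-1", 22, "tcp", "allowed"),
    ("mon-1", "db-1", 5432, "tcp", "allowed"),
]

# Constructed flows observed later. They contain the two signals the text
# calls out: a brand-new edge (web tier talking straight to the database)
# and a run of failed connection attempts from one source to one target.
OBSERVED_FLOWS = [
    ("web-1", "app-1", 8080, "tcp", "allowed"),
    ("web-1", "db-1", 5432, "tcp", "allowed"),
    ("web-1", "app-2", 445, "tcp", "blocked"),
    ("web-1", "app-2", 3389, "tcp", "blocked"),
    ("web-1", "app-2", 22, "tcp", "blocked"),
    ("app-1", "db-1", 5432, "tcp", "allowed"),
]


def build_baseline(flows):
    """Set of (src, dst, port, proto) edges that were allowed while learning."""
    return {(s, d, p, pr) for s, d, p, pr, out in flows if out == "allowed"}


def detect_anomalies(baseline, flows, failure_threshold=3):
    """Flag allowed edges absent from the baseline, and src->dst pairs with
    failure_threshold or more blocked/failed attempts."""
    findings = []
    failures = Counter()
    for s, d, p, pr, out in flows:
        if out == "allowed":
            if (s, d, p, pr) not in baseline:
                findings.append(("new-connection", s, d, p, pr))
        else:
            failures[(s, d)] += 1
    for (s, d), n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(("repeated-failures", s, d, n))
    return findings


# Rules are written on labels (roles), not hostnames, so they survive
# workloads being added or replaced. Anything not listed is denied.
LABELS = {"web-1": "web", "web-2": "web", "app-1": "app", "app-2": "app",
          "db-1": "db", "mon-1": "monitoring"}
POLICY = [
    ("web", "app", 8080, "tcp"),
    ("app", "db", 5432, "tcp"),
    ("monitoring", "web", 22, "tcp"),
    ("monitoring", "db", 5432, "tcp"),   # health checks against the database
]


def policy_decision(flow, policy=POLICY, labels=LABELS):
    """Default-deny: return 'allow' only if an explicit rule matches."""
    s, d, port, proto = flow[:4]
    for src_role, dst_role, r_port, r_proto in policy:
        if (labels.get(s), labels.get(d), port, proto) == (src_role, dst_role, r_port, r_proto):
            return "allow"
    return "deny"


def reachable_from(compromised, policy=POLICY, labels=LABELS):
    """Blast radius: workloads a compromised host can still connect to."""
    reach = set()
    for src_role, dst_role, _port, _proto in policy:
        if labels.get(compromised) == src_role:
            reach.update(w for w, role in labels.items()
                         if role == dst_role and w != compromised)
    return sorted(reach)


def tighten_policy(policy, dst_role, port, proto, keep_src_roles):
    """Compensating control for an unpatched flaw in the service on
    (dst_role, port, proto): keep only the rules from keep_src_roles to it."""
    return [r for r in policy
            if (r[1], r[2], r[3]) != (dst_role, port, proto)
            or r[0] in keep_src_roles]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for finding in detect_anomalies(baseline, OBSERVED_FLOWS):
        print("finding:", finding)
    for flow in OBSERVED_FLOWS:
        print(flow[:4], "->", policy_decision(flow))
    print("reachable from web-1:", reachable_from("web-1"))
    # Hypothetical scenario: an unpatched flaw in the database listener.
    # Until a patch ships, only the app tier may reach tcp/5432.
    narrowed = tighten_policy(POLICY, "db", 5432, "tcp", {"app"})
    print("reachable from mon-1 after tightening:",
          reachable_from("mon-1", policy=narrowed))
```

Two things worth noticing when running it. The web-1 to db-1 connection that visibility flags as new is exactly the edge the default-deny policy refuses, so in enforcement mode it would never have succeeded; in monitor-only mode it shows up as a finding instead. And `tighten_policy` does not touch rules that are unrelated to the vulnerable service, which is what makes it usable as a temporary compensating control rather than an outage.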