Understanding Zero-Days: Vulnerabilities vs. Exploits vs. Attacks
What are Zero-Day Vulnerabilities?
Zero-day vulnerabilities are published security flaws or bugs in software, firmware, or hardware for which the vendor does not have an official patch or update to address the vulnerability. In others, vendors and users are not aware of the existence of a vulnerability unless reported by the researcher or discovered as a result of an attack.
What is a Zero-Day Exploit?
A zero-day exploit is the technique or proof of concept (PoC), which bad actors use to attack systems that have the zero-day vulnerability. Researchers use zero-day exploits to demonstrate the impact of leveraging the flaw to gain unauthorized access or compromise the underlying system.
What are Zero-Day Attacks?
When bad actors are able to successfully develop and deploy a proof of concept (PoC) or an actual malware that exploits a zero-day vulnerability, then that PoC or malware becomes a Zero-Day attack. As a result of exploiting the zero-day vulnerability, the bad actors get unauthorized access to sensitive data and or critical systems- this is considered as a zero-day attack.
According to the Ponemon Institute, 80% of successful breaches were Zero-Day attacks.
Zero-day attacks are very difficult to defend against because data about the exploit is generally only available for analysis after the attack has completed its course. These zero-day attacks can take the form of polymorphic worms, viruses, Trojans, and other malware.
The most effective attacks that avoid detection are polymorphic worms. This malware avoids detection by frequently changing its identifiable characteristics. When a vulnerability becomes public and the vendor has deployed a patch, then it becomes a known or “n-day” vulnerability.
According to the Ponemon Institute, 80% of successful breaches were Zero-Day attacks. In addition, organizations also anticipate zero-day attacks to become more prevalent. (source: Ponemon Institute, Third Annual State of Endpoint Security Report, January 2020)
When zero-day exploits become public- meaning that security researchers have posted a blog and advisory- it typically includes information about the payload and the identity of the threat actors behind it. Security researchers are therefore also focusing their efforts on understanding the attackers exploit methodology. Their goal is to gain information that would help security teams develop enhanced and new detection, as well as preventative methods.
How are zero-day exploits used in an attack?
These are multiple methods for launching and executing a zero-day attack. Examples of common methods include:
- Spear phishing with social engineering. This technique is used by threat actors (usually nation states) to get a specific individual target to open a specially designed malicious email. These actors may spend some time stalking and surveilling the target in social media prior to launching the malicious email. The objective is to get this individual to open the email, then download the malicious payload.
- Spam emails and phishing- In this scenario, attackers are playing a numbers game by sending emails to a very large number of recipients across multiple organizations, with the expectation that a small percentage will open the email and click on the link that is embedded in the message. Clicking on the link will download the malicious payload or takes the user to a site that would automatically download the malware. This technique is often used by organized cyber-criminal organizations.
- Embedding exploit kits in malvertisements and malicious sites. In this scenario, bad actors have successfully compromised a web site and injected a malicious code that would redirect a visitor to the exploit kit server.
- Compromising a system, network, or server, for example applying brute force and then using the exploit to execute the attack. MITRE offers a more comprehensive list of attack tactics and techniques that bad actors use to launch and execute a zero-day attack.
What are well-known examples of successful Zero-Day Attacks?
- Stuxnet (a worm that exploited multiple zero-day vulnerabilities)
- Aurora (an organized attack that exploited several zero-day vulnerabilities)
- BlueKeep Vulnerability (CVE-2019-0708)
What are the best practices for protection against Zero-Day Attacks?
Practicing secure software lifecycle development to ensures code security and secure design architecture minimizing potential vulnerabilities.
- Have a solid vulnerability management program and a patching program. For example, update software ASAP, especially critical security release updates.
- Security awareness training- focus on social engineering, recognizing phishing and spear-phishing campaigns, and on avoiding malicious websites.
- Deploying layered security controls including perimeter firewalls, IPS/IDS, and other data-center security controls as well as endpoint security controls.
- Applying micro-segmentation and least privilege, especially in high-value systems, to make it more difficult and expensive for attackers to reach their targets.
- Threat intelligence, auditing and monitoring of connectivity and user activity, and anomaly detection.
- Have a solid disaster recovery and back-up plan.
What is the role of real-time visibility and micro-segmentation in responding to a Zero-Day Attack?
Even if software is vulnerable, a bad actor may not necessarily be able to deploy its exploit successfully if the target had well-designed, access control issues in place.
- Real-time visibility enables security, IT ops, and networking teams to model and understand the normal traffic and application behavior. It helps them get better at detecting new connectivity and unusual, multiple failed attempts to connect to a workload which could be indicators of an attack.
- Micro-segmentation is a preventative control. Micro-segmentation’s default-deny approach reduces the attack surface. This limits the attack pathways of an exploit and makes it more expensive for a bad actor to propagate their attack inside their target’s network.
- Micro-segmentation as a compensating control in the event of an attack. When a zero-day is publicly disclosed, and no patch is available or if patching is not operationally feasible, an organization can use process-level segmentation to lock down traffic between workloads and between workloads and users only to specific ports, protocols and services.