Unfortunately, taking steps to avoid becoming the victim of a cyber-attack, and putting measures in place to respond to one if it occurs, isn’t the whole story when preparing a cyber-security strategy.
There’s a major class of vulnerability that can cause serious damage but for which no specific preparation can be made in advance: zero-day threats.
What are Zero-Day Threats?
When a new computer program, component, or piece of equipment is first released, it will have been tested by its manufacturer or developers, at least to the extent that their budget and expertise allow. However stringent the tests, there’s always the possibility that some flaw has slipped past the testing process and will show up, with bad results, in the field or on the market.
Because these flaws were undiscovered, there’s no way the developer or manufacturer could have put counter-measures in place before the product was released.
A zero-day vulnerability is a flaw in software or hardware that is unknown to the vendor (and usually to everyone except whoever found it); a zero-day exploit is code that takes advantage of such a flaw, and a zero-day attack is the use of that exploit against a target. Collectively these are referred to as zero-day threats. The name refers to the number of days the developer or manufacturer has had to fix the flaw: zero.
Zero-day threats are sometimes known as “day-zero attacks” or “zero-hour attacks”.
Zero-day Threats – The Vulnerability Window
There’s a timeline associated with zero-day vulnerabilities, sometimes known as the vulnerability window: the period between the first successful exploitation of a flaw and the release of a security patch to counter it. For any particular system, the window only closes once that patch has actually been applied.
Despite the name, the “zero” is not a 24-hour period. Although the most newsworthy zero-day attacks are engineered to inflict maximum damage before anyone can react, the actual window of vulnerability can be anything from a single day to several months or even years. The timeframe depends on how long it takes for the exploitation to be discovered, and for the required counter-measures to be developed and deployed.
Ignorance of a threat isn’t always the deciding factor. Sometimes developers discover a vulnerability before an attack takes place, but are unable to construct a suitable patch before the first assaults occur. Sometimes, too, production schedules and market demands delay a patch so that it ships alongside other updates; this tends to happen when the vulnerability is not judged to be critical or especially dangerous.
The end result is the same: as long as the vulnerability remains unknown to defenders, affected systems and software can’t be patched, and anti-virus packages can’t flag the exploit from their existing signature databases, because no signature for it exists yet.
Zero-day Threats – The Attack Vectors
The origins and tools of zero-day threats are both numerous and varied. Hardware, application software, operating systems: anywhere a vulnerability can be found, malware coders may have an opportunity. The exploit itself may arrive as an email attachment, a booby-trapped document, a crafted web page that triggers a flaw in the browser, or a packet aimed at a listening service; once it runs, it typically drops more conventional malware, such as a virus, a Trojan, or a component that hides inside an operating system process.
The originators of an attack now often go beyond the stereotype of the lone maverick or the political hacktivist group. On the darker side of the web there’s a flourishing black market in newly discovered zero-day exploits. For example, TheRealDeal Market, which came to light in 2015, used the Tor anonymity network and Bitcoin payments to offer zero-day attack kits, some for as little as $5,000.
Based on reported incidents alone, cyber-criminals had access to over 85 zero-day vulnerabilities over the past five years, many of them in products from leading vendors such as Adobe, Apple, Microsoft, or Oracle, and the true number of exploits is likely to be greater, since a successful zero-day is by definition one that nobody noticed. Perhaps surprisingly, a Reuters investigation suggests that governments are the biggest customers for zero-day exploit sales.
Zero-day Threats – What are The Attacks Like?
Zero-day attacks cover a full spectrum in terms of scale, effect, and ambition.
The exploit for CVE-2014-4148, uncovered by the cyber-security firm FireEye in 2014, used a flaw in Microsoft Windows’ handling of TrueType fonts: malicious code embedded in a font inside a document was delivered to an (unnamed) international organization, and opening the document was enough to trigger it. Other notable assaults have targeted the South Korean Army and the U.S. Department of Labor.
CVE-2013-0422 (spotted in 2013) exploited a vulnerability in version 7 of the Java runtime to push the ransomware known as Tobfy onto victims’ machines through drive-by downloads. The malware locked affected users out of their machines, and kept them out even if they paid the ransom: the malware coders had neglected to include any communication link between themselves and the ransomware, so there was no way to send an unlock command.
Zero-day Threats – How Do You Guard Against Them?
There’s no hard and fast set of rules for guarding against zero-day threats, but here are some recommendations and best practices:
- Configure Your Firewalls: Set rules to allow only the traffic your systems actually need, with a default-deny policy for everything else. Filter outbound traffic too: an exploit that lands on a host still needs a path back to its operator.
- Assign Limited Privileges: Users should be given access only to what’s necessary for them to do their jobs. Many exploits need elevated privileges to do real damage, and a low-privilege account limits their reach.
- Keep Work Units Separated: Segment your network and apply different risk profiles to limit access between segments. A compromise in one work group then cannot spread freely to another.
- Limit and Whitelist Your Applications: Maintain a list of approved applications and restrict installations to that list. Keep the number of applications down: every additional package is additional attack surface in which a vulnerability can be found.
- Stay Up to Date with Patches: This won’t guard against a flaw nobody has found yet, but it closes the known ones you may not have been aware of, and an attacker with a working exploit for an old bug has no need to spend a zero-day.
- Use the Latest Operating System Version: Newer versions of most operating systems ship with exploit mitigations (address-space randomisation, non-executable memory, sandboxing) that can stop or hinder the execution of malicious code even when the underlying flaw is unknown.
- Use Threat Intelligence: Subscribe to security forums and threat intelligence services to be informed about the latest threats and counter-measures.
- Use Your Own Intelligence: Intimate knowledge of your own networks helps in spotting abnormal behaviour, which is what a zero-day leaves behind when no signature exists for it.
- Develop an Incident Response Plan: Use the information and tools you have to create a robust prevention and remediation strategy, and rehearse it before you need it.
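As an added example (not code from the original article), the script below shows the kind of behavioural baselining the last two recommendations depend on: a signature cannot exist for a flaw nobody has catalogued, but the exploit’s aftermath, such as a document reader spawning a shell or a host opening a port it has never used, is visible. It learns, per host, which parent/child process pairs and destination ports are normal from a trusted window of telemetry, then flags every event outside that baseline. The record format and every host, process and port in it are constructed for the example.

```python
"""Behavioural baselining: flag what a signature database cannot.

Added example, not part of the original article. All hosts, processes,
ports and the record format are constructed for illustration.
Record format (one event per line):
    host=<name> parent=<process> child=<process> dport=<port, or 0 if none>
"""
from collections import defaultdict

# Constructed "known good" telemetry from a window believed to be clean.
TRAINING_LOG = [
    "host=ws01 parent=explorer.exe child=winword.exe dport=0",
    "host=ws01 parent=winword.exe child=splwow64.exe dport=0",
    "host=ws01 parent=explorer.exe child=chrome.exe dport=443",
    "host=ws01 parent=chrome.exe child=chrome.exe dport=443",
    "host=srv01 parent=services.exe child=svchost.exe dport=0",
    "host=srv01 parent=svchost.exe child=svchost.exe dport=389",
]

# Constructed live telemetry containing a document-borne exploit chain.
LIVE_LOG = [
    "host=ws01 parent=winword.exe child=splwow64.exe dport=0",
    "host=ws01 parent=winword.exe child=powershell.exe dport=0",
    "host=ws01 parent=powershell.exe child=powershell.exe dport=4444",
    "host=ws01 parent=chrome.exe child=chrome.exe dport=8443",
    "host=srv01 parent=svchost.exe child=svchost.exe dport=389",
    "host=ws99 parent=explorer.exe child=cmd.exe dport=0",
]


def parse_line(line):
    """Split one 'key=value' record into a dict; dport becomes an int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def build_baseline(lines):
    """Learn host -> {(parent, child): set of destination ports} from clean data."""
    baseline = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_line(line)
        baseline[ev["host"]][(ev["parent"], ev["child"])].add(ev["dport"])
    return baseline


def detect(baseline, lines):
    """Return (line, reason) for each event the baseline does not explain.

    Three deviations are distinguished, in decreasing order of concern:
    a host never seen before, a parent/child lineage never seen on that host,
    and a known lineage talking to a port it has never used.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        lineages = baseline.get(ev["host"])  # .get() does not create a default entry
        if lineages is None:
            alerts.append((line, "unknown host"))
            continue
        ports = lineages.get((ev["parent"], ev["child"]))
        if ports is None:
            alerts.append((line, "new process lineage"))
        elif ev["dport"] not in ports:
            alerts.append((line, "new destination port"))
    return alerts


def run_demo():
    """Build the baseline from TRAINING_LOG and check LIVE_LOG against it."""
    return detect(build_baseline(TRAINING_LOG), LIVE_LOG)


if __name__ == "__main__":
    for line, reason in run_demo():
        print(f"{reason:22} {line}")
```

Run it as a script to print the four alerts, or import it and call `run_demo()`. In practice the baseline would be learned from days of endpoint telemetry rather than six constructed lines, and each alert kind would map to a different triage priority: a new process lineage under a document reader or browser is the classic signature-less sign that an exploit has fired, while a new port on an otherwise known lineage may just be a configuration change.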