Security - Apr 10, 2017

Zero-day security exploits: Guarding against the unknown

For cybercriminals, they are the Holy Grail: security flaws in software that are otherwise unknown to the rest of the world.

Zero-day exploits potentially expose organizations to untold risks without their knowledge.

Using this exclusive information, hackers can develop ways to take control of corporate systems and steal company data without fear of detection or of getting blocked by security products.

Known as zero-day exploits, these attacks potentially exposing their organizations to untold risks without their knowledge. In the ceaseless cyber security war, zero-day exploits represent a strategic advantage for criminals — a secret weak point in even the most complete defense system.

Zero-day vulnerabilities circumvent a company’s usual defense of identifying and patching software flaws. They are able to do so because the victims have no knowledge of the issue.

Typically, security researchers privately inform the affected software vendor of a vulnerability. This lets them develop and release a patch at the same time as they reveal the vulnerability to the broader security community. However, this process isn’t possible with zero-day vulnerabilities, because the hackers are the only ones with knowledge of it.

In some cases, exploits reveal issues serious enough that they are publicly disclosed before a software vendor can release a patch.

According to the 2016 Trustwave Global Security Report, 21 such high-profile zero-day vulnerabilities were identified in 2015. Most troubling, 13 of them could have been used to gain remote access to corporate PCs through Web browsers or browser add-ons. The vulnerabilities affected widely used software such as Adobe Flash Player, Windows, Java, Internet Explorer, the PDF feature of the Firefox browser and a component of the Magento ecommerce platform.

A deeper level of vigilance

There is no bullet-proof solution to stop zero-day exploits. Protecting against them requires advanced strategies and a more comprehensive approach to information security to identify suspicious activity, says John Randall, Director of Product Marketing for Trustwave. “There’s no quick and easy answer,” he says, “but a lot of it starts with threat detection and how quickly you can take action.”

"Protecting against zero-day exploits requires advanced strategies and a more comprehensive approach to information security to identify suspicious activity" - John Randall, Trustwave

Trustwave advocates an approach it calls “defense in depth”, which incorporates standard security tools — Web and email gateways, antivirus, Web application firewalls (to ensure the website traffic is valid and secure), and network access control (to protect against rogue devices accessing your network) — but then adds a layer of intelligent network and system monitoring to analyze the data.

“Your boundaries have extended beyond where they were even five years ago, so you have this whole new world that you have to protect,” says Randall. “It has all these different points of protection and there’s no single solution that can take care of it all, but you have to be able to address each one of them wherever that vantage point is.”

The challenge is that antivirus and intrusion-detection systems (IDS) are signature-based, searching for patterns, like malware or blacklisted IPs, that have previously been identified as threats. Defending against unknown attacks like zero-day exploits requires solutions that detect deviations from a model of "good" traffic, which often relies on machine learning.

Analysis and correlation

Security Information and Exchange Monitoring solutions (SIEMs), both on-premise or in the cloud, aggregate and store data from all logs generated by multiple security tools. But that’s just the start. “The amount of data you’re searching has gone through the roof, and the number of things you should be concerned with has equally increased,” says Randall. “How do you know how to make sense out of all this noise?”

"The amount of data you’re searching has gone through the roof, and the number of things you should be concerned with has equally increased." - John Randall, Trustwave

Organizations need to conduct ongoing network and system monitoring, analyzing patterns for anomalies and “indicators of compromise” (IOCs). Sophisticated attacks increasingly rely on multiple points of entry that individually may appear innocuous, but together compromise your information security. In one case, organized cyber criminals placed follow-up phone calls to targeted employees to ensure they opened infected emails.

“You now have to put all these pieces together to understand that this is suspicious activity,” says Randall.

Rapid Incident Response

Once IOCs are identified, an organization turns to what should be an up-to-date and tested incident response process (IRP) to isolate the problem and remediate it. Internal security policies will determine the level of response necessary. Depending on an organization’s skillset, that may necessitate passing the IOCs along to a third-party managed security service provider for further analysis.

But when an organization is dealing with a zero-day exploit, time is of the essence. “If something is definitely happening, you have to continue to do analysis and research to find as much detail as you can,” says Randall. “Where are they targeting? Where is it coming from? Where is it going to? And how quickly can you close this particular gap, while minimizing the overall impact to your network? In a worst-case scenario, that can mean taking the entire organization off the network to stop a complete loss, until you completely mitigate the breach.”