A zero-day is a weakness in hardware, software or firmware that is not known to the parties responsible for patching or fixing the flaw. The term zero refers to an attack that has zero days between the time the vulnerability is discovered and the first attack. Once a zero-day vulnerability is known to the public, it’s known as a one-day or n-day vulnerability.
Normally, when someone discovers that a software program has a potential security risk, the organization or the person will notify the software company so that necessary action can be taken. The software company can fix the code and distribute a software or patch update. Even if potential hackers know about the vulnerability, it may take some time to exploit it. Hopefully, the fix will be available before an attacker attacks the system. However, an attacker may be the first person to discover the vulnerability. Since the vulnerability is not known in advance, there is no way to safeguard the exploit before it occurs. Organizations exposed to such exploits can institute processes for early detection.
Security researchers cooperate with vendors and normally agree to withhold all details of zero-day vulnerabilities for a reasonable period before publishing those details. For instance, Google Project Zero follows the industry guidelines that give vendors up to 90 days to patch a vulnerability before the finder of the vulnerability discloses the weakness. For vulnerabilities deemed critical, Project Zero allows only 7 days for the vendor to patch before publishing the vulnerability. If the vulnerability is being exploited, Project Zero may limit response time to less than 7 days.
Zero-Day Exploit Detection
Zero-day exploits tend to be hard to detect. Anti-malware software and some intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) are most times ineffective because no attack signature yet exists. This is the reason why the ideal way to discover a zero-day attack is user behavior analytics. Most of the entities authorized to access networks exhibit particular usage and behavior patterns that are known to be normal. Activities falling outside of the normal scope of operations may be an indicator of a zero-attack.
For instance, a web application server typically responds to requests in certain ways. If outbound packets are discovered exiting the port assigned to that web application and those packets do not match anything that would ordinarily be generated by the application, it’s a good indication that an attack is happening.
Zero Exploit Periods
Some zero-day attacks have been attributed to advanced persistent threat (APT) actors, hacking or cybercrime groups affiliated with or a part of national governments. Cyber attackers, especially organized cybercrime groups, are known to reserve their zero-day exploits for high-value targets.
N-day vulnerabilities are subject to exploits after the vulnerabilities have been fixed or patched by vendors. Also, researchers continue to find zero-day vulnerabilities in the Server Message Block protocol, implemented in the Windows OS for many years. Once the zero-day vulnerability is made public, users should patch their systems. However, attackers continue to exploit the vulnerabilities for as long as unpatched systems remain exposed on the internet.
Defending Against Zero-Day Attacks
Zero-day exploits are hard to defend because they are difficult to detect. Vulnerability scanning software depends on malware signature checkers to compare suspicious code with signatures of known malware. When the malware makes use of a zero-day exploit that has not been encountered, such vulnerability scanners will fail to block the malware.
Since a zero-day vulnerability cannot be known in advance, there is no way to guard against a particular exploit before it occurs. But, there are some things that organizations can do to reduce their level of risk exposure:
- Implement IPsec, the IP security protocol, to apply encryption and authentication to network traffic.
- Use virtual local area networks to segregate some areas of the network or use dedicated physical or virtual network segments to isolate sensitive traffic flowing between servers.
- Use network access control to prevent rogue machines from gaining access to crucial parts of the enterprise environment.
- Deploy an IDS or IPS. Although signature-based IDS and IPS security products may not be able to identify the attack, they may be able to alert defenders to suspicious activity that occurs as a side effect to the attack.
- Perform regular vulnerability scanning against enterprise networks and lockdown any vulnerabilities that are discovered.
- Keep all systems patched and up to date. Although patches will not stop a zero-day attack, keeping network resources fully patched may make it more difficult for an attack to succeed. When a zero-day patch does become available, apply it as soon as possible.
- Lockdown wireless access points and uses a security scheme such as Wi-Fi Protected Access 2 for maximum protection against wireless-based attacks.
While maintaining a standard for information systems may not stop all zero-day exploits, it can help defeat attacks that make use of zero-day exploits after the vulnerabilities have been patched.
Examples of Zero-Day Attacks
Multiple zero-day attacks normally occur every year. For instance, in 2016, there was a zero-day attack (CVE-2016-4117) that exploited a previously undiscovered flaw in Adobe Flash Player. Also in 2016, more than 100 organizations succumbed to a zero-day bug (CVE-2016-0167) that was exploited for an elevation of privilege attack targeting Microsoft Windows.
In 2017, a zero-day vulnerability (CVE-2017-0199) was discovered in which a Microsoft Office document in rich text format was shown to be able to trigger the execution of a visual basic script containing PowerShell commands upon being opened. Another 2017 exploit (CVE-2017-0261) used encapsulated PostScript as a platform for initiating malware infections.
In this article, we have analyzed what a zero-day vulnerability is and ways to prevent cyber attackers from having access to sensitive data and confidential information. Do you need help in managing zero-day vulnerabilities? If yes, reach out to the team of security experts at Vicarius today.
Vicarius offers a vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators from the U.S. market. You can make use of our product TOPIA for accurate cybersecurity and ensuring your assets are well protected. You can check our product page to learn more about TOPIA.