Dec 21, 2020
A zero-day is a weakness in hardware, software or firmware that is not known to the parties responsible for patching or fixing the flaw. The term zero refers to an attack that has zero days between the time the vulnerability is discovered and the first attack. Once a zero-day vulnerability is known to the public, it’s known as a one-day or n-day vulnerability.
Normally, when someone discovers that a software program has a potential security risk, the organization or the person will notify the software company so that necessary action can be taken. The software company can fix the code and distribute a software or patch update. Even if potential hackers know about the vulnerability, it may take some time to exploit it. Hopefully, the fix will be available before an attacker attacks the system. However, an attacker may be the first person to discover the vulnerability. Since the vulnerability is not known in advance, there is no way to guard against the exploit before it occurs. Organizations exposed to such exploits can instead institute processes for early detection.
Security researchers cooperate with vendors and normally agree to withhold all details of zero-day vulnerabilities for a reasonable period before publishing those details. For instance, Google Project Zero follows the industry guidelines that give vendors up to 90 days to patch a vulnerability before the finder of the vulnerability discloses the weakness. For vulnerabilities deemed critical, Project Zero allows only 7 days for the vendor to patch before publishing the vulnerability. If the vulnerability is being exploited, Project Zero may limit response time to less than 7 days.
Zero-day exploits tend to be hard to detect. Anti-malware software and some intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) are often ineffective because no attack signature yet exists. This is why the most practical way to discover a zero-day attack is user and entity behavior analytics. Most of the entities authorized to access networks exhibit particular usage and behavior patterns that are known to be normal. Activities falling outside of the normal scope of operations may be an indicator of a zero-day attack.
For instance, a web application server typically responds to requests in certain ways. If outbound packets are discovered exiting the port assigned to that web application and those packets do not match anything that would ordinarily be generated by the application, it’s a good indication that an attack is happening.
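The baseline-versus-deviation idea in the two paragraphs above, worked through as an added example that is not part of the original article. It builds a small allow-list baseline for a web application server (assumed here to serve on TCP 443 and to make outbound connections only to one database host) and scores constructed connection records against it; a hash-based signature check is included alongside it only to show why a signature lookup alone says nothing about a sample it has never seen. All hosts, ports and records are constructed for the example.

```python
"""
Added example: baseline-based egress checking for a web application server,
contrasted with a signature lookup. Everything below (hosts, ports, records,
the 'known bad' hash) is constructed; nothing is taken from a real deployment.
"""
import hashlib
from collections import namedtuple

Conn = namedtuple("Conn", "ts proc direction src_port dst_ip dst_port bytes_out")

# Assumed baseline learned from historical logs of the server during normal operation:
# only the web server process talks, and its only outbound peer is the database.
BASELINE = {
    "procs": {"httpd"},
    "allowed_outbound": {("10.0.1.20", 5432)},
    "max_bytes_out_per_conn": 2_000_000,
}

# Constructed connection records for one short window.
SAMPLE = [
    Conn("2020-12-21T10:00:01Z", "httpd", "inbound", 443, "203.0.113.5", 51234, 12_000),
    Conn("2020-12-21T10:00:02Z", "httpd", "outbound", 40123, "10.0.1.20", 5432, 800),
    Conn("2020-12-21T10:00:05Z", "httpd", "outbound", 40124, "198.51.100.77", 8443, 1_200),
    Conn("2020-12-21T10:00:09Z", "httpd", "outbound", 40125, "10.0.1.20", 5432, 9_500_000),
]


def score_connection(c, baseline=BASELINE):
    """Return the list of ways this record deviates from the baseline (empty means normal)."""
    reasons = []
    if c.proc not in baseline["procs"]:
        reasons.append(f"unexpected process {c.proc}")
    if c.direction == "outbound":
        # Outbound traffic to a peer the application never talks to is the
        # pattern the article describes: packets the app would not normally generate.
        if (c.dst_ip, c.dst_port) not in baseline["allowed_outbound"]:
            reasons.append(f"outbound to unlisted destination {c.dst_ip}:{c.dst_port}")
        # A known peer can still look wrong if the volume is far outside the norm.
        if c.bytes_out > baseline["max_bytes_out_per_conn"]:
            reasons.append(f"outbound volume {c.bytes_out} exceeds baseline")
    return reasons


def find_anomalies(records, baseline=BASELINE):
    """Return (timestamp, reasons) for every record that deviates from the baseline."""
    flagged = []
    for c in records:
        reasons = score_connection(c, baseline)
        if reasons:
            flagged.append((c.ts, reasons))
    return flagged


# Constructed signature database: a single SHA-256 of a sample already analysed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-sample").hexdigest()}


def signature_match(payload: bytes) -> bool:
    """Signature-style check: true only if this exact payload was seen before."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    for ts, reasons in find_anomalies(SAMPLE):
        print(ts, "->", "; ".join(reasons))
    # A payload never catalogued gets no signature hit, which is the gap the
    # behavioral check above is meant to cover.
    print("signature hit on unseen payload:", signature_match(b"never-catalogued"))
```

The records are deliberately simple; in practice the baseline would be learned from flow or proxy logs over a period long enough to capture legitimate peers such as update servers, and the volume threshold would be set per destination rather than globally.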
Some zero-day attacks have been attributed to advanced persistent threat (APT) actors, hacking or cybercrime groups affiliated with or a part of national governments. Cyber attackers, especially organized cybercrime groups, are known to reserve their zero-day exploits for high-value targets.
N-day vulnerabilities are subject to exploits after the vulnerabilities have been fixed or patched by vendors. For example, researchers continue to find vulnerabilities in the Server Message Block (SMB) protocol, which has been implemented in the Windows OS for many years. Once a zero-day vulnerability is made public, users should patch their systems. However, attackers continue to exploit the vulnerabilities for as long as unpatched systems remain exposed on the internet.
Zero-day exploits are hard to defend against because they are difficult to detect. Vulnerability scanning software depends on malware signature checkers that compare suspicious code with signatures of known malware. When malware makes use of a zero-day exploit that has not been encountered before, such scanners have no signature to match and will fail to block the malware.
Since a zero-day vulnerability cannot be known in advance, there is no way to guard against a particular exploit before it occurs. Still, there are some things that organizations can do to reduce their level of risk exposure:
Maintaining security standards for information systems may not stop all zero-day exploits, but it can help defeat attacks that make use of those exploits after the vulnerabilities have been patched.
Multiple zero-day attacks normally occur every year. For instance, in 2016, there was a zero-day attack (CVE-2016-4117) that exploited a previously undiscovered flaw in Adobe Flash Player. Also in 2016, more than 100 organizations succumbed to a zero-day bug (CVE-2016-0167) that was exploited for an elevation of privilege attack targeting Microsoft Windows.
In 2017, a zero-day vulnerability (CVE-2017-0199) was discovered in which a Microsoft Office document in Rich Text Format was shown to be able to trigger the execution of a Visual Basic script containing PowerShell commands upon being opened. Another 2017 exploit (CVE-2017-0261) used Encapsulated PostScript as a platform for initiating malware infections.
In this article, we have analyzed what a zero-day vulnerability is and ways to prevent cyber attackers from having access to sensitive data and confidential information. Do you need help in managing zero-day vulnerabilities? If yes, reach out to the team of security experts at Vicarius today.
Vicarius offers vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators in the U.S. market. You can make use of our product TOPIA for accurate cybersecurity and for ensuring your assets are well protected. You can check our product page to learn more about TOPIA.