Zero Day Exploit Protection

They say what you don’t know can’t hurt you — but that’s not really true. One example is a zero-day exploit. This is a network vulnerability that hasn’t been identified yet, at least not by the people who need to fix it. These IT professionals have zero days to fix the problem because they don’t even know that it exists. Zero-day attacks are extremely dangerous because computer networks can be totally blindsided by them. There are no warnings or patches for an exploit that no one knows about.

The Element of Surprise

A zero-day exploit is perfect for hackers. They can use the element of surprise, and until the vulnerability is discovered they have time to develop a delivery system for the attack. Don’t be fooled: the hacker community has sophisticated tools and a well-developed communications infrastructure. They use the dark web to share information, and they even use brokers in the exploit market for the buying and selling of vulnerabilities.

Once a vulnerability is known, it is added to the database at the Common Vulnerabilities and Exposures (CVE) website. They call themselves “The Standard for Information Security Vulnerability Names”. But until a potential weakness is identified, it may remain unknown to anyone. The worst case is that the vulnerability is known only to those in the hacking community who are preparing to use it against defenseless computer systems.

The Battle Is On

Symantec offers a sample list of zero-day vulnerabilities in their “Guide to Zero-Day Exploits”. The list includes exposures for Adobe/Flash, Apache, Internet Explorer, Java, Mac, Microsoft Word, Microsoft Windows, and WordPress. One example is CVE-2015-0008. According to Symantec, “The CVE-2015-0008 bug could allow an attacker to easily hijack a domain-configured Windows computer if it is connected to a wireless or wired malicious network.” They say it took Microsoft almost a year to issue the necessary patches.

Zero-day exploits can take the form of viruses, polymorphic worms, Trojans, or other malware. Experts say that hackers are getting better and faster at launching attacks to take advantage of zero-day vulnerabilities. They are developing knowledge bases and increasing their own expertise. There is a real battle going on between hackers and software security personnel.

Show Me the Money

When someone discovers an exposure in web application software, they have a choice. They can report it to the software vendor, they can put it on the market with a broker, or they can sell it directly to a buyer. There is actually a market on the dark web for these vulnerabilities, and they are sold to the highest bidder. There is also a more open market for those who report issues properly.

Who participates in this commercial market? First, the hackers themselves are involved. White hat hackers (the good guys) will report issues to vendors and may actually be paid for their efforts. Black hat hackers have no ethical constraints and will sell vulnerabilities on the black market. Grey hat hackers could go either way. Brokers may work with unethical companies, individuals, or even governments to take a cut from sales of these exploits. And some of them could go for $150,000+.

Mitigation Techniques

David Hammarberg wrote a white paper called “The Best Defenses Against Zero-day Exploits for Various-sized Organizations”. He says that smaller organizations are at a distinct disadvantage because they may not have the same resources for network security that are available to larger organizations. He identifies four basic approaches to the mitigation of zero-day exploits.

Statistical-based defense technique

Using data from previous attacks, this approach attempts to detect exploits based on statistical analysis. It sets thresholds on measured traffic parameters and flags traffic that exceeds what is normal for those parameters. There is always the chance for false positives using this approach, but the thresholds can be adjusted.

Signature-based defense technique

This technique is further divided into content-based, semantic-based and vulnerability-based signatures. The idea here is that antivirus vendors compile a library of different malware signatures. These require constant updates. Each kind of signature uses a different set of characteristics to identify a potential vulnerability.

Behavior-based defense technique

As the name suggests, this approach looks out for suspicious activity. “The goal of such techniques,” writes Hammarberg, “is to predict the future behavior of a web server, server or victim machine in order to deny any behaviors that are not expected.”

Hybrid-based defense technique

This is a combination of the three previous techniques. One model, from researchers Kaur and Singh, uses this technique to create a Suspicious Traffic Filter (STF). “These three main components will work together as interrelated process,” they write.

Abhay Joshi of Top Layer Networks covers zero-day exploits in an article for ComputerWorld. He says to look for unexpected traffic on a particular server or port. And he outlines a security plan that includes adequate prevention, real-time intrusion prevention systems (IPS), planned incident response, and methods to limit the spread of an exploit once discovered.
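To make the four defense techniques and Joshi's "unexpected traffic on a particular server or port" check concrete, here is an added example, not code from the article or from any of the papers it cites, of a toy Suspicious Traffic Filter in Python. It runs the statistical (threshold on flows per time window), signature (content pattern) and behavior (expected server profile) checks over a constructed flow log and combines them into one hybrid verdict. The log lines, the baseline window counts, the signature marker and the server profile are all constructed for the demo.

```python
"""Toy Suspicious Traffic Filter: statistical, signature and behavior checks
combined into one hybrid verdict. Everything here (log lines, baseline,
signatures, the server profile) is constructed for illustration."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed flow log for one web server (10.0.0.20); t = time window.
LOG = """\
t=1 src=10.0.0.5 dst=10.0.0.20 dport=443 bytes=900 payload=GET /index.html
t=1 src=10.0.0.6 dst=10.0.0.20 dport=443 bytes=850 payload=GET /login
t=1 src=10.0.0.7 dst=10.0.0.20 dport=443 bytes=920 payload=POST /login
t=2 src=10.0.0.5 dst=10.0.0.20 dport=443 bytes=910 payload=GET /about
t=2 src=10.0.0.8 dst=10.0.0.20 dport=443 bytes=880 payload=GET /index.html
t=3 src=10.0.0.9 dst=10.0.0.20 dport=8081 bytes=400 payload=GET /admin
t=3 src=10.0.0.20 dst=198.51.100.7 dport=4444 bytes=120 payload=hello
t=3 src=10.0.0.5 dst=10.0.0.20 dport=443 bytes=950 payload=GET /?q=EVIL-MARKER-01
t=4 src=10.0.0.21 dst=10.0.0.20 dport=443 bytes=900 payload=GET /
t=4 src=10.0.0.22 dst=10.0.0.20 dport=443 bytes=900 payload=GET /
t=4 src=10.0.0.23 dst=10.0.0.20 dport=443 bytes=900 payload=GET /
t=4 src=10.0.0.24 dst=10.0.0.20 dport=443 bytes=900 payload=GET /
t=4 src=10.0.0.25 dst=10.0.0.20 dport=443 bytes=900 payload=GET /
t=4 src=10.0.0.26 dst=10.0.0.20 dport=443 bytes=900 payload=GET /
"""

LINE_RE = re.compile(r"t=(\d+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+) payload=(.*)")

def parse_log(text):
    """Turn the key=value lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, src, dst, dport, nbytes, payload = m.groups()
        events.append({"t": int(t), "src": src, "dst": dst,
                       "dport": int(dport), "bytes": int(nbytes), "payload": payload})
    return events

# Statistical: flows-per-window counts observed in earlier (constructed) windows.
BASELINE_FLOWS_PER_WINDOW = [3, 2, 4, 3, 3, 2]

def statistical_alerts(events, baseline, k=2.0):
    """Flag windows whose flow count exceeds mean + k*stdev of the baseline.
    k is the adjustable threshold: raise it to cut false positives."""
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline)
    per_window = Counter(e["t"] for e in events)
    return {t for t, n in per_window.items() if n > mean + k * sd}

# Signature: content-based patterns (a constructed marker, not a real IoC).
SIGNATURES = {"CONSTRUCTED-SIG-01": re.compile(r"EVIL-MARKER-01")}

def signature_alerts(events, signatures=SIGNATURES):
    """Return {event index: [matching signature names]}."""
    hits = {}
    for i, e in enumerate(events):
        names = [n for n, rx in signatures.items() if rx.search(e["payload"])]
        if names:
            hits[i] = names
    return hits

# Behavior: what the server is expected to do; anything outside the profile is
# denied (Hammarberg's "deny any behaviors that are not expected").
SERVER = "10.0.0.20"
PROFILE = {"inbound_ports": {443}, "outbound": {("10.0.0.53", 53)}}

def behavior_alerts(events, server=SERVER, profile=PROFILE):
    """Return {event index: reason} for flows outside the expected profile."""
    out = {}
    for i, e in enumerate(events):
        if e["dst"] == server and e["dport"] not in profile["inbound_ports"]:
            out[i] = f"unexpected inbound port {e['dport']}"
        elif e["src"] == server and (e["dst"], e["dport"]) not in profile["outbound"]:
            out[i] = f"unexpected outbound connection to {e['dst']}:{e['dport']}"
    return out

def suspicious_traffic_filter(events, k=2.0):
    """Hybrid verdict: {event index: sorted reasons} for every flagged event."""
    reasons = defaultdict(list)
    for t in statistical_alerts(events, BASELINE_FLOWS_PER_WINDOW, k):
        for i, e in enumerate(events):
            if e["t"] == t:
                reasons[i].append(f"statistical: window {t} above threshold")
    for i, names in signature_alerts(events).items():
        reasons[i].extend(f"signature: {n}" for n in names)
    for i, why in behavior_alerts(events).items():
        reasons[i].append(f"behavior: {why}")
    return {i: sorted(r) for i, r in reasons.items()}

if __name__ == "__main__":
    evs = parse_log(LOG)
    for i, r in sorted(suspicious_traffic_filter(evs).items()):
        print(f"line {i + 1}: {evs[i]['src']} -> {evs[i]['dst']}:{evs[i]['dport']} | {'; '.join(r)}")
```

With the default k=2 only the burst in window 4 trips the statistical check; dropping k to 0 also flags windows 1 and 3, which is exactly the false-positive trade-off the statistical technique carries. The 8081 request and the server's own outbound connection on port 4444 are caught by the behavior profile, which is the "unexpected traffic on a particular server or port" Joshi describes, and the marker payload is caught by the signature check even though its window looks statistically normal.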

Conclusion

Awareness and education are the keys to successful network security. The sooner that software providers and users become aware of an exploit, the sooner they can do something about it. If you know that you have a month to fix something, you can get your plan in order and make preparations. But if you actually have zero days because you are suddenly hit with a vulnerability, then you should be ready to spring into action. The potential for zero-day exploits — unknown vulnerabilities — in your network highlights the need to have an emergency security response plan in place. In some situations, there is just no time to waste.
