They say what you don’t know can’t hurt you — but that’s not really true. One example is a zero-day exploit. This is a network vulnerability that hasn’t been identified yet, at least not by the people who need to fix it. These IT professionals have zero days to fix the problem because they don’t even know that it exists. Zero-day attacks are extremely dangerous because computer networks can be totally blindsided by them. There are no warnings or patches for an exploit that no one knows about.
A zero-day exploit is perfect for hackers. They can use the element of surprise, and until the vulnerability is discovered they have time to develop a delivery system for the attack. Don’t be fooled: The hacker community has sophisticated tools and a well-developed communications infrastructure. They use the dark web to share information, and they even use brokers in the exploit market for the buying and selling of vulnerabilities.
Once a vulnerability is known, it is added to the database at the Common Vulnerabilities and Exposures (CVE) website. They call themselves “The Standard for Information Security Vulnerability Names”. But until a potential weakness is identified, it may remain unknown to anyone. The worst case is that the vulnerability is known only to those in the hacking community who are preparing to use it against defenseless computer systems.
Symantec offers a sample list of zero-day vulnerabilities in their “Guide to Zero-Day Exploits”. The list includes exposures for Adobe/Flash, Apache, Internet Explorer, Java, Mac, Microsoft Word, Microsoft Windows, and WordPress. One example is CVE-2015-0008. According to Symantec, “The CVE-2015-0008 bug could allow an attacker to easily hijack a domain-configured Windows computer if it is connected to a wireless or wired malicious network.” They say it took Microsoft almost a year to issue the necessary patches.
Zero-day exploits can take the form of viruses, polymorphic worms, Trojans, or other malware.
Zero-day exploits can take the form of viruses, polymorphic worms, Trojans, or other malware. Experts say that hackers are getting better and faster at launching attacks to take advantage of zero-day vulnerabilities. They are developing knowledge bases and increasing their own expertise. There is a real battle going on between hackers and software security personnel.
When someone discovers an exposure in web application software, they have a choice. They can report it to the software vendor, they can put it on the market with a broker, or they can sell it directly to a buyer. There is actually a market on the dark web for these vulnerabilities, and they are sold to the highest bidder. There is also a more open market for those who report issues properly.
Who participates in this commercial market? First, the hackers themselves are involved. White hackers (the good guys) will report issues to vendors and may actually be paid for their efforts. Black hackers have no ethical constraints and will sell them on the black market. Grey hackers could go either way. Brokers may work with unethical companies, individuals, or even governments to take a cut from sales of these exploits. And some of them could go for $150,000+.
David Hammarberg wrote a white paper called “The Best Defenses Against Zero-day Exploits for Various-sized Organizations”. He says that smaller organizations are at a distinct disadvantage because they may not have the same resources for network security that are available to larger organizations. He identifies four basic approaches to the mitigation of zero-day exploits.
Using data from previous attacks, this approach attempts to detect exploits based on statistical analysis. It uses thresholds to determine when certain internet traffic has exceeded what might be normal for those parameters. There is always the chance for false positives using this approach, but the thresholds can be adjusted.
This technique is further divided into content-based, semantic-based and vulnerability-based signatures. The idea here is that virus software vendors compile a library of different malware signatures. These require constant updates. The approach involves using different characteristics to identify a potential vulnerability.
As the name suggests, this approach looks out for suspicious activity. “The goal of such techniques,” writes Hammarberg, “is to predict the future behavior of a web server, server or victim machine in order to deny any behaviors that are not expected.”
This is a combination of the three previous techniques. One model uses this technique to create a Suspicious Traffic Filter (STF). “ These three main components will work together as interrelated process,” according to researchers Kaur and Singh.
Abhay Joshi of Top Layer Networks covers zero-day exploits in an article for ComputerWorld. He says to look for unexpected traffic on a particular server or port. And he outlines a security plan that includes adequate prevention, real-time intrusion prevention systems (IPS), planned incident response, and methods to limit the spread of an exploit once discovered.
Awareness and education are the keys to successful network security. The sooner that software providers and users become aware of an exploit, the sooner they can do something about it. If you know that you have a month to fix something, you can get your plan in order and make preparations. But if you actually have zero days because you are suddenly hit with a vulnerability, then you should be ready to spring into action. The potential for zero-day exploits — unknown vulnerabilities — in your network highlights the need to have an emergency security response plan in place. In some situations, there is just no time to waste.
Consider protection your application or API with Total Uptime’s Web Application and API Protection suite.
Imagine that a smooth operator convinces Barney Fife — the famous sheriff’s deputy on TV — to unlock a Mayberry jail cell. Barney has the keys. He has the authority. He wants to do the right thing, but he’s easily confused and manipulated. Your web browser has authority too. It can do a lot of […]
If you’re worried about computer hackers, you should be worried about SQL injection (SQLi). It keeps showing up on the top ten list of the Open Web Application Security Project (OWASP). In 2013, the year of their latest approved list, OWASP put injection at the top of the list. “Injection flaws such as SQL, OS, […]
You use web forms all the time. All across the internet, you are called upon to give certain information about yourself in order to access a site, use an application, or purchase a product. And the truth is most of us have become more open to these kinds of interactions as we have become immersed […]