A zero-day exploit is any attack that takes advantage of a previously unknown vulnerability and so hits targets that have had zero days in which to fix that security hole.
True zero-day exploits are rare: there are, more often than not, plenty of people who are perfectly aware of the existence of a vulnerability, but the chances are they don't work for you — they're inhabitants of the demi-mondes of cybercrime and hacktivism. The wholesome developers of software and websites, along with the users of their products and services, are the ones that remain blissfully unaware of the coming security storm until it strikes on day zero.
Any zero-day exploit should, you'd think, have a limited opportunity to infect software and systems. This is known as the 'vulnerability window' and applies to the time between the zero day being first launched and the time when developers issue a patch to fix the security problem. Unfortunately, many zero days have remarkably long vulnerability windows, for three main reasons:
1. Exploits can be distributed, launched and active long before the vulnerability is discovered and work begins on a patch. Some Microsoft Windows vulnerabilities are thought to have had a window of opportunity spanning many years, with no high-profile exploits forcing a fix.
2. Securing the vulnerability can be a long process depending on the precise nature of the vulnerability itself and the complexity of the code that needs to be rewritten; modern operating systems are complex and changes need intensive testing — otherwise the risk is that the fix is unstable, creates incompatibilities, or opens up new vulnerabilities that could be worse than the one being fixed.
3. Exploits can continue long after the vulnerability window has been closed when some users fail to install security updates, effectively leaving the window ajar.
Detect and protect
If zero-day attacks exploit unknown vulnerabilities, how can the enterprise protect against them?
By definition you cannot prevent an attack if it exploits an unknown vulnerability, but that doesn't mean you cannot mitigate against zero-days. Anyone remember Conficker, the worm that exploited a zero-day vulnerability and managed to infect over a million computers within the first 24 hours alone?
So what should you be doing in order to be both ready for such an attack, and able to react to these zero-day threats when they surface? You cannot rely upon signature-based detection strategies as they can only prevent known exploits. Heuristic or behavioural driven defences offer more hope, but they can have a heavy resource overhead — even so, employing an intrusion detection system (IDS) that uses heuristics is still recommended.
Efficient patching of software with security updates as they are released and educating end users regarding unsafe activity are both worth their weight in gold in helping to prevent infection.
Reducing the attack surface
The principle of least privilege is equally effective in dealing with zero-day fallout, and as such should be part of any security risk containment strategy. If services are configured so that they run with the least rights required to perform their tasks, damage from an exploit can be minimised.
Reducing the attack surface always makes security sense, but especially so in the case of the zero-day threat.
Combine this with the principle of privilege separation, dividing a program into parts limited to whatever specific privileges are required to perform specific tasks, and potential damage is mitigated further. This reduction in the attack surface will reduce the reach of a successful zero-day exploit.
Segregation of network traffic, by the implementation of a Virtual LAN for example, speeds your ability to contain the spread of any threat to a single LAN segment rather than exposing the entire enterprise network to that risk. Reducing the attack surface always makes security sense, but especially so in the case of the zero-day threat.
Maintaining good situational awareness is also extremely valuable: keep knowledge of and regular exposure to those parts of the internet where some of the more creative approaches to security are exposed. The best way into these areas is by scrupulously monitoring the news from security conferences such as Defcon. You can be sure that your would-be attackers are paying close attention too.
Two techniques that are also often mentioned as being effective against zero-day exploints are whitelisting and fuzzing. Whitelisting, although it sounds good, is not the answer. Only allowing access to
'good' applications assumes they will remain 100-percent secure, an assumption
that can never be safely made.
Rather than relying upon prevention of
the zero-day attack, a sensible mitigation approach is one that looks to
detect and protect instead. Whitelisting also encourages users to circumvent enterprise security policies, as little is more infuriating than knowing you have a tool to do your job but being unable to use it. It's even more frustrating if the tools you are given are inadequate or flawed.
Fuzzing, where deliberately corrupted data is thrown at a system to make it disgorge dangerous reactions, is more useful, but requires considerable technical skill to deploy usefully. Fuzzing tools such as the CERT Basic Fuzzing Framework (BFF) can be
effective in discovering vulnerabilities in software that could
potentially be exploited by zero-day attackers. Software vendors can
then use the debugging information collected, along with the BFF
analysis, to find and fix those vulnerabilities,
Conclusion
The only strategy that is going to be of any use to your enterprise in dealing with zero-day attacks is one that is both proactive and reactive at the same time, that applies a multi-layer approach to the problem, and has the ability to respond rapidly when an attack is detected.
So do not overlook the importance of your incident response policy and be sure to practise the procedures contained within it. And the more you know about the cutting edge of the security scene, the better you'll be able to prepare and react.
