Zero-day Attack | Causes & mitigations

 


Introduction

We may have multiple layers of defense in place either on hosts or servers including anti-virus, anti-malware, Next-Generation firewalls with application-layer inspection, and more in order to protect our environment, however, most of these solutions can recognize already known attacks through the signature databases for example; if an attacker uses an unaddressed or unknown vulnerability (unknown to the vendors or general public) such as a new malware or tech method or combination of both, this is referred to as “zero-day attack”.

Definition

A zero-day attack is called to a scenario when an actor exploits a new vulnerability (software or hardware flaw) known only by the attacker himself before the release of a patch or an update for it; once the exploit occurs and it’s been corrected, it’s no longer called a zero-day attack.

The most known malware that exploited zero-day vulnerability is the STUXNET worm in 2010. STUXNET targets industrial control systems that aimed at four zero-day exploits causing considerable damage to the Iranian nuclear program. This malware is evidence of the potential harm that can zero-day attacks cause.

Why Zero-day attacks are dangerous

Shortage of Signatures:

A lot of cybersecurity solutions such as anti-viruses and IPS (intrusion prevention systems) depend on signatures to detect and prevent malware and other threats. In the case of zero-day vulnerabilities, vendors and researchers have not yet had the time to create and issue a signature for the exploit, so these solutions are not adequate for this case of threats.

Delayed updates development: 

The life cycle of development begins with the vulnerability discovery, programmers and software engineers need to understand the problem then develop, test, and publish a patch to install it on vulnerable systems. This process can take a long time to finish, so all non-updated systems are exposed to exploitation. [1]

Delayed updates deployment: 

Even after a patch is released, companies and clients required some time to install it to their systems, due to the large number of devices that need to be updated; plus the lack of awareness of clients because not all of the software customers are up to date with the released patches.

High-value targeting: 

Some cybercriminals groups use zero-day exploits for sensitive targets only such as medical institutions like hospitals and clinics or government, military, and financial organizations. This strategy minimizes the likelihood of a vulnerability being found by the victim.

Zero-day attacks mitigation

It’s not easy to protect yourself from the chance of a zero-day attack because any type of security vulnerability could be used as a zero-day if a patch is not released in time.
There are a few techniques you can use to protect your company from zero-day
attacks:

Update your system and software: 

Search for systems in need of patching; obtaining and deploying them rapidly is a great way to avoid zero-day attacks. The best approach is to enable automatic updates so your software is updated regularly.

Keep track of CVEs: 

CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. [2]  A great way to protect your business is to investigate CVEs in order to apply appropriate work-around countermeasures. 

There are many vendors and products like anti-viruses that have tons of devices listening to the network and the goal is to look for malware, bugs . . . etc, and report it to a form of large databases; part of that is proprietary which is controlled solely by vendors and the other part is open source. One example is “TALOS intelligence” from Cisco which acts as a cloud intelligence arm for some Cisco products and addresses several vendors’ zero-day reports. 

There is a large number of inventories available publicly done by researchers all around the world, zerodayinitiative.com is one such example.

deploy additional security measures:

Make sure you’re using security solutions that defend against zero-day attacks, as classic methods alone may not be enough to keep you safe from a zero-day attack. These are some of the solutions:

  • Threat Intelligence Platforms: High-quality threat intelligence is a great way to protect against zero-day widespread attacks for it offers rapidity in defense by using artificial intelligence technics.
  • Threat Prevention Engines: To defend against them, you’ll need tools that could also turn this information operational and stop the attack from achieving. Leading companies like PaloAlto, McAfee, and Checkpoint have a TPE product
  • Next-Generation Antivirus (NGAV): Traditional antivirus is worthless facing zero-day exploits because they utilize vulnerability information from existing software (known file-based signatures), on the other hand, NGAV uses predictive analytics driven by machine learning and artificial intelligence and combines with threat intelligence to detect and prevent malware and file-less non-malware attacks.[3]


Reference

[1] checkpoint.com. What is Zero-Day Attack? accessed 14 june 2021. url: https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-zero-day-attack/?fbclid=IwAR3dypgwEEZTNYrckaALfDM8IeevEDunfufNxc9_oalOrpPwOyV3SGrc96M.

[2] redhat.com. What is a CVE? accessed 26 june 2021. url: https: //www.redhat.com/en/topics/security/what-is-cve?fbclid=IwAR0_XNc0pyMC7oTXx8beubhTa

[3] vmware.com. What is Next-Generation Antivirus (NGAV)? accessed 29 June 2021. URL: https://www.vmware.com/topics/glossary/content/next-generation-antivirus-ngav?fbclid=IwAR0MXvWwlPcdt3Dg53lM5RLDt15XLtxr-gK-b3wke__WgpOGZlf_Jzv31hY.

Comments

Post a Comment

Popular posts from this blog

OpenVas: Vulnerability Scanning | Installation Guide

Image
  Introduction: OpenVAS is a vulnerability scanner that analyzes endpoints and web apps to uncover and detect flaws. Corporations frequently employ it as part of their mitigation strategies to initially identify any weaknesses in their operational or testing servers and apps. This isn't an ultimate solution, but it can assist in the elimination of any common weaknesses that may have sneaked through the gaps. Installation: There are three methods to install GreenBone openVas: 1- Install from Kali/OpenVas repositories:  This way varies in difficulty because of the needed configurations, you can simply install it with apt. sudo apt-get update -y &&  sudo apt-get upgrade -y &&  sudo apt-get dist-upgrade -y sudo apt-get install openvas sudo gvm-setup sudo gvm-check-setup 2- Install from source (Manually): This way is not the best for beginners due to prerequisite installations and error handling can be challenging. github.com/greenbone/openvas-scanner 3- R...
Read more

Nmap | TryHackMe Walkthrough

Image
  An in-depth look at scanning with Nmap, a powerful network scanning tool. This room was created by DarkStar  and  MuirlandOracle , as it provides a great way to learn and start practicing nmap. I encourage you to give it a try by yourself since the hands-on practice will give you more understanding of the topic (take advantage of the manual page man nmap ). Task2: What networking constructs are used to direct traffic to the right application on a server? Ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task) 1024 Task3: What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? -sS Which switch would you use for a "UDP scan"? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the...
Read more

Wireshark for Security Analysis | Customization & Common features

Image
1/ Introduction What is Wireshark? Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today.  wireshark.org/docs/ Some intended purposes Here are some reasons people use Wireshark: Network administrators use it to troubleshoot network problems Network security engineers use it to examine security problems QA engineers use it to verify network applications Developers use it to debug protocol implementations People use it to learn n...
Read more