The Real Danger of 0 Day Exploits

By Lee Gitzes

Zero day is a term that has become part of the information security lexicon over the last several years. As we all know, a zero-day exploit is something that takes advantage of an unknown vulnerability. Beyond that, however, it has become a term that many of us see as a watered-down marketing phrase used by security companies to demonstrate the strength of their offerings. This brings us to the topic of this article. Are zero-day threats a real danger? If so, what are they, and how do I defend myself against them?

A zero-day flaw is a term given to an unpatched software vulnerability that has been discovered by a person other than the developer. Zero-day exploits are a result of the attacker taking advantage of the vulnerability in the software code and exploiting it before the developer is aware and/or able to fix the issue. Hence, the application developer has zero days to resolve the issue before it may be exploited.

The real danger associated with these threats is that there is no public knowledge available about the possible attack vector. This renders many layers of defense, from IDS to the endpoint, useless, as they are not able to stop attacks using vectors that they are not aware of. Even vulnerability detection systems cannot identify the hole, because they are not aware of its existence. Until the exploit is successful, it remains unknown.

Defense against zero-day exploits comes in the form of intelligence. Since these attacks take advantage of unknown vectors, the only way to identify them is through behavior and analytics. This must also be a multi-layered approach, as the exploit is a process and a combination of activities, not a single event. While next-generation firewalls provide excellent capabilities for sandboxing and identifying unknown malware, and are a good place to start, they are not the be-all and end-all. As a matter of fact, in today's world the firewall really is the last line of defense: if malware activity is detected at the perimeter, it likely means that an operating system or application has already been exploited. It is also likely that the compromise has been living in the network for a significant amount of time, as attackers gain a foothold on the network before attempting to communicate outside.

An effective zero-day prevention strategy includes endpoint intelligence. Having the ability to detect and identify unusual behavior and activity at the endpoint is key to early detection.

Network analysis tools on the LAN are also beneficial in helping to detect behavior and activity that are indicative of malware. However, as important as it is to have intelligence at every defense layer, it is equally important, if not more important, to have the ability to integrate these solutions and the data that they produce.

Integration allows the tools to work together. Through APIs and communication channels, an endpoint detection system can make the next-generation firewall aware of potential malware it detects before the malware actually reaches the perimeter. The firewall can then sandbox and identify an application as malware faster as a result of this integration. Another example is the reverse: if the firewall discovers malware, it can create a new definition and "push" that information immediately to the endpoint protection platform, allowing it to stop the pivoting and expansion of an attack in its tracks.

Aggregation of log data and metadata allows the information gathered to be correlated, producing actionable intelligence. Finding suspicious activity on an endpoint is one thing, but on its own it may not conclusively mean that an attack is occurring. However, if that data can be correlated with other activity on the network, at the perimeter, or even on other endpoints and servers, an attack can be identified far more efficiently. This actionable intelligence means that zero-day attacks can be discovered and mitigated before they are able to cause significant damage. SIEM technology is what makes this aggregation possible, centralizing intelligence and allowing security analysts to have a complete picture of suspicious activity within the environment.
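The cross-layer correlation described above, as an added illustration that is not part of the original article or any SIEM product: a single endpoint alert is not treated as conclusive, but when endpoint, network and perimeter events for the same host fall inside one time window, the host is flagged. The event format and the sample events are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three defense layers (hypothetical format).
# Only ws-17 shows activity at all three layers within a short window.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "layer": "endpoint", "host": "ws-17",
     "detail": "unsigned binary spawned a scripting host"},
    {"ts": "2024-01-10T09:03:40", "layer": "network", "host": "ws-17",
     "detail": "SMB connections to 12 internal hosts in 60s"},
    {"ts": "2024-01-10T09:07:12", "layer": "perimeter", "host": "ws-17",
     "detail": "sandbox verdict: malicious outbound beacon"},
    {"ts": "2024-01-10T11:15:00", "layer": "endpoint", "host": "ws-42",
     "detail": "unsigned binary spawned a scripting host"},
    {"ts": "2024-01-10T14:20:00", "layer": "network", "host": "srv-db1",
     "detail": "SMB connections to 12 internal hosts in 60s"},
    {"ts": "2024-01-11T08:00:00", "layer": "perimeter", "host": "ws-42",
     "detail": "sandbox verdict: malicious outbound beacon"},
]


def correlate(events, window=timedelta(hours=1), min_layers=2):
    """Return {host: finding} for hosts where at least `min_layers`
    distinct defense layers reported activity inside one `window`.
    A finding keeps the widest set of layers seen for that host."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(
            (datetime.fromisoformat(e["ts"]), e["layer"], e["detail"]))

    findings = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order, so each window starts at evs[i]
        for i, (t0, _, _) in enumerate(evs):
            in_window = [ev for ev in evs[i:] if ev[0] - t0 <= window]
            layers = {ev[1] for ev in in_window}
            best = len(findings.get(host, {}).get("layers", ()))
            if len(layers) >= min_layers and len(layers) > best:
                findings[host] = {
                    "layers": sorted(layers),
                    "first": in_window[0][0].isoformat(),
                    "last": in_window[-1][0].isoformat(),
                    "events": [ev[2] for ev in in_window],
                }
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(host, f["layers"], f["first"], "->", f["last"])
```

Widening the window or lowering `min_layers` trades fewer missed multi-stage intrusions for more single-layer noise, which is exactly the tuning a SIEM analyst performs.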

Zero-day exploits are in fact a very real danger and without the proper tools and visibility they can wreak havoc on an infrastructure. However, as with all modern security strategies, an effective, integrated, multi-layered approach can give the good guys a significant leg up on attackers looking to take advantage of these vulnerabilities.