We often hear from the media and blog sites that the world of computing is doomed and there is nothing anyone can do about it, apart from waiting to see whether you are an unlucky target, or whether you will be lucky enough to survive just long enough for the all-important vendor patch to be released.
Meanwhile, behind closed doors, a malware developer or black hat writes an exploit to hit as many systems as possible.
The most common cause of this fear, uncertainty and doubt is the menace of the Zero-Day.
What is a Zero-Day?
In the context of Cyber Security, the term Zero-Day is one the media jumps on. A Zero-Day vulnerability is an exploitable flaw in a piece of software that the vendor does not yet know about, or has not yet fixed, so no patch is available; the name refers to the number of days the vendor has had to address it. A Zero-Day exploit is working code that takes advantage of such a flaw.
For attackers, a Zero-Day exploit is a reliable way of gaining system access, because the target has no patch and usually no detection signature for it.
For vendors, a Zero-Day vulnerability is a serious security risk for their clients, with equally serious repercussions for the vendor.
For businesses and security professionals, a Zero-Day vulnerability in software they run is a serious security threat.
Lifecycle of a Zero-Day
For a Zero-Day exploit to exist, someone first has to find the underlying vulnerability. There is an increasing trend for experts to look for Zero-Day vulnerabilities because vendors, Governments and criminal organisations pay large amounts of money for them. Vendors reward researchers who report flaws to them through bug bounty programmes (see https://bugcrowd.com/list-of-bug-bounty-programs); Governments and criminal organisations buy on a separate market, often paying more precisely so that the vulnerability stays unpublished.
Until a Zero-Day vulnerability is made public, the attackers who hold it use it sparingly and with caution, because every use risks detection and detection burns the exploit.
Once it has been made public a race ensues. Defenders try to fix it (developing, testing and installing patches) as quickly as possible, while attackers try to use the exploit as fast and as often as they can against as many targets as possible before systems are systematically patched. Those without effective patch management stay vulnerable for longer and become increasingly at risk as the exploit is packaged into exploit kits that are widely distributed, easy to use and often automated, so that anyone can try their luck.
So what can we do about Zero-Days?
By definition a Zero-Day has no patch and no detection signature yet, and vendors are still rushing to produce one, so perimeter controls cannot block the exploit until those are in place. Protection therefore has to come from a set of monitoring measures, from limiting what a successful exploit can reach, and from a vigilant security team.
Cycept’s tips on how to prepare your monitoring capabilities for Zero-Days:
Monitor for anomalies such as repeated process or system crashes and sudden changes in performance. A working exploit is often preceded by failed attempts that crash the target service, and a crash needs no signature to be noticed.
Segment the internal network so that only systems with a genuine need to talk to a given service can reach it. If a vulnerable system is compromised, segmentation limits how far the attacker can propagate from it.
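The first tip can be turned into a concrete SOC rule. The script below is an added example written for this page, not Cycept’s SIEM content, and the syslog lines it runs over are constructed for the example (host names, PIDs and addresses are invented). It parses kernel segfault reports and systemd SIGSEGV exits, groups them per host and process, and raises one alert when a service crashes at least three times inside a sixty-second window; it also records whether every crash in the burst faulted at the same instruction address, which is what repeated attempts against one bug look like.

```python
"""Flag bursts of process crashes per host: a cheap exploitation-attempt signal
that needs no signature for the bug itself. Added example, not Cycept code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample; hosts, PIDs and addresses are invented.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web-01 kernel: httpd[2101]: segfault at 41414141 ip 00007f3a2b0c1d20 sp 00007ffd1c0 error 4 in libparser.so
2024-03-01T10:00:09 web-01 kernel: httpd[2118]: segfault at 41414141 ip 00007f3a2b0c1d20 sp 00007ffd1c0 error 4 in libparser.so
2024-03-01T10:00:17 web-01 kernel: httpd[2133]: segfault at 41414141 ip 00007f3a2b0c1d20 sp 00007ffd1c0 error 4 in libparser.so
2024-03-01T10:00:25 web-01 systemd[1]: httpd.service: Main process exited, code=killed, status=11/SEGV
2024-03-01T10:03:40 db-01 kernel: postgres[880]: segfault at 0 ip 000055d1a0c0 sp 00007ffc error 6 in postgres
2024-03-01T11:30:00 web-02 sshd[433]: Accepted publickey for deploy from 10.0.0.5 port 51222
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
# Two crash shapes: a kernel segfault report, and systemd reporting a SIGSEGV exit.
CRASH_PATTERNS = [
    re.compile(r"kernel: (?P<proc>[\w.-]+)\[\d+\]: segfault at \S+ ip (?P<ip>[0-9a-f]+)"),
    re.compile(r"systemd\[\d+\]: (?P<proc>[\w.-]+)\.service: Main process exited.*SEGV"),
]


def parse_crashes(log_text):
    """Yield (timestamp, host, process, faulting_ip_or_None) for each crash line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for pat in CRASH_PATTERNS:
            c = pat.search(m["msg"])
            if c:
                ts = datetime.fromisoformat(m["ts"])
                yield ts, m["host"], c["proc"], c.groupdict().get("ip")
                break


def detect_crash_bursts(log_text, window_seconds=60, threshold=3):
    """Return one alert per (host, process) that crashed at least `threshold`
    times inside any `window_seconds` interval. Repeated crashes of one service
    at the same faulting address is the trail a half-working exploit leaves."""
    window = timedelta(seconds=window_seconds)
    by_target = defaultdict(list)
    for ts, host, proc, ip in parse_crashes(log_text):
        by_target[(host, proc)].append((ts, ip))

    alerts = []
    for (host, proc), events in by_target.items():
        events.sort(key=lambda e: e[0])
        i, n = 0, len(events)
        while i < n:
            j = i
            while j < n and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                ips = {ip for _, ip in events[i:j] if ip}
                alerts.append({
                    "host": host,
                    "process": proc,
                    "first_seen": events[i][0].isoformat(),
                    "count": j - i,
                    # One distinct faulting address across the burst: same bug, hit repeatedly.
                    "same_fault_ip": len(ips) == 1,
                })
                i = j  # this burst is consumed; look for the next one
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_crash_bursts(SAMPLE_LOGS):
        print(alert)
```

On the sample above the rule fires once, for httpd on web-01 (four crashes in 24 seconds, all at the same faulting address), and stays silent for the single postgres crash on db-01. The threshold and window are the knobs to tune against your own baseline: a service that is known to crash occasionally needs a higher threshold, and the `same_fault_ip` flag is what separates a flaky service from a targeted one.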
Make use of Cycept’s Managed SIEM Content Service to help detect Zero-Day attacks. Cycept’s Cyber Defence Research Center (CDRC) tracks new malware and Zero-Days in the wild, and our team of experts develops new monitoring content and hunting indicators for your SOC to deploy.
Expertly written, up-to-date content helps make your analysts highly proficient without having to find the needle in a haystack of false anomaly indicators.