While most malware attacks and hacking can be addressed with up to date security software solutions such as antivirus products, there are some vulnerabilities that are not addressed immediately creating an opportunity for successful attacks. Zero day attacks take advantage of security flaws in a program that developers either don’t know about or have not yet addressed. For an unprepared developer or software vendor, a successful zero day attack can be catastrophic, resulting in leaked data, stolen assets, or a loss of customer trust. Though these sorts of attacks are impossible to anticipate and hard to address, there are zero day attack prevention practices and security vulnerability management strategies that developers and software owners can use to limit the damage.
Detecting a Zero Day Attack
In most cases, developers won’t have a chance to stop a zero day attack before it happens. If there’s a vulnerability in the code of their program that they don’t know about, they likely won’t know about it until the attack has already occurred. For this reason, it is important that application owners stay on top of known vulnerabilities and fix them as soon as possible.
Zero day attacks can be detected by monitoring network activity when possible and watching for irregularities. Artificial intelligence tools can be used to automatically keep an eye on network traffic and notify system owners of unusual activity.
Specific Strategies: Efficient Patch Management
Containment is arguably the most important step an incident response plan, as it prevents further damage from spreading following an attack. At the heart of containing an incident is patching the flaw that allowed the attack to occur in the first place. The sooner that patch is deployed, fewer losses will be sustained.
In order to patch a flaw as quickly as possible without disrupting workflow, patches can be outsourced to custom software providers. This process can even be partially automated, so that as soon as a breach is identified, a request to identify and patch its source is immediately placed. Large enough organizations might consider maintaining a dedicated team to patch any bugs or flaws as they are identified.
Zero Day Exploit Prevention
Though zero day attacks are by definition nearly impossible to prevent once a flaw exists, there are methods by which an organization can limit the number of zero day exploits they are affected by.
First, organizations must thoroughly test systems and software before they are put into active use, and to hire white hat hackers to probe security so that any vulnerabilities are discovered and patched before release. There are times when certain project timelines won’t allow for software testing to occur before release. In these situations, all efforts must be made to test the system as soon as it is in use.
Another method to avoid a zero day attack is to prevent a discovered exploit from being released onto the market. When a hacker discovers a flaw, they have the choice to either report it to the developer, or to sell it to a dark net broker. By incentivizing hackers to report their findings directly to the developer, that developer can preempt an actual attack. A developer might offer a reward for any flaws that are discovered, though this also feeds into the economy of exploit trading, and rewards malicious activity.
Though file signature identification techniques won’t work on a zero day attack until after it’s been identified, if the owners of the first system affected by a particular attack strategy identify and report the program’s signature, attacks on other systems can be prevented.
Specific Strategies: Next Generation Antivirus
Next generation antivirus, or NGAV, is useful for preventing and responding to zero day attacks in ways that traditional antivirus cannot. Because traditional antivirus services identify threats only as new files are introduced to the system, zero day attacks using macros, remote logins, or those manipulating system memory are invisible to them. Next generation antivirus instead records and analyzes events that happen within a system to detect unusual behaviors. This makes it a powerful tool to detect and respond to zero day attacks, and possibly prevent some from taking full effect.
Responding to a Zero Day Attack
No software is immune to zero day attacks, so it’s essential to have a zero day policy in place to thwart attacks, and to ensure that all team members managing a system are familiar with that policy. A good zero day policy will mitigate damage, minimize the vulnerability exploit window, and ultimately patch the flaw that may allow an attack to occur and be successful.
The six step incident response protocol outlined by the SANS institute provides a good outline around which an effective policy can be built. The six steps are as follows:
This step should be performed before an incident even occurs, and should be updated along with any major software changes. It involves creating a list of all the assets that might be at risk from an attack, such as networks and servers. This list of assets should be prioritized according to which are most important to protect.
After finishing prioritization, a list of possible incidents should be created. Any attacks that seem likely to occur should be planned for, and guidelines should be put in place for who to contact in the event of each one.
Once a security breach has been detected, as much information as possible must be collected about it. What flaw did it exploit? What was its objective? Is it continuing to spread? Collect all the data provided by security tools and analyze it.
The attack’s entry point must be sealed off. The flaw that was identified in the previous step should be patched as quickly as possible. If possible, stop any remnants of the attack from spreading farther than they already have by temporarily closing off the connections between infected systems and those that are yet to be affected.
Any remaining activity resulting from the attack needs to be stopped. The threat may have spread between systems, and will need to be removed from any that have been affected.
Return the affected systems to normal operations. If data was stolen or a third party was otherwise harmed, they must be notified.
- Lessons Learned:
In this step, the incident is analyzed. Was the response to the attack effective? Where did it fall short, and how could it have been improved? How could similar attacks be prevented in the future, or at least dealt with more quickly?
Which Strategies are Right for Your Organization?
Some of the strategies listed above are absolutely essential for any organization, such as creating a policy for preventing zero day attacks and responding to zero day incidents. The more expensive strategies, such as NGAV or automating and outsourcing patch management, won’t be feasible for smaller organizations, and might not fit into limited budgets. Whether it’s wise to use them depends on what is at stake in the event of a successful attack. If millions of dollars could be lost, or millions of lives affected, then every possible step to avoid zero day dangers should be taken.