What is Zero-Day Vulnerability and How Do You Prevent it?

What is A Zero-Day Vulnerability?

The key difference between zero-day vulnerabilities and other types of security vulnerabilities is that they must be dealt with as soon as they are identified. It should be noted, however, that even if a zero-day vulnerability has been identified and patched in a timely manner, that doesn’t automatically mean that the threat is over.

It’s quite possible that attackers have already exploited the vulnerability and have installed some form of backdoor, which they will use to gain access to the system at a later date. Upon discovering a vulnerability, companies must remain vigilant and monitor all facets of their IT environment for suspicious behaviour.

Fortunately, most zero-day bugs are found and patched before they become known to the public. In some cases, organizations offer bounties to members of the public who find zero-day bugs in their software. For example, both Microsoft and Google offer cash rewards of up to $100k to those who successfully identify and report a bug that may have lead to a serious breach.

What Is A Zero-Day Exploit?

A zero-day exploit will typically arrive in the form of a malware application that is designed to exploit a zero-day vulnerability. A zero-day attack can exploit vulnerabilities found in a variety of systems, including operating systems, web browsers and other applications. They can also be found in hardware, such as routers, switches and Internet of Things (IoT) devices.

Perhaps the most well-known example of a zero-day exploit was the WannaCry ransomware attack that arrived in May 2017, which took advantage of a vulnerability found in Microsoft Windows. Zero-day exploits are difficult to block as they are often able to evade even the most sophisticated signature-based threat detection technologies.

Since they are brand new attack vectors, little or nothing is known about them, and there will be no software patches available to install. Given that it is very difficult to detect zero-day exploits, companies must rely on data-centric solutions that are able to detect, alert and respond to anomalous events in real-time – often by detecting events that match a threshold condition. In some cases, a zero-day vulnerability can manifest in the form of a zero-day exploit if it is not found and patched in a timely manner. Either way, a failure to act quickly could result in a lot of damage.

How to Prevent Zero-Day Attacks

As mentioned previously, zero-day exploits are very difficult to detect at the point of infection. As such, you must ensure that you are able to detect and respond to anomalous events as they unfold.

However, to do this, you must be able to identify a typical usage patterns, which first requires an understanding of the patterns of behavior that are considered “normal”. You will need to monitor all of your critical assets and resources, including your user accounts, files, folders, emails accounts, VPN, DNS, and Web Proxies.

In some cases you will need to respond to events that match a pre-defined threshold condition, which can help to prevent the spread of ransomware. For example, if X number of files have been encrypted within Y seconds, a custom scripts can be executed to stop the attack in its tracks. This might include disabling user accounts, restricting access permissions, stopping specific processes, backing up data, or simply shutting down the affected server(s).

As always, the principal of least privilege (PoLP) should be applied to prevent a successful attacker from moving laterally throughout the network. In addition to monitoring and reporting on important system events, you should also consider the following tools and techniques to help you protect yourself from zero-day threats.

Automated Patch Management

Naturally, the best way to address software vulnerabilities is to ensure that all systems and software are kept up-to-date. This includes any operating systems, web browsers, network hardware and IoT devices used. However, keeping these systems up-to-date manually is a time consuming and error-prone task. A better option would be to use a sophisticated patch management solution which can source patches from vendors, install, test and deploy the patches automatically.

Have An Incident Response Plan (IRP) in Place

All companies should have a tried and tested incident response plan in place. There are seven widely cited stage of incident response, you can read more about the seven stages of incident response here.

Use Windows Defender Exploit Guard

Windows Defender Exploit Guard (available in Windows 2010 and later) can help you detect and block malicious code entering your network. It can block potentially malicious macros, including JavaScript, VBScript and PowerShell scripts from being downloaded and executed – either via a website or via a user clicking on an email attachment. Exploit Guard can also monitor and respond to file changes made by applications and prevent malware from communicating with a command-and-control server (C&C).

Use a Next-Generation Antivirus (NGAV) solution

As new and improved strains of malware emerge that are capable of evading most traditional anti-virus solutions, we must ensure that we have the latest and greatest threat detection technologies available. In addition to leveraging threat intelligence, Next-Generation Antivirus (NGAV) solutions use machine learning techniques to learn activity patterns which can be tested against in order to identify potential malware infections. If any anomalous activity is detected, they can automate a response to prevent the attack from spreading to other endpoints.

Security Awareness Training

As with any cyber-security strategy, we must remember that our employees are often the first line of defence. We must ensure that they have received adequate cyber security awareness training to be able to identify and report on suspicious emails, anomalous account activity, hardware irregularities, and anything else that might suggest that the network has been compromised.