While you’ve taken steps to secure your network and sensitive data, you’re still at risk from a zero-day vulnerability. Maybe you’ve heard the term before but don’t have a deep understanding of how “zero-day exploits” work. Or perhaps you know about “zero-day exploits” but need actionable insights on how to prevent them.
This post provides an overview of zero-day exploits; zero-day statistics; watering-hole attacks; how zero-day attacks happen; how to detect and identify a zero-day attack; how to prevent zero-day attacks; the economics of zero-day exploits; recent zero-day vulnerabilities; and ways you can protect your organization.
The Basics: What is a zero-day exploit?
A zero-day exploit is an undisclosed application vulnerability that could be exploited to negatively affect the hardware, applications, data or network. The term “zero day” refers to the fact that the developers have “zero days” to fix a problem that has just been exposed and may have been already exploited. Hackers seize on that security vulnerability to launch a cyber attack on the same day a weakness is discovered. Basically, the vulnerability is exploited before a fix becomes available.
Zero-day exploits can take the form of viruses, polymorphic worms, Trojans, and various types of malware. All of these can be bought, sold, and traded. Hacker groups often post zero-day exploits as organizations under attack scramble to release patches against the security holes.
Statistics on zero-day exploits
The Symantec 2015 Internet Security Threat Report (ISTR), Vol 20 revealed that 2014 was a record-setting year for zero-day vulnerabilities.
The ISTR Vol 20 report found the following zero-day attack trends:
- It took software companies an average of 59 days to create and roll out patches—up from only four days in 2013.
- There was a four percent increase in vulnerabilities in 2014 compared with 2013.
- There were 24 zero-day vulnerabilities discovered in 2014, which left an open playing field for cyber attackers to exploit known security gaps before they were patched.
Some of these types of vulnerabilities were leveraged in targeted attacks through the use of watering-hole attacks, which will be covered in the following section.
What are watering-hole attacks?
In a watering-hole attack, the attacker targets websites a group often uses. The overall goal is to infect one or more of them with malware. When a member of the targeted group gets infected, the malware spreads and infects other members.
Adobe Flash Player and Microsoft Windows ActiveX Control vulnerabilities were widely used in targeted watering-hole attacks, and Microsoft-related products and technologies accounted for more than a third of the zero-day vulnerabilities disclosed in 2014.
How does a zero-day exploit happen?
There are several ways a zero-day exploit can occur. In most cases, attackers use exploit code to take advantage of a zero-day vulnerability by sneaking past the defenses to plant a virus or other malware onto a computer or device. Email or other similar means can also be used to entice unsuspecting users to visit a hacker-created web page. Once the page is viewed, the attacker-supplied malicious code runs undetected. Basically, they’ve gained access to your system without you knowing it.
Steps attackers take for a zero-day attack usually involve the following phases:
- Looking for a vulnerability: Attackers search through code looking for vulnerabilities. In some cases, zero-day exploits are sold (and purchased) by hackers.
- Vulnerability determined: Attackers find a hole in the security system that is unknown to the original developers.
- Exploit code created: Attackers write the exploit code.
- Infiltration: Attackers sneak past the defenses without the developer’s knowledge.
- Zero-day exploit launched: Armed with their exploit code, the attackers plant a virus or other malware.
Zero-day attacks occur because of a zero-day vulnerability window that exists between the time a threat is discovered and the time a security patch is released. A patch (aka “code fix”) can be released to combat the threat within hours, but in other cases, it can take days or even weeks.
Sometimes an individual who discovers a zero-day vulnerability notifies the developer about the risk. But not all discoveries are altruistic. Frequently, hackers with malicious intent find the vulnerability. As mentioned earlier, these hackers can use a zero-day vulnerability to cause damage or sell the exploit on the underground hacker market.
How do you detect a zero-day attack?
Detection techniques for zero-day exploits include:
- Statistical-based: This approach to detecting zero-day exploits in real time relies on attack profiles built from historical data.
- Signature-based: This detection approach is dependent on signatures made from known exploits.
- Behavior-based: This defense model is based on the analysis of the exploit’s interaction with the target.
- Hybrid-based: As the name suggests, this approach is a blending of different approaches.
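As an added illustration of the four approaches above (this is not code from the original post or from Symantec), the following Python sketch runs a signature check, a statistical baseline check, and a behavior rule over a handful of constructed endpoint events and then combines them in a hybrid verdict. The hostnames, process names, hash strings, the bytes-out baseline and the parent/child rule are all assumptions made up for the example.

```python
"""Four zero-day detection approaches run over constructed endpoint telemetry.

Constructed example: every hash, host and number below is invented; the goal is
to show why a novel exploit slips past a signature check but can still be
caught by statistical and behavioral checks.
"""
import statistics

# Constructed historical baseline of bytes sent out per process event. The
# statistical approach builds its "normal" profile from data like this.
HISTORY_BYTES_OUT = [800, 1200, 950, 1100, 1300, 700, 1000, 1250, 900, 1150]

# Constructed signature list: digests of exploit payloads already seen.
KNOWN_BAD_HASHES = {
    "b1f4c0de0000000000000000000000000000000000000000000000000000c0de": "Exploit.Sample.A",
}

# Constructed behavior rule: document viewers and office apps should not spawn
# script hosts or shells, whatever the payload's hash happens to be.
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "powershell.exe"),
    ("excel.exe", "cmd.exe"),
    ("acrord32.exe", "wscript.exe"),
}

# Constructed events: one benign, one known exploit, one novel exploit, one benign.
EVENTS = [
    {"id": 1, "host": "ws01", "parent": "explorer.exe", "proc": "winword.exe",
     "sha256": "0c1a" + "0" * 60, "bytes_out": 1050},
    {"id": 2, "host": "ws02", "parent": "explorer.exe", "proc": "dropper.exe",
     "sha256": "b1f4c0de" + "0" * 52 + "c0de", "bytes_out": 950},
    {"id": 3, "host": "ws03", "parent": "winword.exe", "proc": "powershell.exe",
     "sha256": "ffee" + "1" * 60, "bytes_out": 48_000},
    {"id": 4, "host": "ws04", "parent": "services.exe", "proc": "svchost.exe",
     "sha256": "9e2b" + "2" * 60, "bytes_out": 1100},
]


def signature_based(event):
    """Signature-based: match the payload digest against known exploits."""
    return event["sha256"] in KNOWN_BAD_HASHES


def statistical_based(event, history=HISTORY_BYTES_OUT, z_threshold=3.0):
    """Statistical-based: flag outbound volume far outside the historical profile."""
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history)
    z_score = (event["bytes_out"] - mean) / stdev
    return z_score > z_threshold


def behavior_based(event):
    """Behavior-based: judge the process's interaction with the host, not its bytes."""
    return (event["parent"], event["proc"]) in SUSPICIOUS_PARENT_CHILD


def hybrid_verdict(event, history=HISTORY_BYTES_OUT):
    """Hybrid: list which detectors fired and decide whether to alert.

    A signature match is conclusive on its own; otherwise require two
    independent weaker signals to keep false positives down.
    """
    hits = []
    if signature_based(event):
        hits.append("signature")
    if statistical_based(event, history):
        hits.append("statistical")
    if behavior_based(event):
        hits.append("behavior")
    flagged = "signature" in hits or len(hits) >= 2
    return hits, flagged


def run_detection(events=EVENTS, history=HISTORY_BYTES_OUT):
    """Return {event id: (detectors that fired, alert?)} for every event."""
    return {e["id"]: hybrid_verdict(e, history) for e in events}


if __name__ == "__main__":
    for event_id, (hits, flagged) in run_detection().items():
        status = "ALERT" if flagged else "ok"
        print(f"event {event_id}: {status} {hits}")
```

Event 3 is the zero-day case: its hash is unknown, so the signature check is silent, but the Office-to-PowerShell process chain and the abnormal outbound volume each fire, and the hybrid rule raises the alert. Event 2 shows the opposite: a known payload that the signature check catches even though it behaves unremarkably.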
The traditional approach for detecting zero-day exploits often involves relying on disparate network and endpoint protection technologies, which may cause gaps in the security system. Unfortunately, this may not be enough to combat attackers using advanced attack methods. Detecting advanced targeted attacks requires an integrated, multi-layered approach.
How can you prevent zero-day exploits?
Zero-day vulnerabilities can leave you susceptible to zero-day attacks with disastrous results to your business. We know this sounds a little daunting—and it is—but you can take proactive and reactive security measures.
Here are a few tips to keep your organization protected from security risks associated with zero-day vulnerabilities:
- Use top-rated security software. Be sure your security software doesn’t just cover known threats because zero-day attacks are, by definition, attacks not yet known.
- Update software. Software updates often contain security fixes that close known holes. Be sure to have your software updated regularly.
- Use updated browsers. Browsers are favorite targets for zero-day attacks. Updates to browsers are often automatic, but make sure your browsers are all updated as they often contain patches to vulnerabilities. Check these sites for specific browser update instructions:
- Establish security best practices. Make sure you set an example of personal online security best practices and have all your employees do the same.
In the next section, we’ll examine the zero-day market and its economics.
What is a zero-day market?
The marketplace for buying and selling zero-day vulnerabilities and exploits is thriving. Since zero-day vulnerabilities and exploits are extremely rare, this code is highly valuable not only to criminal hackers, but also to government intelligence agencies.
In some cases, a public-minded “white hat” hacker quickly reports a discovered vulnerability to the software developer for patching. Often it’s an altruistic gesture; other times, the hacker is rewarded financially.
But there’s also an obvious darker side to the zero-day market.
Hackers who discover vulnerabilities will sell the zero-day exploit to other people and organizations. In short, these zero-day exploits are sold as weaponized code.
And it’s big business. According to an article published on Forbes.com, zero-day exploits can sell from $5K to $250K. These prices factor in how widely used the target is as well as how difficult it was to find the zero-day exploit.
The zero-day market has three parts:
- The black underground market: Criminal hackers trade in exploit code.
- The white market: Researchers and hackers disclose vulnerability information to vendors in exchange for money.
- The grey market: Researchers sell zero-day exploits and vulnerabilities to military, intelligence agencies, and law enforcement to use for surveillance.
List of zero-day vulnerabilities
The following is a sample list of recent zero-day vulnerabilities by category:
- TrueType Font Handling Remote Code Execution Vulnerability (CVE-2014-4148)
- OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114)
- OpenType Font Driver Remote Code Execution Vulnerability (CVE-2015-2426)
- Microsoft Windows Group Policy Remote Code Execution Vulnerability (CVE-2015-0008)
While this is only a sampling of zero-day vulnerabilities, the list shows the variety of methods, targets, and tactics attackers use. Security-focused blogs, such as the Symantec Threat Intelligence Blog, can provide actionable insights on these vulnerabilities to protect enterprises and users from these threats.
Unfortunately, zero-day attacks aren’t going away anytime soon; in fact, it’s likely there will be an increase in zero-day exploits as attackers and the underground zero-day exploit market grow bolder. Furthermore, the targeted developers may hesitate to disclose the vulnerability for a variety of reasons, such as to protect the company’s reputation. This is detrimental to the developers, to users of the software, and to the entire industry, because it will only encourage more attackers to exploit zero-day vulnerabilities.
Organizations need to stay constantly vigilant to the developing tactics and methods used by hackers. Enterprises also need to continually educate themselves with the latest defense techniques to fight against these zero-day exploits. Zero-day vulnerabilities are not only an industry-wide concern, but they are also an issue for all of us as collective end-users.
Overall, education, preparation and a swift response to zero-day vulnerabilities need to be a company-wide concern—from the top executives, board members, and IT security teams to all employees.
How does Symantec help fight zero-day attacks?
Symantec is addressing the needs of organizations to accelerate detection. Symantec Advanced Threat Protection helps minimize the potential business impact of advanced targeted attacks by enabling users to rapidly uncover, prioritize, and quickly remediate advanced threats across endpoints, networks and email gateways.
Learn more by downloading the following Symantec Advanced Threat Protection product data sheets:
- Advanced Threat Protection: Endpoint
- Advanced Threat Protection: Network
- Advanced Threat Protection: Email