Zero-Day Attacks: You Can’t Always Prevent Them, But You Can Detect Them

Detecting zero-day attacks

Malicious actors are increasingly turning to zero-day attacks against both organizations and users. Every Microsoft vulnerability known to have been exploited in 2017 was first exploited as a zero-day, that is, before a patch was available. That is up from 52 percent in 2012 and 28 percent in 2008.

Clearly, we need to take zero-day attacks seriously if we are to defend against them. But not everyone has a clear picture of how a zero-day attack differs from other campaigns that exploit vulnerabilities. In this post I'll describe what zero-day attacks are, provide some examples and discuss how organizations can defend against them.

What Are Zero-Day Attacks?

Kaspersky Lab defines a zero-day exploit as “a cyber attack that occurs on the same day a weakness is discovered in software”. This definition is a fair starting point, but it misses the reality of many zero-day attacks. Bad actors commonly exploit a flaw well before the software vendor or anyone else in the security community knows it exists. The "zero" refers to the number of days the vendor has had to fix the flaw: until it is discovered and patched, every exposed system remains vulnerable and attackers can exploit it at will.

So why does all this matter?

Zero-day attacks stand out for two reasons. First, they are usually very difficult to detect. Many traditional security controls rely on signature-based tools such as intrusion detection and prevention systems (IDPS) to spot incoming threats. But a signature can only be written once someone has analyzed the exploit or the vulnerability it abuses, and for a zero-day nobody has done that yet. Until that happens, the attack passes straight through signature-based tools.

Second, sophisticated actors are known to stockpile undocumented vulnerabilities for the purpose of conducting zero-day attacks. Per SearchSecurity, advanced persistent threat (APT) actors, particularly organized digital crime groups, like to hoard these types of security flaws. This practice maximizes the chance of a successful attack and is frequently used against high-value targets.

4 Examples of Zero-Day Attacks at Work

It’s not surprising that the security community has witnessed several zero-day attacks recently. Let’s look at four attack campaigns from 2019 that made headlines.

  • In July 2019, ESET revealed that it had caught a zero-day exploit being used in a targeted attack in Eastern Europe. The exploit abused a local privilege escalation vulnerability in Microsoft Windows and was aimed at systems running older versions of Windows.
  • A few months later, Confiant reported that a threat actor called eGobbler had leveraged two zero-day vulnerabilities in the Chrome and WebKit browsers on iOS devices to bypass built-in browser protections. Exploiting these bugs let eGobbler serve pop-up ads and forcibly redirect users to malicious sites.
  • In October, Google Project Zero member Maddie Stone published a technical analysis of a zero-day vulnerability that allowed malicious actors to gain full control over 18 different Android phone models. The analysis found evidence suggesting that the Israel-based NSO Group Technologies had used or sold the bug.
  • Around the same time, news emerged of a serious OpSec failure by SandCat, a threat actor that Kaspersky Lab believes to be Uzbekistan’s intelligence agency. Per Kim Zetter’s reporting for VICE, the group installed Kaspersky’s software on the same machines it was using to develop new malware. This misstep helped Kaspersky discover multiple zero-day vulnerabilities used by SandCat.

Organizations Need More than Prevention to Stay Safe

Signature-based detection will not stop an exploit nobody has seen before, but there are still several things we can do to reduce our exposure to zero-day attacks:

  • First and foremost, make sure antivirus software is running on every machine. It cannot recognize the zero-day exploit itself, but the exploit is usually only the entry point: the malware dropped afterwards is often a known family, and that is something antivirus can catch.
  • Per Norton, we also need a reliable way of applying known patches. In practice that is harder than installing every patch the moment it ships, which is why we need a comprehensive vulnerability management program that uses a risk profile to prioritize which flaws get fixed first. A patch cannot exist for a flaw the vendor does not know about, but once one is released, every unpatched system turns what was a zero-day into an ordinary, easily exploited bug.
  • Finally, a web application firewall (WAF) at the network edge adds a layer in front of our web applications. Imperva notes that a WAF can validate and filter incoming requests for malicious input even while the application behind it is still unpatched, which covers part of the gap that vulnerability scanning and patch management leave open.

However, it’s impossible to prevent every zero-day attack. For instance, attackers can use social engineering to get a user to open a malicious document or link, which bypasses perimeter defenses and delivers the zero-day exploit straight to the endpoint.

Computer security specialist Anton Chuvakin is clear-eyed about the limits of prevention, and about what has to back it up. As he wrote for LinkedIn:

“No amount of prevention will help you when prevention fails… Layered prevention is still prevention, and when prevention fails you need detection.”

The goal is to detect a zero-day attack early: after the initial exploit of one of our IT assets, but before the attackers use that foothold to move laterally through the network and steal our sensitive information. The exploit itself may be unknown, but what attackers do next is not. Reconnaissance, lateral movement and data exfiltration all leave traces in network traffic that look nothing like the normal behaviour of the compromised host. A network detection and response platform that applies AI-based network traffic analysis can pick up those anomalies without needing a signature for the exploit, which is exactly what signature-based tools lack.
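The two behaviours named above, fan-out to many internal hosts over remote-management ports and an unusually large upload to an external address, can be spotted from flow records alone. The block below is an added example written for this post, not Lastline code or anything from the original article: two simple behavioural rules run over a constructed flow log. The internal address range, port list, window, thresholds and per-host baselines are assumptions chosen for illustration, and the sample flows are made up. It also answers the earlier point about signature-based tools: neither rule needs to know anything about the exploit that got the attacker in.

```python
"""Behaviour-based detection over network flow records (added example).

Rather than matching a signature for an exploit nobody has seen yet, these
two rules look at what an intruder does *after* the exploit: fanning out to
many internal hosts over remote-management ports (lateral movement) and
pushing far more data to the outside than the host normally does
(exfiltration). All parameters and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed site-specific tuning (not from the original post).
INTERNAL_NET = ip_network("10.0.0.0/8")
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}   # SSH, SMB, RDP, WinRM
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 5                        # distinct internal peers in one window
EXFIL_MULTIPLIER = 10                       # bytes out vs. the host's own baseline
EXFIL_FLOOR = 50_000_000                    # never alert below 50 MB outbound

# Constructed per-host baseline: typical bytes sent to external hosts per day.
BASELINE_BYTES = {"10.0.1.20": 40_000_000, "10.0.1.77": 35_000_000}

# Constructed flow log: "timestamp src dst dport bytes_out", one flow per line.
# 10.0.1.20 behaves normally; 10.0.1.77 sweeps the server subnet over
# SMB/RDP/WinRM and then uploads 800 MB to an external address.
SAMPLE_FLOWS = """\
2019-10-21T09:00:01 10.0.1.20 10.0.2.5 445 12000
2019-10-21T09:05:40 10.0.1.20 93.184.216.34 443 30000000
2019-10-21T09:30:12 10.0.1.20 10.0.2.5 445 8000
2019-10-21T13:02:10 10.0.1.77 10.0.2.1 445 900
2019-10-21T13:02:11 10.0.1.77 10.0.2.2 445 900
2019-10-21T13:02:12 10.0.1.77 10.0.2.3 445 900
2019-10-21T13:02:13 10.0.1.77 10.0.2.4 3389 1500
2019-10-21T13:02:14 10.0.1.77 10.0.2.5 445 900
2019-10-21T13:02:15 10.0.1.77 10.0.2.6 445 900
2019-10-21T13:02:16 10.0.1.77 10.0.2.7 5985 2200
2019-10-21T13:40:00 10.0.1.77 203.0.113.9 443 800000000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET


def detect_lateral_movement(flows):
    """Flag internal hosts that reach FANOUT_THRESHOLD or more distinct internal
    peers on admin ports within FANOUT_WINDOW. Returns {src: details}."""
    events = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]) and f["dport"] in ADMIN_PORTS:
            events[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Window anchored at each event: distinct peers reached within
            # FANOUT_WINDOW of it.
            peers = {dst for ts, dst in evs[i:] if ts - start <= FANOUT_WINDOW}
            if len(peers) >= FANOUT_THRESHOLD:
                alerts[src] = {"window_start": start, "distinct_peers": len(peers),
                               "peers": sorted(peers)}
                break   # the first crossing is enough for an alert
    return alerts


def detect_exfiltration(flows, baseline):
    """Flag internal hosts whose outbound bytes to external addresses exceed
    max(EXFIL_FLOOR, EXFIL_MULTIPLIER * their baseline). Returns {src: details}."""
    out_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            out_bytes[f["src"]] += f["bytes"]
    alerts = {}
    for src, total in out_bytes.items():
        # Hosts with no baseline fall back to the absolute floor.
        limit = max(EXFIL_FLOOR, EXFIL_MULTIPLIER * baseline.get(src, 0))
        if total > limit:
            alerts[src] = {"bytes_out": total, "limit": limit}
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, d in detect_lateral_movement(flows).items():
        print(f"LATERAL MOVEMENT {src}: {d['distinct_peers']} admin-port peers "
              f"from {d['window_start']}")
    for src, d in detect_exfiltration(flows, BASELINE_BYTES).items():
        print(f"EXFILTRATION {src}: {d['bytes_out']:,} bytes out (limit {d['limit']:,})")
```

On the sample data only 10.0.1.77 trips either rule. The rules are deliberately crude: a vulnerability scanner or a backup job will legitimately fan out or send large volumes, so in production the baselines are learned per host and per role rather than hard-coded, and known scanners and backup targets are allowlisted. The point is that both alerts come from the attacker's behaviour, not from any knowledge of the exploit that compromised the host.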

Learn how Lastline’s AI-powered Network Detection and Response can help you stop zero-day attacks.

Teresa Wingfield


As a cyber security evangelist at Lastline, Teresa Wingfield enjoys sharing new perspectives on top security challenges such as SOC efficiency, sophisticated threats, network visibility, and hybrid data center protection. Teresa has more than ten years of security experience at leading companies such as McAfee (cloud and data center security), VMware (mobile security) and Symantec (virtual machine protection and website security). She has also worked at several startups in the endpoint detection and response and compliance fields. Teresa holds an M.S. in Information Technologies from the Massachusetts Institute of Technology.