Zero-day Attack Protection: Difficult to Achieve Yet Essential for Network Security

The greatest threats are typically the ones that you don’t see coming. This is especially true when it comes to zero-day attacks, which have been growing rapidly. As the number of these zero-day threats increases, so too does the need to take additional steps to protect your business. But how can you defend against a threat that nobody has ever seen before?

Zero-Day Attacks Are On The Rise

A zero-day attack is one that exploits a vulnerability that was unknown on the day the attack was launched. Typically, the vendor whose software is being exploited learns of the vulnerability as a result of the attack. When the notoriously prolific ransomware “WannaCry” cost organizations an estimated $4 billion in 2017, it was due to the exploit of a zero-day vulnerability.

Approximately 30% of malware attacks are zero-day malware. Many of these attacks are distributed through browsers or web services, making every organization potentially vulnerable to attack. As businesses increasingly use web-based services, they become more likely to be compromised. End users who are not aware of security best practices may inadvertently compromise a network via their mobile devices, and the Internet of Things opens up a new security landscape that must be protected.

When compared with the prior quarter, zero-day malware instances rose 167% in Q4 2017, according to a WatchGuard study released in March 2018. Cybercrime is becoming an industry that is as well structured and organized as legitimate businesses, with cybercriminals working regular 9-to-5 hours, complete with lunch breaks. New threats can be created faster than they can feasibly be identified, which is a problem for security solutions that depend on having already analyzed a malicious program in the past.

All of this requires better, more advanced zero-day protection.

Best Practices for Zero-Day Attack Protection

So how does a company protect itself from something that, by definition, has never been seen before? There are a number of cybersecurity best practices that can help reduce your organization’s chances of falling victim to a zero-day attack:

  • Update software as soon as possible, especially updates marked “critical security release.” In some cases, a fix for a recently discovered vulnerability is developed within hours of it first appearing. Immediately updating your software will, therefore, make your device immune to attacks exploiting that vulnerability.
  • Utilize threat intelligence. This will alert your company as soon as a new threat is identified, allowing you to take steps in order to defend against it.
  • Reduce your endpoints. The smaller your attack surface, the less vulnerable you are.
  • Regular employee training. Naturally, if your company’s employees have been kept up to date on the latest threats and can identify potentially malicious websites, links, or file attachments, you’re less likely to fall victim to a new strain of malware.

Solutions for Zero-Day Attack Protection

Even if you follow all of the advice above, there is still the possibility that you will fall victim to a zero-day attack as a result of a drive-by download from a compromised website, through social engineering, or through a personal device compromised off-site. To effectively defend against previously unseen attacks, organizations need to invest in the right zero-day protection solution.

An advanced breach detection suite needs to be able to identify attacks, not based on their signatures (which can only be generated for malicious files that have previously been analyzed), but rather on their behaviors. And it needs to use machine learning to establish a baseline for normal network activity, against which it can compare new activity to detect anomalies.

Anomalous behavior can include:

  • New programs suddenly being installed
  • Adding new users to the system, or changing the privileges of existing users
  • Data being deleted or modified in unusual ways
  • Any type of data encryption
  • Users accessing files or systems that they typically don’t need to in their regular day-to-day, or doing so at odd hours
  • A connection to a suspicious website
  • Unusual network connections, both internal and external
  • Data being sent out of the network to unusual or malicious destinations

But how do you identify anomalous behavior in time to do something about it? The answer is to use a network traffic analysis product that utilizes machine learning to spot anomalies, and then separates the malicious from the benign anomalies using knowledge of malicious behavior. After all, not all anomalies are malicious, and not all malware generates an anomaly.
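To make the two-stage idea concrete (first a baseline of normal activity to spot anomalies, then knowledge of malicious behavior to separate the malicious anomalies from the benign ones), here is a small added example; it is not code from the article or from any vendor's product. It assumes a simplified event shape of (timestamp, user, action, target, bytes_out), builds a per-user profile from constructed baseline events, flags new events that deviate from that profile, and then applies a second layer drawn from the list above (privilege changes, bulk encryption, a known-bad destination, a large upload to a never-seen target) to label each anomaly. All events, hostnames and addresses are constructed for illustration; the "known-bad" address comes from a documentation range and is not a real indicator.

```python
from collections import defaultdict
from datetime import datetime

# Event shape assumed for this example: (iso_timestamp, user, action, target, bytes_out).
# Every event below is constructed for illustration; none is a real log line.
BASELINE_EVENTS = [
    ("2018-03-05T09:05:00", "alice", "file_read", "fileserver01", 0),
    ("2018-03-05T11:20:00", "alice", "http", "crm.internal.example", 1200),
    ("2018-03-06T10:15:00", "alice", "file_read", "fileserver01", 0),
    ("2018-03-06T14:30:00", "alice", "http", "crm.internal.example", 900),
    ("2018-03-07T09:45:00", "alice", "file_write", "fileserver01", 0),
    ("2018-03-05T08:30:00", "bob", "ssh", "build01", 0),
    ("2018-03-06T09:10:00", "bob", "ssh", "build01", 0),
    ("2018-03-06T16:00:00", "bob", "http", "git.internal.example", 4000),
    ("2018-03-07T17:30:00", "bob", "ssh", "build02", 0),
]

# New activity to be judged against the baseline (constructed).
NEW_EVENTS = [
    ("2018-03-08T10:00:00", "alice", "file_read", "fileserver01", 0),        # matches baseline
    ("2018-03-08T11:15:00", "alice", "http", "wiki.internal.example", 800),  # new target, nothing else odd
    ("2018-03-08T02:40:00", "alice", "http", "198.51.100.7", 50000),         # odd hour, new target, large upload
    ("2018-03-08T10:30:00", "bob", "http", "203.0.113.45", 300),             # destination on the known-bad list
    ("2018-03-08T03:05:00", "bob", "change_privilege", "build01", 0),        # privilege change at 03:05
    ("2018-03-08T03:10:00", "bob", "bulk_encrypt", "fileserver01", 0),       # encryption of a file share
    ("2018-03-08T11:00:00", "carol", "ssh", "build01", 0),                   # user with no baseline at all
]

# Stand-in for threat intelligence: placeholder address from a documentation range, not a real IoC.
KNOWN_BAD_TARGETS = {"203.0.113.45"}

# Actions that correspond to items in the article's list of anomalous behaviors.
SUSPICIOUS_ACTIONS = {"install_program", "add_user", "change_privilege", "bulk_encrypt"}


def build_baseline(events):
    """Per-user profile of normal activity: targets seen, active hours, actions used, peak bytes out."""
    profile = defaultdict(lambda: {"targets": set(), "hours": set(), "actions": set(), "max_bytes": 0})
    for ts, user, action, target, bytes_out in events:
        p = profile[user]
        p["targets"].add(target)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["actions"].add(action)
        p["max_bytes"] = max(p["max_bytes"], bytes_out)
    return profile


def find_anomalies(profile, events, byte_factor=5):
    """Stage one: return (event, reasons) for every event that deviates from the user's baseline."""
    anomalies = []
    for ev in events:
        ts, user, action, target, bytes_out = ev
        p = profile.get(user)
        reasons = []
        if p is None:
            reasons.append("unknown_user")
        else:
            if target not in p["targets"]:
                reasons.append("new_target")
            if datetime.fromisoformat(ts).hour not in p["hours"]:
                reasons.append("odd_hour")
            if action not in p["actions"]:
                reasons.append("new_action")
            if bytes_out > byte_factor * max(p["max_bytes"], 1):
                reasons.append("bytes_spike")
        if reasons:
            anomalies.append((ev, reasons))
    return anomalies


def triage(anomalies):
    """Stage two: separate malicious from benign anomalies using knowledge of malicious behavior."""
    alerts = []
    for ev, reasons in anomalies:
        _, _, action, target, _ = ev
        verdict = "benign"
        if target in KNOWN_BAD_TARGETS:
            verdict = "malicious:known_bad_destination"
        elif action in SUSPICIOUS_ACTIONS:
            verdict = "malicious:" + action
        elif "new_target" in reasons and "bytes_spike" in reasons:
            verdict = "malicious:possible_exfiltration"
        alerts.append((ev, reasons, verdict))
    return alerts


def detect(baseline_events, new_events):
    """Run both stages and return a list of (event, reasons, verdict)."""
    return triage(find_anomalies(build_baseline(baseline_events), new_events))


if __name__ == "__main__":
    for ev, reasons, verdict in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{ev[0]} {ev[1]:6} {ev[2]:16} {ev[3]:22} {verdict:34} {','.join(reasons)}")
```

Note the split this illustrates: the baseline alone flags six of the seven new events (everything except alice's routine file read), including the harmless visit to an internal wiki and a user with no history yet, while only four of those six carry a behavioral signal that warrants a malicious verdict. An unknown user or a new target is surfaced for review rather than labeled malicious on its own, which is exactly why the article stresses that anomaly detection and knowledge of malicious behavior have to work together.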

Once the software identifies a potentially malicious attack, it can then automatically send out security alerts before data exfiltration occurs, allowing analysts to examine and mitigate a zero-day attack.

Should your network be infected with a new strain of malware, an advanced breach detection solution will be able to identify the malicious element and quarantine it before it can do serious damage. New malware programs may try to detect when they are being sandboxed or may delay any malicious activity until after they believe that they are no longer under scrutiny.

However, by putting a potentially malicious piece of code into a modern sandbox environment (one that replicates the entire network environment down to the hardware level), the breach detection solution can examine how the code behaves when it “thinks no one is looking.” By looking at both signatures and behaviors, as well as network traffic anomalies, the solution can quickly identify a new threat, even if it has never been seen before, and quarantine it before it does any damage.

True Zero-Day Attack Protection

Only solutions that focus on detecting anomalous network behavior—consisting of network traffic analysis plus an understanding of malicious behavior—can provide true zero-day attack protection. Products that rely on signatures alone will not be able to identify or stop a zero-day threat.

Zero-day attacks are only going to become both more plentiful and more advanced as cybercriminals discover vulnerabilities faster than vendors can patch them, especially as the attack surface expands as a result of IoT devices. In order to protect your business, you need to invest in products that decide whether something is malicious or benign by detecting behaviors rather than by relying on signatures.

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.