A zero-day exploit is a type of attack in which the attacker takes advantage of a previously unknown security vulnerability in computer software or an application. Zero-day exploits are highly successful because no patch is available for the vulnerability, or the application developers are not yet aware of it. Security solutions that rely on a signature directory or a catalogue of known bad behaviors cannot recognize the malicious code, which lets attackers stay undetected and spread unchecked to other devices that share the vulnerability.
The Danger of Zero-Day Exploits
A zero-day exploit can be extremely damaging, as hackers exploit the vulnerability before the programmers or developers have had time to react. This leaves companies essentially defenseless. In many cases, the breach is discovered only after several days or weeks, which gives hackers enough time to move laterally and exfiltrate sensitive data.
One of the most notable zero-day attacks in recent times was the DNC hack of 2016. Attackers stole a collection of emails from the Democratic National Committee using at least six zero-day vulnerabilities.
Similarly, a zero-day attack on Sony in 2014 led to hackers stealing and releasing sensitive corporate data on public file-sharing sites. The data included four unreleased feature films, business plans, contracts, and personal emails of top executives.
Unfortunately, the threat of zero-day attacks is only expected to increase with time. According to Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures, zero-day exploits will rise from one per week in 2015 to one per day by 2021. This is not surprising when you consider the number of software vulnerabilities that are being discovered every year.
According to the Cybersecurity Ventures’ 2017 Q1 Report, 135 vulnerabilities were discovered in Adobe products during the first 11 months of 2016 and 76 in Microsoft products. With the increasing use of open source code by developers, any flaw in a single block of open source code used in multiple devices can multiply the attack surface in the event of a zero-day attack.
How to Prevent Zero-Day Exploits
Zero-day exploits abuse software flaws on vulnerable endpoints to gain access to the network, usually through phishing or spear-phishing campaigns. Genuine-looking emails carrying malicious links or attachments pass through firewalls unchallenged. Once an employee clicks on the link or opens a seemingly harmless document, the code executes, connects to the attacker's command-and-control (C&C) server, and downloads the malware onto the endpoint.
Traditional antivirus solutions rely on a known set of signatures or behaviors to identify and stop malicious code. In a zero-day attack, however, the malware's signature is not in the database, and because the malware takes over existing, trusted applications, the security system cannot distinguish it from legitimate activity.
If businesses want to secure their endpoints against zero-day and other unknown attacks, they need to take a completely different security approach. Instead of deploying reactive security solutions which scan, detect, and then prevent, enterprises need to adopt a zero-trust approach which allows only known and approved processes to run.
This approach flips the traditional security model on its head by eliminating the dependency on an ever-expanding signature directory and the need for regular patches and updates. Going signature-less also requires complete visibility and control over all processes running on your endpoints, so that security operators can run only the known, whitelisted processes while disallowing every other process. The result is complete endpoint lockdown and protection from known and unknown threats, without the need for antivirus and SIEM products.
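The difference between the two models described above, as an added example that is not part of the original post or ColorTokens' product: a reactive signature denylist is default-allow and lets a never-before-seen binary run, while a baseline allowlist is default-deny and blocks it. The process events and executable bytes are constructed stand-ins, and the allowlist is keyed on the image hash rather than the path so that a tampered copy of an approved program is also denied.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    """A process-creation event as an endpoint agent would observe it."""
    pid: int
    path: str
    image: bytes  # bytes of the executable on disk (constructed stand-ins below)


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Constructed sample images: short byte strings standing in for real executables.
NOTEPAD = b"MZ notepad build 1234"
ACME = b"MZ acme agent 2.1"
TAMPERED_ACME = b"MZ acme agent 2.1 + injected loader"  # same path as ACME, different bytes
DROPPER = b"MZ never seen before"                       # the zero-day payload

# Reactive model: block only what the signature database already knows is bad.
KNOWN_BAD_HASHES = {image_hash(b"MZ last year's trojan")}

# Zero-trust model: hashes of approved images recorded at baseline time; everything else is denied.
APPROVED_HASHES = {image_hash(NOTEPAD), image_hash(ACME)}


def signature_policy(ev: ProcessStart) -> str:
    """Default-allow: anything not on the denylist is permitted to run."""
    return "block" if image_hash(ev.image) in KNOWN_BAD_HASHES else "allow"


def allowlist_policy(ev: ProcessStart) -> str:
    """Default-deny: only images whose hash was approved at baseline may run."""
    return "allow" if image_hash(ev.image) in APPROVED_HASHES else "block"


def evaluate(events, policy):
    """Return {pid: decision} for each process-start event under the given policy."""
    return {ev.pid: policy(ev) for ev in events}


EVENTS = [
    ProcessStart(1001, r"C:\Windows\System32\notepad.exe", NOTEPAD),
    ProcessStart(1002, r"C:\Program Files\Acme\acme.exe", ACME),
    ProcessStart(1003, r"C:\Users\alice\AppData\Local\Temp\invoice.exe", DROPPER),
    ProcessStart(1004, r"C:\Program Files\Acme\acme.exe", TAMPERED_ACME),
]

if __name__ == "__main__":
    for name, policy in (("signature", signature_policy), ("allowlist", allowlist_policy)):
        print(name, evaluate(EVENTS, policy))
```

Note that hashing the on-disk image governs only what is allowed to start; code injected into an already-approved process after launch needs runtime controls beyond this check.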
As the threat of zero-day attacks increases, adopting a zero-trust security architecture will help enterprises defend against both known and unknown threats while significantly reducing the attack surface.
Help your business defend against zero-day attacks by trying Xprotect, ColorTokens’ endpoint protection solution. Xprotect takes a robust signature-less approach that works at the kernel level to detect, alert, and prevent unauthorized processes running on your endpoints and critical servers. Get started with a free trial today!