Circuit Magazine

For Security & Protection Specialists


Zero Days, How Do You Stop a Threat You Can’t See Coming?

This past March, WikiLeaks dumped 8,761 CIA documents collectively known as “Vault 7.” These documents contained information about what was essentially the government agency’s armory of cyber threats.

They included malware, viruses and Trojans used for espionage purposes. More importantly, they had information about zero day vulnerabilities the CIA had been using to hack computers, tablets, smartphones and other devices for intelligence gathering purposes.

Frighteningly, all of it was made available to hackers in one fell swoop. Wired called it “a one-stop guide to zero day exploits.”

On the bright side, cyber security researchers have access to the same information, which means they have some time to steel the rest of us against any fallout that could ensue from these previously undisclosed cyber weapons. Nevertheless, these zero day threats are out in the open now, and they can be used against us.

With that in mind, there’s no better time than now to dive into the world of zero day exploits. This post looks at how zero days behave, assesses some of the most infamous examples of them, and perhaps most importantly, provides best practices for how to deal with these elusive threats.

Part 1: The Evolution of Zero Days

A Sinister and Growing Cyber Threat
A zero day threat is a vulnerability that developers and security researchers have known about for less than a day. In many cases, these threats are first identified by penetration testers and white hats, which gives vendors time to issue emergency patches. In other cases, such as the CIA example, they are leaked, which puts the good guys and the bad guys on even footing. Then there are occasions on which hackers find the vulnerability first. They can exploit the flaw for nefarious purposes and, in doing so, incidentally tip off researchers to its existence.

In the past few years, the prevalence of these threats has spiked. In 2012, 14 zero day vulnerabilities were discovered. This number jumped to 23 in 2013, and then inched up to 24 in 2014. But in 2015 – the most recent year for data – 24 became 54, which is the equivalent of a 125 percent year-over-year increase. Part of the reason for this increase, according to Ars Technica, is that in 2015, a spyware contractor known as The Hacking Team was infiltrated. Among the casualties were six then-undisclosed zero day threats.

Perhaps even more ironic than a firm called “The Hacking Team” getting hacked is that Adobe Flash, and other programs known for being sources of zero day threats, improved their patching speed. Common sense tells us that this is a good thing, and in a way, it is. However, Adobe still accounted for 19 percent of the year’s zero days, according to Symantec. The faster these holes get patched, the quicker cyber attackers come back to find new ones. It’s worth noting that Adobe Flash is no longer supported by Google, Mozilla, Facebook and most other prominent internet technology companies.

Building on this irony, the targets of zero day threats aren’t companies with poor security posture. Rather, according to a comprehensive study about zero day threats – researched and written by the RAND Corporation – zero day exploits are primarily used against organizations that are diligent about patching for newly discovered threats. Companies that procrastinate on applying existing patches are the low-hanging fruit since they can be breached using older, simpler vulnerabilities.

In other words, as companies improve their overall computer management, zero day exploits may actually become more popular. This makes perfect sense upon closer examination: If hackers can’t use known vulnerabilities against organizations, then they’ll have to find new, unknown, and more complex ones.

That’s exactly what they’re doing. These brand new threats are by far some of the most difficult cyber attacks to defend against. Half the time, we never see them coming. Even when we do, we are too late.

Zero day threats are becoming more prevalent.

Discovering the Vulnerability First Helps, But It’s Not a Panacea
In many cases, hackers will sniff out a vulnerability before the white hats do. The most recent example of this occurred after a cyber security firm announced April 8, 2017 that hackers had been exploiting a zero day vulnerability in Microsoft Word since January. The attack starts as a phishing scam involving Word Documents sent via email. This type of social engineering is par for the course in today’s cyber-threat landscape. But in this case, all the user needs to do is click on the .rtf attachment.

This tactic departs from macro-malware methods, which require the user to enable macros for the malware to unpack its payload.

With this new exploit (tracked as CVE-2017-0199), opening the document automatically triggers a remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) API. This causes Word to connect to a server controlled by the attacker and download a .hta file. Just like that, the hacker has access to the infected endpoint. According to DarkReading, cyber criminals have already used this access to distribute the notorious Dridex banking Trojan.

This is hardly the first time hackers have leveraged vulnerabilities before they made it onto the good guys’ radar. One Internet Explorer bug from 2013 was only discovered after researchers found evidence that cyber criminals had already used it on multiple occasions to break into Windows PCs. According to security researcher Brian Krebs, the actual fix, MS13-008, was released as an emergency patch two weeks after the first signs of foul play were detected. During those two weeks, it was difficult to say how many more businesses and users were affected by the vulnerability, or to put a value on the productivity lost to remediation efforts.

To be certain, finding the threat first is the best way to make sure an emergency patch takes less than two weeks to deliver (in the case of CVE-2017-0199, it took three months). Even then, there are no guarantees. There are plenty of examples of zero days that hackers used to their advantage mere hours after they were announced, whether because the patch didn’t come soon enough or because not everyone updated quickly enough to prevent an intrusion.

One of the most notable examples of this occurred in April 2014 with the Heartbleed bug, which was born of a programming mistake. This was a serious flaw in the OpenSSL cryptographic software library that allowed anyone on the web to read the memory of systems protected by versions 1.01 and 1.02. But it didn’t stop at memory; the primary and secondary SSL keys themselves could also be stolen.

“This data could then, in theory, be used as skeleton keys to bypass secure servers without leaving a trace that a site had been hacked,” ZDNet contributor, Steven J. Vaughan-Nichols, wrote.

The bug was initially announced to the public on April 7. Within 24 hours, hackers used it to breach what the New York Times would later refer to only as “a major corporation.”

The Heartbleed bug was among the most infamous of zero day threats.

Zero Day Malware Is Also on the Rise
Code vulnerabilities aren’t the only attack path that organizations struggle to adequately defend. There’s also the issue of brand new or mutated malware that does not have a known signature.

The problem with these strains, which can exist in the wild for months before finally being discovered by researchers, is that traditional anti-virus software cannot detect them by signature. This increases the likelihood that the malware will evade firewalls and web filters.

According to a recent study cited by DarkReading, 30 percent of malware in the fourth quarter of 2016 either leveraged zero day vulnerabilities or was brand new. On top of that, the report found that many of the pre-existing attacks had been repackaged and distributed in new ways.

A separate report published by McAfee corroborated these findings, noting that the same trend prevailed in 2015: Three quarters of decline for new malware were followed by three quarters of growth. The pendulum swung once again, and after a slow first three quarters in 2016, we can expect an uptick in malware innovation and zero day exploits for the remainder of 2017.

One bright spot is that ransomware saw a decline in Q4. Unfortunately, that was almost exclusively attributed to the fall of Locky and Cryptowall. Other strains, such as Cerber, are still at large. With malware innovation on the rise, no one knows what new strains of ransomware will emerge during the time left in 2017.

Cyber security must be layered, and inclusive of multiple controls.
Part 2: Layered Cyber Security for Prevention

First and Foremost: Streamline Patch Management
At this point, the risk of not being able to swiftly patch a computing environment should be obvious. Within hours of the Heartbleed bug’s disclosure, hackers were already exploiting it. In other cases, patches were released well after hackers ferreted out the vulnerabilities. Either way, time is of the essence with zero day vulnerabilities: The sooner you patch, the better.

Further, it’s worth noting that zero day vulnerabilities never actually go away. According to the RAND Corporation, the average life expectancy of a zero day vulnerability is nearly seven years. A quarter of zero days become obsolete within a year of discovery. However, just as many survive for more than 9.5 years.

In other words, zero days can survive until they become obsolete by nature of evolving IT. Alternatively, they can be eradicated from your computing environment the moment a fix becomes available if you have a reliable methodology in place for streamlined patching.

Leverage Active Protection and Application Whitelisting
When it comes to preventing zero day threats and new, signatureless, or mutated malware from executing, the most effective method is application whitelisting. Consider, for instance, that web browsers are some of the most prolific sources of zero day exploits. A non-suspecting user may visit a rogue website, at which point malicious code on that site can exploit vulnerabilities in a web browser. From here, it’s much easier for malware to execute on a system, seemingly without the user having taken any noticeable action.

This is why active, layered protection with application control is so crucial. In addition to a firewall, which is useful for blocking known threats, a layered approach utilizes real-time scanning on the internet and on individual machines to identify suspicious activity. This builds another key layer of defense, making infiltration twice as difficult to achieve.

Application control takes this a step further by creating a repository of allowed executables. Rather than blacklisting known malicious software (technically, your firewall should already do this), an application whitelist prevents any executable program (known or unknown) that does not have explicit administrative authorization from launching. All program executions on computers and servers are thereby monitored in real time and, ideally, in conjunction with an active protection tool that can spot unusual or malicious activity, even in programs that are otherwise trustworthy.

As a result, malware with previously undiscovered or undocumented signatures cannot run. Likewise, even if a zero day vulnerability or advanced persistent threat somehow enables the injection of malware into the system, it won’t actually be able to launch. The situation is effectively defused.

Lastly, IT administrators require a simplified process to make all of this happen and the ability to customize privileges and application access by user. Specifically, they need:

  • Granular control: Refine and organize application control through publisher-based approvals, policy-based control, and protection at the local machine level.
  • Flexibility: The freedom to create tailored policies for different users and groups for their unique computer usage requirements.
  • Centralized management: Deployment and configuration must be possible via a single web-based or on-premises console.
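As an added illustration (this is example code written for this article, not code from Faronics or any vendor’s product), the following Python sketch models the three capabilities just listed as a default-deny decision engine: publisher-based approvals that apply to everyone, policy-based hash approvals per user group, and local approvals for a single machine. Every executable, hash, publisher name, user, and path in it is constructed sample data, and the `decide` function, `Policy` and `LaunchRequest` types are assumptions made for the example.

```python
"""Added example: a minimal application allow-list decision engine.

Illustrative code for this article, not a vendor implementation. It models
publisher-based approvals, per-group (policy-based) hash approvals and
per-machine (local) hash approvals, with default deny and an audit trail.
All binaries, hashes, publishers, users and paths are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LaunchRequest:
    machine: str
    user: str
    group: str                 # e.g. "finance", "sales"
    path: str
    content: bytes             # executable bytes (constructed here; read from disk in practice)
    publisher: Optional[str]   # subject of a verified code-signing certificate, or None if unsigned


@dataclass
class Policy:
    trusted_publishers: set[str]        # publisher-based approval, applies to all groups
    group_hashes: dict[str, set[str]]   # policy-based control: per-group allowed SHA-256 digests
    local_hashes: dict[str, set[str]]   # local machine level: per-machine allowed SHA-256 digests
    audit: list[str] = field(default_factory=list)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(policy: Policy, req: LaunchRequest) -> tuple[bool, str]:
    """Default deny: the binary runs only if an explicit approval covers it."""
    digest = sha256(req.content)
    if req.publisher and req.publisher in policy.trusted_publishers:
        allowed, reason = True, f"allowed: signed by trusted publisher '{req.publisher}'"
    elif digest in policy.group_hashes.get(req.group, set()):
        allowed, reason = True, f"allowed: hash approved for group '{req.group}'"
    elif digest in policy.local_hashes.get(req.machine, set()):
        allowed, reason = True, f"allowed: hash approved locally on '{req.machine}'"
    else:
        allowed, reason = False, "denied: no explicit authorization (unknown binary)"
    # Every decision is recorded so that denials can feed the active-protection layer.
    policy.audit.append(
        f"{req.machine} {req.user}/{req.group} {req.path} sha256={digest[:12]} {reason}"
    )
    return allowed, reason


# Constructed stand-ins for executable contents.
LEDGER_TOOL = b"constructed bytes standing in for ledger.exe"
LEGACY_TOOL = b"constructed bytes standing in for legacy-report.exe"
UNKNOWN_BINARY = b"constructed bytes standing in for a never-before-seen binary"
TRUSTED_PUBLISHER = "Example Corp Software (constructed)"


def build_sample_policy() -> Policy:
    return Policy(
        trusted_publishers={TRUSTED_PUBLISHER},
        group_hashes={"finance": {sha256(LEDGER_TOOL)}},
        local_hashes={"ws-042": {sha256(LEGACY_TOOL)}},
    )


def run_demo() -> list[bool]:
    """Evaluate five constructed launch requests and return the allow/deny outcomes."""
    policy = build_sample_policy()
    requests = [
        LaunchRequest("ws-042", "alice", "finance", r"C:\Apps\ledger.exe", LEDGER_TOOL, None),
        LaunchRequest("ws-042", "alice", "finance", r"C:\Apps\legacy-report.exe", LEGACY_TOOL, None),
        LaunchRequest("ws-077", "bob", "sales", r"C:\Apps\legacy-report.exe", LEGACY_TOOL, None),
        LaunchRequest("ws-077", "bob", "sales", r"C:\Apps\editor.exe", b"signed editor", TRUSTED_PUBLISHER),
        LaunchRequest("ws-077", "bob", "sales", r"C:\Users\bob\AppData\Local\Temp\update.exe", UNKNOWN_BINARY, None),
    ]
    results = [decide(policy, r)[0] for r in requests]
    for line in policy.audit:
        print(line)
    return results


if __name__ == "__main__":
    run_demo()
```

The third and fifth requests are denied: the legacy tool is approved only on `ws-042`, so the same binary on `ws-077` has no covering rule, and the unknown binary in a temp directory matches nothing. Note the trade-off the publisher rule introduces: it covers every binary that publisher ever signs, so a hash rule is the narrower control where a signed but unwanted or vulnerable tool must be kept out.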

A tangential benefit of these capabilities is that organizations can make sure computers, servers, and bandwidth are used only for their intended purposes and not as vessels for malicious activity. More importantly, sophisticated threats that would otherwise cut through perimeter defenses like a hot knife through butter can be stopped before they ever cause harm to your organization.

The Cyber War Is Only Just Beginning

Relative to the scope of human history, the use of cyber attacks (for good or for evil) is in its infancy. In the coming years, we expect hackers to become smarter and more conniving.

Moreover, we foresee their targets becoming more dynamic as endpoints evolve. For that matter, we expect the stakes of an intrusion to spike as critical infrastructure is digitized.

However, we also believe that even in the face of sophisticated advanced persistent threats, never-before-seen malware, and of course, dangerous zero day threats, layered cyber security will always act as the basis for the safeguarding of computers, servers, and the sensitive data within. The sooner you lay this foundation, the sooner you can begin future-proofing your organization’s cyber security.

 


By: Matt Williams

Matt Williams. A self-proclaimed ‘tech geek’, Matt has worked in technology for a decade and divides his time between blogging at Faronics and working in IT. A huge New York Giants fan, when not watching football Matt gets his game on playing Call of Duty with his friends and other tech bloggers.
