A zero-day is a flaw in software, hardware or firmware that has the potential to be exploited by cybercriminals. In other words, a zero-day is a vulnerability in a system or device that has been disclosed but is not yet patched. A zero-day exploit is a cyber-attack that occurs on the same day a weakness is discovered in software. At that point, it is exploited before a fix becomes available from its creator.
Source: us.norton.com
Initially, when a user discovers that there is a security risk in a program, they can report it to the software company, which will then develop a security patch to fix the flaw. Sometimes hackers hear about the flaw first and are quick to exploit it. When this happens, there is little protection against an attack because the software flaw is so new.
A zero-day exploit occurs as follows:
- A company’s developers create software, but unbeknownst to them it contains a vulnerability.
- The threat actor spots that vulnerability either before the developer does or acts on it before the developer has a chance to fix it.
- The attacker writes and implements exploit code while the vulnerability is still open and available.
Source: fireeye.com
Typical targets for a zero-day exploit include:
- Government departments
- Large enterprises
- Individuals with access to valuable business data
- Large numbers of home users
- Hardware devices, firmware and Internet of Things (IoT)
Zero-day Vulnerability Detection
There are several ways to detect previously unknown software vulnerabilities.
- Vulnerability scanning: Security vendors who offer vulnerability scanning solutions can simulate attacks on software code, conduct code reviews, and attempt to find new vulnerabilities. Of course, this approach cannot detect all zero-day exploits.
- Patch management: This approach also cannot prevent zero-day attacks, but applying patches and software upgrades quickly can significantly reduce the risk of an attack.
- WAF: One of the most effective ways to prevent zero-day attacks is deploying a web application firewall (WAF) at the network edge. A WAF reviews all incoming traffic and filters out malicious inputs that might target security vulnerabilities.
- RASP: Runtime application self-protection (RASP) agents sit inside applications, examining request payloads with the context of the application code at runtime to determine whether a request is normal or malicious, enabling applications to defend themselves.
- Zero-day initiative: This is a program established to reward security researchers for responsibly disclosing vulnerabilities instead of selling the information on the black market. Its objective is to create a broad community of vulnerability researchers who can discover security vulnerabilities before hackers do.
Source: imperva.com
Detecting a Zero-Day Attack
Several strategies have emerged for zero-day attack detection:
- Statistics-based detection: This strategy employs machine learning to collect data from previously detected exploits and create a baseline for safe system behavior.
- Signature-based detection: This strategy uses existing databases of malware and their behavior as a reference when scanning for threats.
- Behavior-based detection: This strategy detects malware based on its interactions with the target system.
- Hybrid detection: This strategy combines the above three techniques.
Source: forcepoint.com
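As an added example (not from this page or any of the sources it cites), the four strategies above applied to a constructed request log: a signature check for attacks already seen, a statistical baseline learned from benign traffic, a behavioral rule for what a request handler should never do, and a hybrid verdict that combines them. Event fields, signature patterns and the 3-sigma threshold are assumptions made for the example.

```python
import re
from statistics import mean, pstdev

# Constructed sample request log (not from the page). The five baseline
# events are ordinary traffic; the two exploit events are the cases to detect.
BASELINE_EVENTS = [
    {"path": "/index", "bytes": 310, "spawned_shell": False},
    {"path": "/login", "bytes": 290, "spawned_shell": False},
    {"path": "/search?q=shoes", "bytes": 330, "spawned_shell": False},
    {"path": "/cart", "bytes": 305, "spawned_shell": False},
    {"path": "/checkout", "bytes": 320, "spawned_shell": False},
]
# A previously seen attack pattern: only the signature detector knows it.
KNOWN_EXPLOIT = {"path": "/search?q=' UNION SELECT 1--", "bytes": 315, "spawned_shell": False}
# A zero-day: no signature exists, so only behavior and statistics can catch it.
UNKNOWN_EXPLOIT = {"path": "/api/upload", "bytes": 9800, "spawned_shell": True}

# Signature-based detection: patterns for attacks already catalogued (constructed).
SIGNATURES = [re.compile(r"(?i)union\s+select"), re.compile(r"\.\./")]

def signature_hit(event):
    return any(sig.search(event["path"]) for sig in SIGNATURES)

# Statistics-based detection: learn a baseline of "safe" response sizes,
# then flag anything further than z_limit standard deviations from it.
def build_baseline(events):
    sizes = [e["bytes"] for e in events]
    return mean(sizes), pstdev(sizes)

def statistical_hit(event, baseline, z_limit=3.0):
    mu, sigma = baseline
    if sigma == 0:  # degenerate baseline: any deviation counts as anomalous
        return event["bytes"] != mu
    return abs(event["bytes"] - mu) / sigma > z_limit

# Behavior-based detection: a web request handler should never spawn a shell,
# whatever the payload looked like.
def behavior_hit(event):
    return event["spawned_shell"]

# Hybrid detection: report every detector that fired; any hit is an alert.
def classify(event, baseline):
    fired = []
    if signature_hit(event):
        fired.append("signature")
    if statistical_hit(event, baseline):
        fired.append("statistical")
    if behavior_hit(event):
        fired.append("behavior")
    return fired
```

The known exploit is caught by its signature alone, while the zero-day is caught only by the statistical and behavioral detectors, which is why the page's hybrid strategy matters.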
How Do We Protect Ourselves From These Vulnerabilities?
- Installing a powerful anti-malware product that is always kept up to date.
- Installing new software updates for every application installed on the computer. In particular, OS updates must be installed immediately.
- Installing all hardware driver updates.
- Installing security patches, which fix bugs that the previous version may have missed.
- Configuring the security settings of the operating system, internet browser, and security software.
Sources: