FACING THE UNKNOWN: ZERO-DAY THREATS
March 27, 2019
Zero-day malware presents a huge cybersecurity challenge for organizations. These threats are undiscovered: they target weaknesses that developers have not yet found. By nature, a zero-day threat has no signature. It is an ‘unknown’ threat that appears in no existing database, which leaves traditional, detection-based security solutions powerless to stop it. A zero-day attack will easily evade detection and rapidly breach an organization, leaving a trail of destruction behind it, unless another solution is used that prevents the malware from reaching the organization at all.
Behind-the-scenes: the making and breaking of a zero-day threat
First, let’s look at the term ‘zero-day’. It implies that the threat exists on the ‘zeroth day’, the day before the ‘first day’; in other words, the day before the vulnerability becomes known. Hackers often exploit existing, known vulnerabilities, but zero-day threats are different. They are the product of hackers looking to exploit “security holes”, system vulnerabilities that have not yet been discovered at all. If a system is compromised and up-to-date security detection software doesn’t recognize the attack, it’s a zero-day attack.
When a new security vulnerability is discovered, usually by a security expert, they notify the software vendor. The ball is then in the vendor’s court: it is their job to create a patch that fixes it. Sometimes, however, hackers, who are often just as skilled as security experts, are the first to discover a vulnerability. With their own ulterior motives at heart, they set to work on this ‘opportunity’, creating zero-day malware that exploits the weakness as a new, effective way of breaching organizations. Unfortunately, hackers don’t even need to look for vulnerabilities: zero-day knowledge can be bought on the dark web, albeit for a hefty price.
Zero-day threats have a specific lifetime, from the moment of their development until the vulnerability is fixed, that is, until either a security patch is released or a signature becomes available. After that, their zero-day days are over and they become ‘known threats’ that can be detected. The period in which the vulnerability still exists is known as the ‘window of vulnerability’; it can last anything from a few days to a few years, and during it the malware remains unknown.
Finding their way in
Zero-day threats use a few different attack vectors to breach organizations. They can exist as a script running in a browser, delivered from a compromised website, or as malicious code injected into database queries. Most zero-day attacks, however, arrive in infected files. Hackers often use common, frequently shared file types to compromise systems and steal data; these files can be sent as email attachments, downloaded from the web or a cloud-based application, or shared between devices.
REAL LIFE EXAMPLE
Microsoft DDE (Dynamic Data Exchange) is a feature built into all Microsoft Office products, designed to allow Word to use data from other Office applications. This feature can be exploited to run malicious code when an Office file is opened, even if macros are disabled.