2. Zero day exploits: what are they & how do I stop them?

Zero day exploitsIn the wake of a Windows 10 zero day exploit that had Microsoft all a-flutter, we explore these insidious threats - and how to combat them.

In the last blog in this series, we looked into ransomware, what it is, and how you can stop it. In this blog, we put another cyber-threat under the microscope – the zero day exploit.

We’ve looked into what the zero day exploit is and how it ticks – and we’ve “zeroed” in (sorry!) on some things businesses and their security partners need to consider in order to confront the danger head-on.

Zero day exploits: what are they?

Perhaps no other threat is guaranteed to drive software vendors’ marketing departments into public fits of bluster and defensiveness quite like the zero day exploit (see Microsoft’s recent performance in this piece in Ars Technica, for example!)

This is because zero day exploits are all about urgency and panic. Typically, they attack newly released software through vulnerabilities even its designers often don’t yet know exist (although legacy software can also sometimes be a target).

They are so called, as Wikipedia explains, because the hapless software vendor has “zero days” to fix the problem, or communicate helpfully about it, before it goes public – since the hackers themselves have usually already publicised it for them!

Zero day exploits love targeting browsers and office applications like Word and others (because we all use them) and they also hijack the common SMTP email protocol to find their way into these vulnerable applications in the first place.

But what makes zero day exploits so dangerous is that they tend to evade typical security software defences.

Why? Because many of the latter rely on triggers like malware signatures and known URL blacklists – intelligence that accumulates over time. And by definition, a zero day exploit has none of this history behind it!

What damage can zero day exploits do?

Here’s just a short list of zero day threats and the havoc they can potentially wreak, curated from various sources covering the last year or two:

  • Suspected North Korean State threat actors were observed exploiting a vulnerability in a word processing application
  • A targeted attack unveiled vulnerabilities in Microsoft Office and Windows, hidden within a Microsoft Word document
  • Adobe and Windows zero day exploits were made use of by Russia’s APT28 gang in a highly-targeted hack
  • Vulnerabilities in Microsoft font drivers were found to allow remote code execution, potentially rendering businesses open to ransomware, data theft, etc.

And, at the time of writing, a memory corruption bug affecting several Windows operating systems was declared capable, in this advisory, of remotely causing a denial of service (DDoS) attack!

Zero day – how do you defeat an enemy you can’t see?

But what defence is possible if security software can’t even recognise a zero day exploit when it’s sitting on top of one?

One effective response to this is to choose security solutions that don’t go hunting for known malware signatures, but instead zoom in on the structural behaviour of the applications that are likely to be targeted by zero day exploits.

Unexpected behaviours in those applications can indicate that they are being asked to do something they shouldn’t – and in tests, this approach has led to security vendor Bitdefender being able to block all Flash player exploits, including zero day, encountered in the space of a year.

It follows that the more extensive the analysis of these applications and the data they generate, the more effective a security solution is likely to be in recognising the signs that a zero day exploit is at work.

Enter Trend Micro, which has woven together an extraordinary mesh of vulnerability intelligence sources that include behavioural, statistical, heuristic and protocol analyses, all drawing on a constantly updated and monitored worldwide threat intelligence network.

Backed up by artificial intelligence (AI) and machine-learning techniques that extend through multiple different security layers, analyses of the entire possible zero day attack surface can be interlinked.

In other words, a more holistic understanding of which of the business’s applications are being asked to do what, and whether this is likely to constitute risky behaviour, is formed.

It’s less about putting a name and face to the exploit itself, and more about spotting changes across the business’s often very complex IT environments that aren’t explicable in any healthy way!

Anti-zero day solutions – what the industry says

An enlightening read for those investigating this area is industry analyst Gartner’s recent Magic Quadrant for endpoint security (which you can download here, and in which Trend Micro, incidentally, is positioned highest and furthest amongst the contenders).

It hits on many of the points we’ve mentioned above – application and process analysis, behaviour monitoring, machine learning, browser and office software vulnerabilities, memory manipulation – to paint a pretty comprehensive picture of what the industry is doing to address the fundamental difficulty of stopping a threat that is, initially at least, invisible.

Meanwhile, keep your eyes peeled for our next topic in this blog series – viruses!