Zero-day exploits are vulnerabilities that are exploited straight after their discovery. These rapid attacks take place either before the infosec community knows about the vulnerability or has been able to repair it. They are the Holy Grail for hackers, because they take advantage of the vendor's lack of awareness and the lack of a patch to cause maximum havoc.
Vulnerabilities in products such as Microsoft's Internet Information Server and Internet Explorer, or in protocols such as the Simple Network Management Protocol, enable zero-day exploits to be disseminated rapidly, typically via internet relay chat channels or underground websites.
Why is the threat growing?
And these attacks are becoming ever more frequent. One reason is that although hackers once took months to exploit vulnerabilities – in January 2003, the SQL Slammer worm exploit appeared eight months after the vulnerability was disclosed – it is now a matter of days. For example, it took just two days for exploits to appear in Cisco Systems' Internetwork Operating System software after it disclosed a vulnerability; Blaster was exploited less than 25 days after the vulnerability was disclosed; and Nachi (a variant of Blaster) struck around a week later.
Another factor is that exploits are being designed to propagate faster and infect larger numbers of systems. Exploits have evolved from the passive, slow-propagating file and macro viruses of the early 90s to more active, self-propagating email worms and hybrid threats that can take only a few days or hours to spread.
Also, the knowledge of vulnerabilities is growing and more are being discovered and exploited.
For all these reasons, zero-day exploits are a scourge for most enterprises. A typical enterprise uses firewalls, intrusion-detection systems and anti-virus software to secure its mission-critical IT infrastructure. These systems offer good first-level protection, but despite the best efforts of security staffers, they cannot protect enterprises against zero-day exploits.
By definition, detailed information about zero-day exploits is only available after the exploit has been identified, but here is one example to illustrate how to determine whether your company has been attacked in this way.
In March 2003, a web server run by the U.S. Army was compromised by an exploit using a buffer-overflow vulnerability in WebDAV. This was before Microsoft was even aware of the problem. The targeted machine collected data on the network and returned it to the hacker.
Army engineers were able to detect it because of the unexpected increase in network scanning activity originating from the compromised server. So they started to rebuild the exploited machine, only to find that it was hacked again.
After the second attack, the engineers realized that they had encountered a zero-day exploit. The Army notified Microsoft, which subsequently developed a patch for the vulnerability.
So what are the key signs to look for? First, any unexpected potentially legitimate traffic or substantial scanning activity originating from a client or a server; second, unexpected traffic on a legitimate port; and finally, similar behavior from the compromised client or server even after the latest patches have been applied.
In such cases, it is best to work with the affected vendor to conduct an analysis of the phenomenon to ascertain whether the behavior is due to a zero-day exploit.
How can you protect yourself?
No enterprise can protect itself entirely against zero-day exploits. However, they can take reasonable steps to minimize the risk and maximize protection.
First, good preventive security practices are a must. These include installing and keeping firewall policies carefully matched to business and application needs, keeping anti-virus software updated, blocking potentially harmful file attachments and keeping your systems patched against all known vulnerabilities. Vulnerability scans are a good means of measuring the effectiveness of preventive procedures.
Next comes detection and protection. Deploy specific security products that can help minimize the risk of zero-day exploits. No single product can guarantee protection against them, but a defense-in-depth approach will minimize the risks. The most effective approaches incorporate products that are able to detect and/or prevent:
- Anomalous traffic behavior, such as connections or traffic rates;
- Anomalous application use, such as unused or unexpected FTP commands, file names, file types, unused or unexpected HTTP methods;
- Anomalous application behavior, such as excessive application connections;
- Anomalous network traffic behavior, such as simultaneous unexpected server activity that may individually be legitimate.
Products with a positive security model that contain the behavior of traffic and applications to their secure, expected behavior will reduce risk by limiting any operations across the secure boundary.
The products that together offer such detection and protection, when linked to policy-based positive security enforcement, all help to minimize the risk of zero-day exploits. They include intrusion detection and intrusion prevention systems (network-based and host-based), application firewalls, and security event management and correlation systems.
The next step is planned incident response. Even with the measures listed above, an organization can get infected with a zero-day exploit. Well-planned incident-response measures with defined roles and procedures, including prioritization of mission-critical activities, are also crucial to minimizing the business damage.
Finally, you can prevent the spread of the exploit, limiting connections and traffic flows to only those required for business needs.
Zero-day exploits are a challenge for even the most vigilant systems administrator. However, having the proper safeguards in place can greatly reduce the risks to critical data and systems.
Abhay Joshi is senior director of business development at Top Layer Networks Inc.
