Organizations are struggling with how to more quickly account for and guard against zero-day vulnerabilities, reports Karen Epper Hoffman.
For information security professionals, zero is much more than nothing.
Zero-day vulnerabilities – those holes in software that are not generally known nor protected against – are indeed a growing concern for organizations as criminals get increasingly savvy about how to use these liabilities to their favor. In the end, experts say, it is becoming a race between how fast software makers and researchers can uncover these holes – which most commonly target Microsoft, Adobe and Java software – and distribute a patch or update, and how quickly the bad guys will get there.
Exploits that target zero-day vulnerabilities, by most accounts, are not all that common. Craig Williams (left), technical leader for the Cisco Threat Research, Analysis and Communications (TRAC) Outreach team, says his group regularly sees zero-day exploits “but it is far from a daily event,” adding that normally he would see one or two per month. “Companies are getting better at reducing the number of vulnerabilities that ship in their code,” he says. “Things like development lifecycles that put emphasis on security and require security-focused testing help reduce the number of bugs.”
Additionally, companies are investing in exploit-mitigation technologies – like memory protections sandboxes or Microsoft's Enhanced Mitigation Experience Toolkit, which Williams says can make it “much more challenging for vulnerabilities to result in useful code execution.”
Nonetheless, when they do hit, zero-day exploits can be more damaging than most because they strike where no one is looking and can remain undetected owing to the fact that much current security software seeks out malicious code based on known signatures.
“Zero days are incredibly valuable to the attackers…they don't want people to know it exists, and [the length of time] between detection and disclosure can vary,” says Mark Elliott, founder and executive vice president of Quarri Technologies.
Or, in the words of Allen Harper, chief hacker and executive vice president of Tangible Security: “We have a blind spot growing in the security field and that's zero-day.”
Alex Cox (left), principal security researcher for RSA FirstWatch, says zero-day exploits targeting Java in particular “tend to be the most damaging as many enterprises don't have a solid patching process for it, and vulnerabilities tend to be exploitable for a longer period of time between patch cycles.”
But, other experts point out that while the threat certainly hovers, actual damage has of yet been minimal. “The continued string of high-profile compromises, to Adobe source code in particular, has the potential to cause an explosion of zero-days, but we haven't really seen that yet,” says Cox. “The potential is there, just unrealized as of yet. I'd say that the use of zero-days has increased along the same lines as the threat. That is, as the bad guys' sophistication has increased, so has their ability to use zero-days in their attacks.”
In fact, says Williams, the growth rate of zero-day threats is set by the number of people attempting to exploit users of the internet. “We're seeing a much more targeted use of zero-day threats these days,” he says.
Michael Sutton, vice president of security research for Zscaler, says the landscape for zero-day vulnerabilities has evolved significantly in recent years as software makers, Microsoft in particular, have gotten increasingly better about putting out patches, and organizations have become more adept at shortening the patch cycle. Instead, it's no longer the “low-hanging fruit” of simple vulnerabilities, Sutton says. “It's not getting worse so much in terms of sheer volume, it's the severity of the threats and the length of time they are taking to come to the surface to get to where a vendor can address them,” Sutton says.
In the meantime, there is a lot of money to be made in zero-day vulnerabilities, by the criminal underground and nation-states alike.
Anup Ghosh, CEO and founder of Invincea, believes the problem will get bigger come April, when support for Windows XP ends, and new vulnerabilities may keep cropping up without getting fixed. “We're about to enter a period where zero-days will be very common on Windows XP machines, with no patches available,” Ghosh says. Jeff Davis, vice president for engineering at Quarri, agrees that this causes a problem, especially since 30 percent of PCs are estimated to run the Windows XP operating system.
With more and trickier zero-day exploits on the horizon, what can organizations do to streamline the process so that they can account for these vulnerabilities, find them and protect against them?
“You can't patch what you don't know about,” Sutton points out, adding that all organizations need to start with a well-oiled patch management process which monitors public sources, as well as commercial feeds, for reports of potential zero-day vulnerabilities. Monitoring, he says, also must take into account the fact that employees are bringing new computing asset into the corporate environment – creating a need to update patching on new devices.
Stefan Frei, research vice president for NSS Labs, points up that not all exploits do affect the latest versions of a program or an operating system. Having the latest versions installed and kept up-to-date is effective in preventing known exploits and zero-days that affect older versions – for example, a zero-day for IE 7 which is ineffective against IE 10, he says. Further, the latest versions of operating systems typically deploy exploit mitigation techniques to protect the OS and programs running from exploitation, which at least make it much harder to successfully exploit the box. To benefit from these protection features, he recommends upgrading XP boxes or older operating systems.
“If you are a high-value target, assume you are compromised by zero-days, unpatched programs or internal attackers,” Frei says. “As 100 percent protection is an illusion, be prepared to detect a breach early and have a process to handle it. Many protection suites promote ‘ahead of the threat' protection, but often fail to even block long-known exploits in our tests.”
Likewise, Cox points out that historically the mitigation process in most enterprises has revolved around how widespread the attack is. “The idea being that you are relatively safe during the early stages of a zero-day attack and can delay your strategies until attacks are widespread. I've long been a proponent of immediate mitigation in these cases, as the enterprise is most vulnerable during the targeted attack phase.” He adds that once the attack has gone widespread, security vendors have likely caught up and commodity security technologies can detect the threat.
Williams believes the best way to mitigate zero-day events is defense-in-depth. “The trouble with these is that the attackers can be committed to avoiding detection – this is why they are using a zero-day in the first place,” he says. “By using multiple security devices with different detection engines one can maximize coverage. Additionally, opting-in to telemetry systems can help vendors enhance coverage.”
