Zero day. Perhaps the most frightening words for any IT leader to hear. For security researchers, zero days are one of the more fascinating topics, the crown jewel of hacking: a capability that can bypass traditional security measures, that might allow an attacker to run any code they want, or to penetrate any device. In this post, we will demystify what a zero day really is, how many are actually seen in the wild, what their impact has been, and how you can stay protected.
What is a Zero Day, Really?
The term “zero day” has come to describe one thing: a vulnerability or an attack vector that is known only to the attackers, so it can be exploited without interference from the defenders. You can think of it as a flaw in a piece of software, or sometimes even hardware. Here’s a typical lifecycle of an attack that uses a zero day to compromise devices:
- A vulnerability or new attack vector is discovered by a malware author.
- The capability is weaponized and proven to work.
- The zero day is kept secret and used by cyber criminals.
- The vulnerability is discovered by defenders.
- The OS vendor or application vendor delivers a patch.
- The zero day is no longer a zero day.
With that said, here is a better scenario, based on responsible disclosure:
- A vulnerability or new attack vector is discovered by a hacker or a security researcher.
- The author reports it to the OS or application vendor.
- A patch is created, and released.
- The zero day is then published, crediting the hacker for their contribution, and sometimes even paying them for the responsible disclosure.
While the technical ability to discover a zero day (some would call it the ability to break things) is much the same in both scenarios, the first path is a crime that can cause huge damage, both financially and to a brand; the second is the right path to choose.
What is Not a Zero Day?
It is not uncommon to see the term ‘zero day’ used in marketing campaigns, to spread fear or simply to demonstrate the risk associated with cyber attacks. The risk is real, even where the term is used loosely. Here’s what a zero day is not.
1. Malware with an unknown hash or reputation
It is very easy to change existing malware so that it evades signature-based solutions. In fact, a lot of malware out there uses this technique to evade legacy AV. How easy is it? It takes almost no effort at all.
2. Malware that evades legacy AV string-based scans (e.g., ‘Yara’ rules)
The same goes for packers, which compress an executable without changing what it does: yet another common way to infect devices and evade legacy AV, but not a zero day.
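To show how little points 1 and 2 actually require, and why detection should not rest on file identity or on-disk strings alone, here is an added Python example (not code from the original post). The sample bytes, the signature string and the use of zlib as a stand-in “packer” are all constructed for the demonstration: the repadded copy slips past the hash check but still trips the string rule, and the packed copy slips past both until the content is unpacked.

```python
import hashlib
import zlib

# Constructed stand-in for a malicious file: a fake header, long zero runs
# (so the 'packer' below really compresses it) and one telltale string that
# a signature author might key on. It is not a real sample.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 64 + b"cmd.exe /c whoami" + b"\x00" * 32
SIGNATURE_STRING = b"cmd.exe /c whoami"   # stand-in for a Yara-style string rule

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_match(data: bytes, blocklist: set) -> bool:
    """Reputation-style check: exact hash equality against known-bad hashes."""
    return sha256_hex(data) in blocklist

def string_match(data: bytes) -> bool:
    """String rule applied to the bytes exactly as they sit on disk."""
    return SIGNATURE_STRING in data

def string_match_after_unpack(data: bytes) -> bool:
    """Same rule, but applied to the content a packer would restore at run
    time. zlib stands in for the packer here; an engine that inspects code
    as it executes sees this unpacked form whatever packer was used."""
    try:
        data = zlib.decompress(data)
    except zlib.error:
        pass  # not packed with this scheme: scan the bytes as they are
    return SIGNATURE_STRING in data

def repad(data: bytes) -> bytes:
    """Variant 1: one extra trailing byte. Behaviour unchanged, hash changed."""
    return data + b"\x00"

def pack(data: bytes) -> bytes:
    """Variant 2: compress the whole file, as a packer would."""
    return zlib.compress(data)

def evaluate() -> dict:
    """Run all three checks over the original and both variants.
    Returns {variant: (hash_hit, string_hit, string_hit_after_unpack)}."""
    blocklist = {sha256_hex(SAMPLE)}
    variants = {"original": SAMPLE, "repadded": repad(SAMPLE), "packed": pack(SAMPLE)}
    return {name: (hash_match(v, blocklist), string_match(v), string_match_after_unpack(v))
            for name, v in variants.items()}
```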
3. Attacks against unpatched vulnerabilities
If a patch was available but you had not applied it when you got infected, then the infection did not come from a zero day, and it means you need to reconsider your security program. The day Microsoft patched EternalBlue and other RCE exploits (14 March 2017), those vulnerabilities ceased to be zero day vulnerabilities. WannaCry, first detected on 12 May that year, arrived around Day 59 after the patch, not Day 0.
In-the-Wild Zero Day Attacks
Thanks to a recently shared dataset collated by Google’s Project Zero team, spanning the years from mid-2014 to the present day, it’s possible to shed some light on how knowledge of actual zero days can help improve your security posture.
The dataset includes zero day exploits that were either detected in the wild or were found in circumstances where in-the-wild use is a reasonable inference. For example, it includes exploits developed by the Equation Group and leaked by the Shadow Brokers. Similarly, it includes tools leaked from the hack of the defunct Italian private intelligence firm Hacking Team.
In total, there have been 108 zero day exploits discovered between July 2014 and June 2019. On average, around 20 zero day exploits are detected in the wild each year, which naturally leads to the question: how many go undetected? What percentage of the total are being detected?
Unfortunately, that will always remain unknown. Assuming that attackers are not suffering a 100% failure rate, however, defenders should think about their security solution in terms of where attacks might be getting through. Where do you lack visibility in your network? What are the bottlenecks in your response times that could be hiding an alert lost in the noise?
The data we have shows that the year 2015, with 28 discovered exploits, had by a small margin the highest number of attacks that leveraged zero day vulnerabilities. The lowest, 2018, only saw 12 detected zero days: a number almost equalled already in the first 6 months of 2019 with 10 detections.
Attribution: Fundamental & Almost Impossible!
Knowing who is behind an attack is one of the most important mysteries to solve for a truly robust defensive strategy. Whether you are being targeted or just a victim of an indiscriminate attack on computer networks at large can play a crucial role in how your organization responds and allocates resources.
And yet, attribution is probably the most difficult of all the tasks involved in defending against cybercrime. The entirety of the evidence will likely not lie only in artefacts and forensics on your particular network, and interpretation may equally demand knowledge of context that goes beyond your own organisation, particularly when thinking about nation state actors and APTs.
Of the 108 zero days, there are 44 for which no attribution has been claimed at all. Of the other 64, claims of attribution should be largely taken as ‘best guess’ for the reasons just noted.
With that in mind, the largest numbers of zero day exploits over the last 5 years appear to come from Russian and American nation state actors, in that order. APT 28, also known as Fancy Bear, Sofacy and several other names, is believed to have been behind 10 of the zero day exploits detected in the wild. The Equation Group, widely believed to be a unit within the United States National Security Agency, is suspected of being behind 8 of the exploits.
Interestingly, 11 of the exploits discovered were attributed to two private intelligence firms, whose business relies on discovering or buying zero day exploits from other hackers and selling them on to third parties for profit. While their intended customers may be law enforcement or government organisations, the fact that one of these private firms, Hacking Team, was itself hacked and had its exploits leaked online makes attribution even more difficult.
What Products Have Been Affected By Zero Days?
Essential to analysing your risk is gauging just how far your own software stack is vulnerable. As already noted, detected exploits tell us nothing about vulnerabilities being leveraged right now that remain undetected, but they can at least shine a light on areas you absolutely must be sure to cover.
As the next graph shows, Microsoft products are far and away the largest vectors for zero day exploits, with Windows, Office, Internet Explorer and the Windows Kernel making up four of the top five affected products. Combined, they account for 62 of the 108 exploits discovered. It won’t surprise many to see Adobe’s Flash holding second place, with 23 zero day vulnerabilities found in the multimedia platform.
That has important implications. With such a large percentage of the vulnerabilities found in products from just two vendors, it’s clear that use of those vendors’ products should be effectively monitored in your environment as a priority.
What Vulnerabilities Have Led to Zero Days?
By far, most of the zero day vulnerabilities uncovered were due to memory corruption issues. These result in exploits based on buffer overflows and out-of-bounds read/writes, among others.
Another 14 vulnerabilities were due to logic and/or design flaws such as improper validation. These allowed exploits such as sandbox escapes and remote privilege escalations.
How Can You Protect Against Zero Day Exploits?
With 108 zero days discovered over a period of 1,825 days, that works out at an average of one new zero day exploit in the wild every 17 days. And while that kind of statistic can be misleading (we know the reality is that many have been leaked in a single day), it does suggest that zero day exploits are not rare occurrences you can afford to ignore until the next research article or media headline.
Start by ensuring you have a comprehensive approach to network security. Your defensive strategy needs to be proactively searching out weak points and blind spots. That means making sure all endpoints have protection, that admins have the ability to see into all network traffic, including encrypted traffic, and that you know exactly what is connected to your network, including Linux-powered IoT machines.
Choose a security solution that does not just whitelist code from trusted sources or, equally as bad, put a blanket network-wide block on tools your employees need in their daily work, killing their productivity. Instead, look for an endpoint security tool that actively monitors for and autonomously responds to chains of anomalous code execution, and which can provide contextualized alerts for an entire attack chain. A solution like SentinelOne allows your employees to use the tools they need to get their work done while at the same time autonomously taking action against malicious code execution, whatever its source.
Finally, prepare for the next news headline in advance. When a zero day attack is next detected, be sure you have tools in place that can retrohunt across your entire network, and that can help you patch quickly and easily.
If there’s one thing we can learn from the last 5 years of zero day exploits, it is that zero days are a constant that you need to have a coordinated strategy to deal with. When the next news headline has everyone buzzing, be sure you have the ability to check, patch and defend against any attacker trying to leverage it against your network. If you’d like to see how the SentinelOne solution can help you do just that, we’d love to show you with a free demo.