“A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.” (From Wikipedia)
A Zero Day Attack doesn’t require a Zero Day Vulnerability to be successful. Many known vulnerabilities are subject to exploits that have never been seen before, and a new exploit for an old vulnerability is just as invisible to exploit-signature matching as an exploit for an unknown one. However, once a vulnerability is publicly identified the clock starts ticking towards a patch, and some technologies are able to filter attacks by recognising the attempt to exploit a known vulnerability, regardless of what the particular exploit looks like.
Before attempting to understand how to protect against Zero Day Attacks, let’s take a look at how known exploits are mitigated. A typical Gateway Security Infrastructure consists of a Firewall, commonly augmented with additional technologies such as Intrusion Prevention Systems, Anti Virus, URL Filtering and Anti Spam.
It’s often overlooked how major a role the Firewall plays in securing the environment behind it. Even more overlooked is the importance of NAT, Network Address Translation. NAT is performed by the Firewall and “hides” the entire range of internal IP addresses behind a single “Public” IP address. Although not intended as a security measure, NAT inherently protects our networks because the Firewall can only translate inbound traffic it has a record of: a reply to a connection an internal host opened, or a destination for which a static forward (port forward) has been explicitly configured. Any other unsolicited traffic arriving at the public address gets dropped, as the Firewall has no record of an internal IP address to forward it to. The flip side is that every static forward is a deliberate hole in that protection and belongs in any count of the exposed attack surface.
The Firewall’s core security function, however, is to compare traffic with established criteria and perform actions as per a set of instructions referred to as the “Firewall Rule Base”.
Each new traffic flow destined for the network is compared against the rules in order, from the top of the Rule Base down. The first rule whose criteria match the flow determines the action; if no rule matches, the flow reaches the implicit “cleanup” rule at the bottom and is simply dropped or denied. Because order matters, a broad “accept” rule placed above a narrower “drop” rule silently disables the latter.
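To make the two mechanisms above concrete, here is an added example (not code from the original article) of a stateful firewall that evaluates a first-match rule base with an implicit cleanup rule and keeps a NAT translation table. The 10.0.0.0/24 network, the public address 203.0.113.10, the published server 10.0.0.5 and all rules, hosts and ports are constructed for illustration.

```python
"""Stateful firewall: first-match rule base plus a NAT translation table.

Added example, not code from the original page. The 10.0.0.0/24 network,
the public address 203.0.113.10, the published server 10.0.0.5 and every
rule, host and port below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # constructed
PUBLIC_IP = "203.0.113.10"                          # constructed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # "internal" or "any"
    dst: str           # "public" or "any"
    dports: frozenset  # empty = any destination port
    action: str        # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        src_ok = self.src == "any" or ipaddress.ip_address(pkt.src_ip) in INTERNAL_NET
        dst_ok = self.dst == "any" or pkt.dst_ip == PUBLIC_IP
        port_ok = not self.dports or pkt.dst_port in self.dports
        return src_ok and dst_ok and port_ok


class Firewall:
    def __init__(self, rules: List[Rule], static_forwards: Dict[int, Tuple[str, int]]):
        self.rules = rules
        self.static_forwards = static_forwards  # public port -> (internal ip, port)
        # (remote ip, remote port, public ip, NAT port) -> (internal ip, internal port)
        self.conn_table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self._next_nat_port = 40000

    def process(self, pkt: Packet) -> Tuple[str, str, Optional[Packet]]:
        """Return (verdict, reason, packet as forwarded or None if dropped)."""
        # 1. A reply to a flow an internal host opened has a NAT table entry:
        #    translate the destination back to the internal host and forward.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.conn_table:
            in_ip, in_port = self.conn_table[key]
            return "accept", "established (NAT table hit)", Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        # 2. New flow: walk the rule base top-down; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "drop":
                    return "drop", rule.name, None
                break
        else:
            return "drop", "cleanup rule (implicit deny)", None  # nothing matched
        # 3. Accepted outbound flow: hide the internal source behind PUBLIC_IP
        #    and remember the mapping so the reply can find its way back.
        if ipaddress.ip_address(pkt.src_ip) in INTERNAL_NET:
            nat_port, self._next_nat_port = self._next_nat_port, self._next_nat_port + 1
            self.conn_table[(pkt.dst_ip, pkt.dst_port, PUBLIC_IP, nat_port)] = (pkt.src_ip, pkt.src_port)
            return "accept", rule.name, Packet(PUBLIC_IP, nat_port, pkt.dst_ip, pkt.dst_port)
        # 4. Accepted inbound flow: deliverable only if a static forward names
        #    an internal address; otherwise there is nowhere to send it.
        target = self.static_forwards.get(pkt.dst_port)
        if target is None:
            return "drop", "no internal address to forward to", None
        return "accept", rule.name + " via static forward", Packet(pkt.src_ip, pkt.src_port, *target)


RULE_BASE = [
    Rule("allow-outbound-web", "internal", "any", frozenset({80, 443}), "accept"),
    Rule("allow-inbound-https-published", "any", "public", frozenset({443}), "accept"),
    # Anything not matched above hits the implicit cleanup rule.
]
STATIC_FORWARDS = {443: ("10.0.0.5", 443)}  # constructed published web server


def demo() -> Dict[str, Tuple[str, str]]:
    """Push a few constructed flows through the firewall; (verdict, reason) per case."""
    fw = Firewall(RULE_BASE, STATIC_FORWARDS)
    out: Dict[str, Tuple[str, str]] = {}
    verdict, reason, natted = fw.process(Packet("10.0.0.23", 51000, "198.51.100.7", 443))
    out["outbound_web"] = (verdict, reason)  # accepted; source is now PUBLIC_IP:40000
    reply = Packet(natted.dst_ip, natted.dst_port, natted.src_ip, natted.src_port)
    out["reply"] = fw.process(reply)[:2]      # solicited: NAT table hit
    out["unsolicited_probe"] = fw.process(Packet("192.0.2.66", 4444, PUBLIC_IP, 40000))[:2]
    out["inbound_https"] = fw.process(Packet("192.0.2.66", 4444, PUBLIC_IP, 443))[:2]
    out["outbound_ssh"] = fw.process(Packet("10.0.0.23", 51001, "198.51.100.7", 22))[:2]
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result[0]:6s} {result[1]}")
```

Running it shows the behaviour described above: the reply to the internal client's connection is accepted because the NAT table holds an entry for it, an unsolicited probe to that same public port from a different host is dropped by the cleanup rule, and the one inbound flow that gets through is the one a rule and a static forward both permit, which is why published services count as attack surface.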
If the Firewall allows the traffic, it is subject to inspection by additional security technologies. Anti Virus, Intrusion Prevention and other forms of Malware Prevention are effective against many types of malicious code. However, they largely rely on comparing the traffic against signatures of known exploits in order to determine whether the traffic is malicious or not. As such these technologies offer little in regards to Zero Day Attack Prevention, although some have limited heuristic or vulnerability-based capabilities that can sometimes identify certain Zero Day Exploits.
URL Filtering protects users from web-delivered attacks by allowing access to known good sites only. Unknown sites are usually the first distribution point of malware, while most internet users access only a handful of sites daily. Since this method focuses on the source rather than the content, it reduces exposure to exploits of any type, including Zero Day Attacks, without needing to recognise the exploit itself. It does nothing, however, against a compromised page on a site that is already on the allowed list.
Zero Day Attack Protection
Let’s focus on technologies specifically developed to prevent Zero Day Attacks. Because these exploits are unknown, there is no signature to compare them to in order to identify them as exploits. Instead, developers of Zero Day Attack Protection Solutions must rely on other methods to identify malicious code. Some of the methods used include:
- Sand-boxing: the file or traffic is temporarily “held in quarantine” while it is executed in a controlled environment and its behaviour is observed.
- Vulnerability Filtering: traffic is compared to a database of known vulnerabilities to determine whether there is an attempt at exploiting one of them. Because it matches the conditions that trigger the vulnerability rather than the bytes of a particular exploit, it can catch a new exploit of an old vulnerability, but it only works if the vulnerability itself is known.
- Heuristic Analysis: code is analysed with regard to its capabilities and apparent purpose (writes to disk, self-propagation, remaining resident, etc.).
- Anomaly Detection: traffic is compared to a baseline of acceptable or normal traffic, and significant deviations from that baseline are flagged.
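The difference between exploit signatures, vulnerability filtering and anomaly detection is easiest to see side by side. The following is an added example, not code from the original article: a made-up line protocol “GREET” whose server is assumed to copy the name field into a 64-byte buffer, one exploit for which a signature exists, a variant the signature has never seen, and a length baseline built from constructed normal traffic. The protocol, the vulnerability, the payloads and the sample traffic are all assumptions for illustration; no real product or exploit is represented.

```python
"""Exploit signature vs. vulnerability filter vs. anomaly baseline.

Added example, not code from the original page. The 'GREET' protocol, its
64-byte name buffer, the two exploit payloads and the traffic samples are
all constructed; no real product, vulnerability or exploit is represented.
"""
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical service: the server copies the NAME field of "GREET <name>\n"
# into a fixed 64-byte buffer without checking its length (constructed flaw).
NAME_BUFFER_SIZE = 64

# Exploit-signature approach (what a classic IPS/AV rule does): describe the
# bytes of ONE known public exploit, here a run of 'A's followed by a NOP sled.
KNOWN_EXPLOIT_SIGNATURE = re.compile(rb"^GREET A{70,}\x90\x90\x90\x90")


@dataclass(frozen=True)
class Verdict:
    signature: bool      # matched the known-exploit byte pattern
    vulnerability: bool  # violated the protocol constraint the flaw depends on
    anomaly: bool        # deviates from the baseline of normal traffic


def parse_name(request: bytes) -> Optional[bytes]:
    """Return the NAME field of a GREET request, or None for other commands."""
    if not request.startswith(b"GREET "):
        return None
    return request[len(b"GREET "):].rstrip(b"\n")


def signature_match(request: bytes) -> bool:
    """Exploit signature: fires only on the exploit it was written from."""
    return KNOWN_EXPLOIT_SIGNATURE.search(request) is not None


def vulnerability_filter(request: bytes) -> bool:
    """Vulnerability filtering: flag any NAME longer than the buffer, whatever
    bytes it carries. Catches unseen exploits of this (known) vulnerability."""
    name = parse_name(request)
    return name is not None and len(name) > NAME_BUFFER_SIZE


class LengthBaseline:
    """Anomaly detection on one crude feature, request length. A real system
    baselines many features, but the mechanism is the same."""

    def __init__(self, normal_requests: List[bytes], k: float = 3.0):
        lengths = [len(r) for r in normal_requests]
        self.mean = statistics.fmean(lengths)
        self.stdev = statistics.pstdev(lengths)
        # k standard deviations above the mean; floor the spread so a perfectly
        # uniform baseline does not flag every byte of variation.
        self.threshold = self.mean + k * max(self.stdev, 1.0)

    def is_anomalous(self, request: bytes) -> bool:
        return len(request) > self.threshold


def classify(request: bytes, baseline: LengthBaseline) -> Verdict:
    return Verdict(signature_match(request), vulnerability_filter(request),
                   baseline.is_anomalous(request))


# Constructed sample traffic.
NORMAL_TRAFFIC = [b"GREET alice\n", b"GREET bob\n", b"GREET carol.smith\n",
                  b"GREET dave_1984\n", b"GREET erin\n", b"GREET frank.o.connor\n"]
KNOWN_EXPLOIT = b"GREET " + b"A" * 80 + b"\x90" * 4 + b"\xef\xbe\xad\xde\n"   # the signature's source
VARIANT_EXPLOIT = b"GREET " + b"B" * 80 + b"\x0c" * 4 + b"\xef\xbe\xad\xde\n"  # same bug, new bytes
BENIGN_NEW_USER = b"GREET grace\n"
OTHER_COMMAND = b"PING\n"


def demo() -> Dict[str, Verdict]:
    baseline = LengthBaseline(NORMAL_TRAFFIC)
    return {name: classify(req, baseline) for name, req in [
        ("known_exploit", KNOWN_EXPLOIT), ("variant_exploit", VARIANT_EXPLOIT),
        ("benign", BENIGN_NEW_USER), ("other_command", OTHER_COMMAND)]}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:16s} signature={v.signature!s:5s} "
              f"vulnerability={v.vulnerability!s:5s} anomaly={v.anomaly}")
```

The known exploit trips all three detectors. The variant, which exploits the same bug with different filler bytes, slips past the signature but is still caught by the vulnerability filter and by the baseline; that is the gap the article describes between matching known exploits and matching the conditions of a known vulnerability. A benign request from a user never seen before trips nothing, which is the property anomaly detection has to preserve to be usable.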
The Cost of Zero Day Attack Protection
This is where it gets interesting. Regardless of whether the Firewall, Intrusion Prevention, Anti Virus, URL Filtering and other security solutions are bundled as a UTM or procured as separate products, the pricing breakdown in general looks something like this (as illustrated to the right):
Firewall – Low Cost
Anti Virus, Intrusion Prevention, URL Filtering – Medium Cost
Zero Day Protection – High Cost
Often when deciding on budgets “The Law of Diminishing Returns” and/or “The 80/20 Rule” (20% of the cost delivers 80% of the solution) are taken into consideration. In the case of Information Security these two principles are highly applicable, as the Firewall blocks the bulk of malicious traffic, followed by Intrusion Prevention, Anti Virus and URL Filtering. Zero Day Protection Solutions mitigate the fewest threats, but at the highest cost. Whether the cost is warranted or not depends on multiple factors:
- What would it cost to restore the environment to its state before the breach?
- Is your organization a deliberate target, or would an attack be the result of opportunistic, random selection?
- Does the environment contain confidential or proprietary data?
- Are there political, economic or prestige-related reasons to attack your organization?
- How large is your organization’s “Attack Surface”? (Can your Firewall, IPS, URL Filtering, etc. be configured for maximum security and minimum attack surface without impacting legitimate business traffic?)
There are numerous examples where successful Zero Day Attacks have had nothing but a negligible impact and a very low cost to clean up. On the other hand there are also examples of organizations that have not survived the exact same attack. Check out these scary examples just in time for Halloween:
2020 InfoSec is dedicated to helping our clients save money. One of the ways we do this is to recommend appropriate security measures rather than spending on unnecessary technologies or products that offer a low level of benefit. We can help you decide whether Zero Day Protection would be a worthwhile investment for your organization.