Zero day attack prevention best practices
In this article, get everything that you need to know about zero day attack prevention.
Table of contents
- What is a zero day attack?
- Examples of zero days
- Prevention starting points
- Prevention best practices
- Conclusion
What is a zero day attack?
A zero day attack consists of a security risk that remains unknown to security professionals ahead of an actual attack. Zero day attacks, a.k.a. 0-days, are akin to hidden health problems that have persisted under the skin for years, but that people haven’t been consciously aware of. They can turn into emergencies very quickly.
When a zero day risk emerges, organizations need to test and deploy fixes almost immediately. Otherwise, a zero day attack could overwhelm the organization, leading to system crashes, collapses or other types of destruction.
In order for a zero day attack to commence, a hacker must first identify a software vulnerability – an error in the code yet undiscovered by the original software developers. The hacker then devises a means of “exploiting” the code. In other words, the hacker finds a way to use the code as a portal through which to infiltrate organizations that use the software.
Examples of zero days
In a simple, hypothetical example, an attacker might identify a vulnerability in Google Chrome. After identifying the vulnerability, the hacker could conceive of a means of using it to access an organizations’ browser tabs, gleaning information about who performs which types of tasks, intellectual property information, or other insights. Cyber attackers commonly record, exfiltrate or steal such information for profit-driven purposes.
In a real-world example, in 2009, a group of government-backed hackers leveraged a zero day in Internet Explorer and other Windows software versions to target the intellectual property of over 20 different American organizations. The hackers’ wanted to obtain source code, likely so that they could copy it and build inexpensive versions of premium products. According to Google, attackers did manage to steal intellectual property.
In 2010, the Stuxnet worm used four zero day vulnerabilities. The software was designed to manipulate the speed of sensitive enrichment centrifuges in Iran. The goal was to limit the country’s nuclear potential. The Stuxnet worm reportedly infected over 200,000 devices across 14 facilities, running up to 10% of the 9,000 centrifuges in the city of Natanz.
The term zero day
The term zero day comes from the digital media world. When a movie, music or other media are illegally available prior to official release, they’re sometimes referred to as “zero day”. In other words, the contraband version hits shelves, laptops, or livelihoods ahead of the official version’s release.
Prevention starting points:
Zero day attack
The best starting point for zero day attack prevention involves absorbing real-time information about the latest threats. Further, organizations should deploy a web application firewall (WAF) on a network edge. This allows administrators to review incoming traffic and to filter out malicious inputs.
10 zero day attack prevention best practices
1. Leverage Windows Defender Exploit Guard. In 2010, Microsoft introduced the Windows Defender Exploit Guard. This effectively mitigates zero day attacks through the following means:
Attack surface reduction (ASR). Use of ASR protects against malware by halting threats based on Office files, scripts and emails. ASR blocks underlying behavior related to malicious documents while facilitating productive scenarios. ASR can identify and stop malicious, obfuscated macro code, JavaScript, VBScript and PowerShell scripts. It can also prevent scripts from executing downloaded payloads or email-based executables.
Network protection. Protect outbound and inbound connections with network protection mechanisms. In turn, these prevent malware from communicating with a command-and-control server. Egress traffic receives evaluation based on hostname and IP reputation. Network connections to untrusted devices are terminated.
Controlled folder access. Controlled folder access helps monitor changes made by applications to files located in protected folders. It can help safeguard critical folders and limit access to authorized applications. This prevents ransomware-based file encryption.
2. Implement a threat intelligence solutions. Threat intelligence solutions rely on sophisticated threat intelligence databases. For example, Check Point Software’s ThreatCloud database inspects 4 million files each day. In turn, on a daily basis, it helps block 7,000 zero day attacks.
3. Consider next-generation antivirus. Antivirus solutions that rely on file signatures for malware detection purposes may not be of much assistance when you’re up against zero day threats. While traditional antivirus can be useful when vulnerabilities are publicly announced and vendor databases are updated, zero day malware preempts these systems.
Next generation antivirus technology can’t identify all zero day attacks. However, it can limit the potential for attackers to push through an endpoint with unknown malware.
4. Strong patch management protocols. Every organization should have a patch management strategy. Employees across the IT operations, development and security teams should have a clear understanding of the strategy and how it might play out within an average work day.
Larger organizations should rely on an automated patch management solution. Automated solutions source patches from vendors, automatically identify systems that require updates, test patch-related changes, and automatically deploy the patch to production. As a result, organizations avoid the problem of missing a legacy system during patch management, and then inadvertently allowing hackers to compromise the system.
5. Input validation. Input validation, a.k.a. data validation, refers to the proper testing of any input offered by an application or user. This prevents improperly formed data from entering a system. The practice protects organizations via the vulnerability scanning and patch management process. In turn, organizations can respond to inbound threats in real-time.
6. Consider an AI-powered cyber security solution. Artificial intelligence is essential when it comes to zero day attack prevention. AI-powered engines can analyze thousands of threat indicators, producing accurate verdicts that help organizations get ahead of zero day threats.
7. Ensure use of mobile threat prevention. Mobile devices -from phones to USBs- can bring threats into networks. On account of system set-ups, threats associated with mobile devices often make it past firewalls.
8. Implement a strong data backup system. A strong data backup system means that a given organization will be able to efficiently recover from threats. It also means that the organization will likely avoid catastrophic cyber damage. Follow the 3-2-1 rule. Reliable backups are arguably worth their weight in gold. They also provide peace-of-mind for executives and security professionals alike.
9. Maintain an incident response plan. All types of organizations, across industry sectors, benefit from retaining incident response (IR) plans. Create an incident response plan that’s specific to zero day attacks. Just in case your zero day threat prevention fails. This can give you an edge in the event that a zero day attack comes your way.
The SANS institute recommends focusing on six areas of incident response. Your zero day attack IR plan should cover:
- Preparation. This area includes a risk assessment ahead of an incident and encourages organizations to document roles, responsibilities and processes during a potential incident.
- Identification. In this area, organizations can define how to detect a potential zero day attack (leveraging tools and/or operational means), how to determine the authenticity of the attack, and can zero in on which additional data should be included in threat reporting.
- Containment. Upon identifying a security incident, what steps should be taken in order to contain the incident? Are there means of preventing the continuation of the attack and/or long-lasting effects? How can your organization clean and restore affected systems?
- Eradication. At this stage, organizations need to identify the origins of an attack. IT professionals should ensure that proper steps are taken to avoid similar attacks.
- Recovery. Here, organizations need to write down how they will bring systems back online, test them, and ensure continuous monitoring to confirm that all systems are back to normal.
- Lessons learned. In this section, a plan should indicate when and how to conduct a post-attack analysis. This can help an organization determine how to better prepare for a future threat.
10. Install a comprehensive cyber security solution. A comprehensive cyber security solution will come with capabilities like sandboxing, SOC and XDR options, remote device protection, and means of managing your entire estate from a single point.
In conclusion
Stay informed regarding the latest zero day threats. In addition, follow expert-led best practices and adopt advanced industry security solutions. For further information about how you can block zero day threats, click here. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.