Zero-day attacks have businesses and consumers alike worried about how to protect data. If we don’t know what a threat looks like, can we really protect ourselves against it?
For some time, security tools have been developed with the objective of helping organizations defend against the unknown, but the reality of zero-day attacks (the fact that they are by definition brand new, leveraging new vulnerabilities or techniques) makes it difficult to detect using traditional security software.
Let’s look for a moment at antivirus or antimalware software. The reason why you have to continuously install updates for these software solutions is because new signatures (or threat “definitions”) for new strains or versions of malware are constantly being added to their dictionaries. But this doesn’t work for zero-days. What happens when this software doesn’t have a definition for a specific malware yet?
The “old school” way of detecting malware relies on spotting indicators of compromise (IOCs). The problem with this method is that detecting malware via IOCs requires having previously seen that IOC (see Figure 1). This is essentially a signature- and rules-based approach, which requires the software to be acquainted with new “definitions” of an intrusion before it’s able to spot it. As you can imagine, detecting zero-day malware through this process is extremely difficult because zero-day malware is brand new, which means that its specific IOCs haven’t been seen before.
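To make the limitation concrete, here is a small added illustration (not from the original post) of an IOC "dictionary" built from one observed sample: a file hash and a content signature. The samples, hashes and patterns are constructed for the example; the point is that a variant with one changed detail carries none of the stored IOCs and slips past both checks.

```python
import hashlib
import re

# Constructed samples (not real malware): a "known" strain, a lightly
# modified variant of it, and a benign file.
KNOWN_SAMPLE = b"MZ\x90\x00evil_loader: connect 203.0.113.7:4444 then drop"
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"203.0.113.7", b"198.51.100.9")
BENIGN_SAMPLE = b"MZ\x90\x00hello world, nothing to see here"

# A toy "definitions" dictionary of the kind an AV engine ships updates for.
# Both entries were derived from KNOWN_SAMPLE after it had been observed.
HASH_IOCS = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "EvilLoader.A"}
PATTERN_IOCS = {
    "EvilLoader.A": re.compile(rb"evil_loader: connect 203\.0\.113\.7:4444"),
}


def match_hash_ioc(data: bytes):
    """Exact-file IOC: only fires on a byte-for-byte known sample."""
    return HASH_IOCS.get(hashlib.sha256(data).hexdigest())


def match_pattern_ioc(data: bytes):
    """Content signature: fires only when the stored byte pattern is present."""
    for name, pattern in PATTERN_IOCS.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> dict:
    """Run both IOC checks; None means 'no definition matched'."""
    return {"hash": match_hash_ioc(data), "pattern": match_pattern_ioc(data)}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE),
                          ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, scan(sample))
```

The known sample is flagged by both checks, while the variant and the benign file both come back clean; until a new definition is pushed, the detector cannot tell the two apart.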

These traditional applications can be very good at protecting against what has been seen before in the past. But can you train a machine to spot malicious software that has never been observed in the wild? In other words, can a machine detect (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/off-topic/how-to-spot-a-zero-day-sight-unseen/

