Zero-day Threats: Has Detection Become Deception?

Whether it’s a  vulnerability found in Microsoft Windows Task Scheduler service or attackers leveraging a cryptomining attack exploiting an Apache Struts flaw, zero-day threats continue to threaten enterprise security. As more vulnerabilities are reported, these threats create real-world problems for enterprise security.

Zero-day threats are nothing new, but they are an ever-expanding problem. While each new alert of a zero-day vulnerability and proof-of-concept (PoC) might make for juicy headlines, they pose serious risks.

When an attacker is able to exploit these vulnerabilities in the wild, it’s not only harmful to businesses but also to consumers. As I mentioned in a previous post, when a company makes headlines for being breached, it’s often the case that the CISO is out of a job. Job loss and damage to brand are certainly risks that can grow out of zero-day vulnerabilities, but the potential of being breached are only a glimpse into the real-world issue companies deal with when zero-day threats are disclosed.

Once a CERT alert is announced with a PoC, developers get to work on a patch, but patching in itself creates risks.

The Risky Business of Patching

One key lesson organizations should have learned from the Equifax breach is that when companies fail to patch their systems, they are at greater risk of a breach. But there are cases in which patching doesn’t offer a real-world solution to the zero-day problem.

The vulnerability is known and can now be exploited by virtually any cybercriminal. Companies that fail to patch as soon as one is released become prime targets. Yet, enterprises that are running hundreds if not thousands of software applications struggle to keep up with the high volume of patches released. It’s nearly impossible to update them all, particularly when companies are still running legacy systems.

That’s why it’s critical to know your assets and the overall risk exposure of your organization. Certain vulnerabilities may pose little threat to the business. Others, such as the Microsoft zero-day, have the potential to cause major problems. “It can impact fully patched ubiquitous software—Windows 10—which means almost all organizations are vulnerable to it,” said Glen Pendley, deputy CTO at Tenable.

Even in cases where companies have patched previous vulnerabilities, a zero-day threat could come along and negate that measure. So what are organizations supposed to do the defend themselves against unknown threats?

Technology has evolved so that the ability to detect malicious behavior is ever-improving. Anti-virus (AV) solutions are part of a defense in depth approach, but AVs still regularly fail to detect new zero-day threats, said Steve Subar, president and CEO of Comodo Cybersecurity.

“The issue is not that zero-days exist,” said Subar. “In fact, enterprises are spending billions annually to combat the issue. The problem is that the approaches enterprises are taking are ineffective.”

Has Detection Become Deception?

Attackers can leverage known or zero-day vulnerabilities to run malicious code, and malicious actors are cranking out nearly 350,000 new unknown malware samples a day, which means that actual zero-day protection involves much more than detection.

“Preemptive, comprehensive protection that stops all unknown files before they can damage system resources and user assets renders both known and unknown malware harmless,” Subar said.

Investing in detection and response tools is tantamount to admitting that there will be a problem, but “sophistication and velocity is ever increasing, and it’s the new malware that’s the problem. But the vendor community has propagated the notion that detection is protection. Detection has become deception,” Subar said.

Containment technologies monitor endpoints in real time and report all unknown files that have never been seen before. The file is contained to stop it from doing any harm, but the containment doesn’t prevent productivity as users are still granted unfettered access.

While the file is contained, it is denied rights privilege to hardware, registry and the communication interface so that file operates as it normally does. “It thinks it’s talking to a regular system,” Subar said. Once the file is contained, the technology then renders a verdict on whether the file is malicious.

A Fool’s Errand

Do you feel like saying, “Voila! Problem solved”? Hopefully not, because the reality is that no technology can ever offer 100 percent protection. Every day, every minute, every second brings with it the potential of a new zero-day threat.

With the advent of AI and machine learning, technology will continue to evolve, all the while devices will continue to proliferate. More companies will move to multi-cloud platforms, and more and more lines of code will be added into the ecosystem, creating increased potential for more zero-day threats.

“Organizations that take a defense in depth approach and those that are closely attuned to their system configurations and user behavior are the best positioned to reduce their overall risk,” Pendley said. The reality is that businesses continue to rely on technology. As such, approaches to securing the organization against new and emerging threats need to evolve with the same velocity.”

Avatar photo

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 62 posts and counting.See all posts by kacy-zurkus