Zero-day attacks: How to fight back

Most users are vulnerable long before and long after the patch comes out

With cybercrime hitting more than 500 million victims globally and costing $100 billion annually, it’s clear that security breaches are a problem very far from being solved. One particularly dangerous threat that doesn’t seem to be getting its fair share of attention is zero-day attacks.

True, zero-days are just one part of the overall threat landscape. However, virtually everyone is at risk from a zero-day attack. And the threat from zero-day vulnerabilities occurs long before vendor or public discovery, and remains active long after patches are released.

Kasper Lindgaard, head of research at Secunia, explains that “a zero-day vulnerability is a vulnerability that has only been discovered by hackers. The vendor does not yet know of the vulnerability and therefore has not developed a patch for it. In contrast, a general vulnerability is disclosed by the vendor who typically has a patch ready.”

Zero-day attacks can affect just about any user. These attacks arrive through different vectors, including viruses, e-mail attachments, webpages, pop-up windows, instant messages and chat rooms, as well as through social engineering or other types of deception.

Satnam Narang, security response manager at Symantec, says, “Recently we’ve seen a lot of zero-day vulnerabilities in web browsers, as well as in third party applications required to run on some websites. For instance, vulnerabilities in WordPress allowed attackers to inject malicious code into WordPress-based websites. That malicious code takes you to a webpage that will direct you to an exploit kit that will target a vulnerability in a third-party application in your machine such as Flash, Java or your browser.”

Scott Gerlach, director of information security operations at Go Daddy, adds, “You see the growth of attacks targeting websites because they’re easy to reach and because there are millions of them; the footprint of what you can attack is huge.” Today, that represents 2.4 billion Internet users.   

Zero-Days by the numbers

Leyla Bilge and Tudor Dumitras of Symantec Research Labs released a study last fall based on four years of data from 11 million real-world hosts around the world. They found that zero-day attacks last on average 312 days, hitting multiple targets worldwide.

In some cases the attacks remained undiscovered for up to 2½ years. Even after the vulnerabilities are disclosed, the number of attacks exploiting them skyrockets by as much as five orders of magnitude. Even more frightening: one in ten patches has security bugs of its own.

Why zero-day attacks remain dangerous after a patch is issued

Just because a zero-day vulnerability is patched by the vendor does not mean the threat is gone. Gerlach pointed out that “most users don’t update Java regularly and it seems like every updated version of the Java runtime engine has some kind of zero-day workaround to whatever they fixed in the previous version. As a result, just by visiting any number of websites, systems get infected with a Java attack that is a new zero-day as well as revived former zero-days and they have little way to protect themselves other than not running Java.”

Sure enough, while 1.1 billion desktops run Java, 93% of Java users are not running the latest version.

It’s more about protection than detection

How can you defend yourself from something that you don’t know exists? According to James A. Lewis at the Center for Strategic and International Studies, there are four measures which, deployed in combination, can stop almost all attacks.

The four measures are whitelisting, rapid patch deployment for operating systems, the same for applications, and minimizing the number of staff with “administrator” privileges.

Narang adds this advice: “First, isolate machines that have critical data, such as financial information, from the main network. By keeping them separate, applications are less likely to be compromised and, if users need to browse to websites that could potentially be infected, they would be better protected. Next, employ today’s layered security, from applying patches regularly to installing and maintaining antivirus, antispam, antimalware, intrusion detection and applying proper account permissions. Then, always be suspicious. Finally, and something that is oft ignored especially in smaller offices, user education. A well-run, regular user security awareness training program can help bring the dangers from cyberthreats down to a dull roar.”

New ways to nab zero-day attacks

Of technologies claiming to trap never-before-seen forms of zero-day attacks, two seem promising. One is an innovative way to visualize and interact with anomalies in massive data sets of system activity and the other is a just-released and mostly automated system that detects suspect autorun settings.

One of the most frustrating aspects of zero-day detection is the nature of the data itself. This is so especially in enterprise environments where the data is massive, multidimensional, includes both live and static data, and comes from myriad applications and devices often with different protocols and formats. In short, it is overwhelming.

VisiTrend created a solution for the U.S. Department of Defense that is also slated for commercial release late this year. NDVis is a web application that enables users to see graphic representations of the data and to actually interact with it. More precisely, it is a security information and event management (SIEM) system where layers are rules that can show visual alerts or post to a table of alerts.

While at first glance the information hardly seems intuitive, a little training enables users to identify even a single anomaly among what can be more than 1 million events on the screen. It also enables users to use a mouse and touch the data on the screen to immediately evaluate relationships, project effects, plan courses of action (COA), and view the relationships between cyber and kinetic operations. Intended for enterprise environments with trained IT staff, this new form of interactive visual analytics can provide early indicators of zero-day attacks before they do damage.

Sampan Security, a new player in the field, takes an interesting approach. The company assumes that – no matter what you do – some attacks will land on your PC. But, since most malware needs to set itself up to autorun and to survive both reboots and system scans, it must make certain low-level changes to the system, and watching for exactly those changes is what Sampan Security’s FireTower Guard technology does.

Unlike other autorun detection systems that require scans and also require subject matter experts (SMEs), Sampan’s product works automatically in real time and has a cloud-based authentication feature. The result is a solution that helps your own IT staff identify suspicious autorun changes that indicate that malware has tried to set itself up to wreak havoc. This is a good thing considering that, according to Mandiant, 97% of Advanced Persistent Threat (APT) malware they collected for their 2011 report used either Windows Services or Registry Run keys, both of which are tracked by FireTower Guard.
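The monitoring idea behind this kind of product, a baseline of Registry Run keys and Windows Services diffed against the current state so that new or re-pointed entries stand out, can be sketched in a few lines. The example below is added here and is not Sampan Security’s code; both snapshots are constructed inline, and every entry name, image path and the “trusted directory” prefixes are assumptions rather than anything the article reports.

```python
"""Baseline-diff detection of suspicious Windows autorun changes.

Added example, not Sampan Security's code. Snapshots are constructed
inline; all entry names and image paths are made up.
"""
from dataclasses import dataclass

HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Image paths under these prefixes are treated as routine install locations;
# anything else is flagged in addition to being reported as a change.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")

# Constructed baseline snapshot taken while the host was known good.
BASELINE = {
    "run": {rf"{HKLM_RUN}\SecurityHealth":
            r"C:\Windows\System32\SecurityHealthSystray.exe"},
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe"},
}

# Constructed current snapshot: one ordinary-looking install, plus one Run
# key and one service whose images live in user-writable directories.
CURRENT = {
    "run": {rf"{HKLM_RUN}\SecurityHealth":
            r"C:\Windows\System32\SecurityHealthSystray.exe",
            rf"{HKLM_RUN}\ExampleTools": r"C:\Program Files\ExampleTools\tray.exe",
            rf"{HKCU_RUN}\Updater": r"C:\Users\alice\AppData\Roaming\updt\updater.exe"},
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe",
                 "WinHelperSvc": r"C:\Users\Public\svchost.exe"},
}

@dataclass
class Finding:
    kind: str    # "run-key" or "service"
    name: str
    image: str
    reason: str

def diff_autoruns(baseline, current):
    """Return one Finding per autorun entry that is new or points elsewhere."""
    findings = []
    for kind, key in (("run-key", "run"), ("service", "services")):
        for name, image in current[key].items():
            old = baseline[key].get(name)
            if old == image:
                continue                     # unchanged, nothing to report
            reason = "new entry" if old is None else f"image changed from {old}"
            if not image.lower().startswith(TRUSTED_PREFIXES):
                reason += "; image outside trusted program directories"
            findings.append(Finding(kind, name, image, reason))
    return findings

if __name__ == "__main__":
    for f in diff_autoruns(BASELINE, CURRENT):
        print(f"[{f.kind}] {f.name} -> {f.image}: {f.reason}")
```

On a real host the two dictionaries would be filled from the Run keys and the service control manager rather than typed in; the diff logic stays the same.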

Finally, for anyone who thinks that zero-day attacks won’t land in their systems, consider this: for you to be personally at risk they don’t have to. Just think about what risks are posed by the information garnered from compromised machines wherever they are.

Smith is a consultant, a freelance writer in IT and founder of Alexander LAN, Inc. He can be reached at

Copyright © 2013 IDG Communications, Inc.