A "zero-day" exploit is any vulnerability that's exploited immediately after its discovery. This is a rapid attack that takes place before the security community or the vendor knows about the vulnerability or has been able to repair it. Such exploits are a Holy Grail for hackers because they take advantage of the vendor's lack of awareness and the lack of a patch, enabling the hacker to wreak maximum havoc.
Zero-day exploits are often discovered by hackers who find a vulnerability in a specific product or protocol, such as Microsoft Corp.'s Internet Information Server and Internet Explorer or the Simple Network Management Protocol. Once they are discovered, zero-day exploits are disseminated rapidly, typically via Internet Relay Chat channels or underground Web sites.
Why is the threat growing?
Although there haven't yet been significant zero-day exploits, the threat is growing, as evidenced by the following:
- Hackers are getting better at exploiting vulnerabilities soon after discovery. It would typically take months for vulnerabilities to be exploited. In January 2003, the SQL Slammer worm exploit appeared eight months after the vulnerability was disclosed. More recently, the time between discovery and exploitation has been reduced to days. Just two days after Cisco Systems Inc. disclosed a vulnerability in its Internetworking Operating System software, exploits were seen; MS Blast was exploited less than 25 days after the vulnerability was disclosed, and Nachi (a variant of MS Blast) struck a week later.
- Exploits are being designed to propagate faster and infect larger numbers of systems. Exploits have evolved from the passive, slowly propagating file and macro viruses of the early 1990s to more active, self-propagating e-mail worms and hybrid threats that take a few days or a few hours to spread. Today, the latest Warhol and Flash threats take only a few minutes to propagate.
- Knowledge of vulnerabilities is growing and more are being discovered and exploited.
For these reasons, zero-day exploits are a scourge for most enterprises. A typical enterprise uses firewalls, intrusion-detection systems and antivirus software to secure its mission-critical IT infrastructure. These systems offer good first-level protection, but despite the best efforts of security staffers, they can't protect enterprises against zero-day exploits.
What to look for
By definition, detailed information about zero-day exploits is available only after the exploit is identified. To understand how to determine if your company has been attacked by a zero-day exploit, here is an example:
In March 2003, a Web server run by the U.S. Army was compromised by an exploit using a buffer-overflow vulnerability in WebDAV. This was before Microsoft was aware of the vulnerability, and hence no fix was available. The exploited machine collected information on the network and sent it back to the hacker. Army engineers were able to detect this exploit because of the unexpected increase in network scanning activity originating from the compromised server. The engineers started to rebuild the exploited machine only to find that it was hacked again. After the second attack, the engineers realized they had encountered a zero-day exploit. The Army notified Microsoft, which subsequently developed a patch for the vulnerability.
The following are key signs a company would see when attacked with a zero-day exploit:
- Unexpected potentially legitimate traffic or substantial scanning activity originating from a client or a server
- Unexpected traffic on a legitimate port
- Similar behavior from the compromised client or server even after the latest patches have been applied
In such cases, it's best to conduct an analysis of the phenomenon with the affected vendor's assistance to understand whether the behavior is due to a zero-day exploit.
How should companies secure themselves?
No enterprise can protect itself entirely against zero-day exploits. However, companies can take reasonable steps to ensure a high probability of protection:
- Prevention: Good preventive security practices are a must. These include installing and keeping firewall policies carefully matched to business and application needs, keeping antivirus software updated, blocking potentially harmful file attachments and keeping all systems patched against known vulnerabilities. Vulnerability scans are a good means of measuring the effectiveness of preventive procedures.
- Real-time protection: Deploy inline intrusion-prevention systems (IPS) that offer comprehensive protection. When considering an IPS, seek the following capabilities: network-level protection, application integrity checking, application protocol Request for Comment (RFC) validation, content validation and forensics capability.
- Planned incident response: Even with the above measures, a company can get infected with a zero-day exploit. Well-planned incident-response measures, with defined roles and procedures including prioritization of mission-critical activities, are crucial to minimizing the business damage.
- Preventing the spread: This can be done by limiting connections to only those required for business needs. This will mitigate the spread of the exploit within the organization after the initial infection.
Zero-day exploits are a challenge for even the most vigilant systems administrator. However, having the proper safeguards in place can greatly reduce the risks to critical data and systems.