Day Zero Is How Long??!
We find out about computer security vulnerabilities because someone publicly discloses them. Sometimes the disclosure comes from the vendor of the vulnerable software, or in other cases it comes from a security researcher. In either case, there are always a few people who knew about a particular vulnerability before it was publicly disclosed.
Vulnerabilities that haven’t yet been disclosed are known as “zero-day” vulnerabilities – meaning that the amount of time that the vulnerability has been publicly disclosed is zero days. Zero-day vulnerabilities are particularly dangerous if they fall into the hands of an attacker, as they typically do not have patches and are not blocked by intrusion prevention signatures. In some cases, software vendors and the security industry are completely unaware of zero-day vulnerabilities that attackers are using to target networks for some period of time.
We would like to think that vulnerabilities do not remain zero-day for long, particularly if they are in the hands of attackers. Unfortunately, a recent report from Symantec Research Labs indicates that this is not the case. Symantec retroactively looked at zero-day exploits on more than 11 million machines going back to February 2008 and discovered that 18 zero-day exploits were widely executed in networks for up to 30 months before discovery, with an average window of 312 days. That is almost a year passing before the white hats know that the black hats have keys to your network. Even more troubling, the authors of the paper believe that this window is growing, and that many zero-day exploits remain undiscovered.
Historically, we have comforted ourselves about these threats through two statements. First, “no one is targeting my organization,” and second, “we will detect zero-day attacks as soon as signatures are available.” The Symantec Research report reveals both of these statements to be fallacies.
At Lancope, I have the unique opportunity to meet with security teams across my territory and spend time talking with them about these types of threats. I often ask the question, “How are you detecting targeted attacks and zero-day exploits today?” Most of the folks I ask are honest enough to tell me that they have no hope of seeing these attacks before someone else creates a signature. My follow-on question is, “Who is going to detect them, then?” The sad state of affairs is that the answer to that question is typically “no one,” and that’s why “zero-day” could end up being renamed “zero-year” unless we get our collective act together.
While these conversations constitute the sobering and disheartening part of my job, I really enjoy the conversations I have with customers once Lancope starts intelligently processing their NetFlow data with our StealthWatch System. One of the key reasons that hackers are able to sit so long inside of a network undetected is that once they are in, there is no effective surveillance. Most security operators have no more visibility than what their IDS alarms or other security tools are providing.
Those solutions are fine for finding documented exploits, but rarely provide visibility into zero-day attacks. NetFlow processing, on the other hand, delivers the broadest possible visibility into the network by showing each and every communication taking place. StealthWatch then processes that data to look for suspicious and anomalous traffic.
I love going through StealthWatch dashboards and reports with security teams as the “lights” are shone on the network. First we see the noisy worm infections. Then we see the communications to documented botnet command-and-control servers. After those are cleaned up, we see the users violating policy and leaking protected information. Once we spend the time necessary to clean up the previously “darkened” network, we can start looking for behaviors associated with the sophisticated, targeted attacks that are often launched using zero-day exploits. Those behaviors include internal reconnaissance and scanning as well as connections to command-and-control servers that won’t show up in any IP reputation database.
I’m not going to mislead you into thinking that StealthWatch and NetFlow are a silver bullet for automatically catching zero-day or targeted attacks. Those types of attacks are being driven by smart bad guys and are going to need to be caught by smart good guys. StealthWatch and NetFlow do, however, provide the visibility and toolset that security teams need to catch sophisticated attackers. Those tools need to be placed in the hands of expert analysts who can use them effectively to dig in and find needles in the haystack.
No matter where you land on NetFlow or StealthWatch, your organization needs to have a solid answer to the question, “How do we detect zero-day attacks?” If the Symantec Research report is to be believed, we need to stop thinking that we can afford to wait for zero-day attacks to be covered by signature-based security solutions, or that they aren’t relevant to our organizations. Nowadays, any organization that houses valuable intellectual property can become the victim of a sophisticated threat. All organizations need to “turn on the lights” within their respective networks and start flushing out these zero-day attacks.