Defending Against Zero-Day Threats
Zero-day threats are attacks that exploit a vulnerability not yet publicly known, for which no patch or antivirus signature exists, and they are a major concern for administrators. So what can an administrator do to prevent zero-day attacks from affecting the systems under their control?
No method of detecting zero-day exploits is 100% reliable; however, two things can greatly help an administrator if the standard precautionary measures designed to prevent infection fail.
The first is patch management. On its own this has a limited effect against a true zero-day, since the vulnerability is unknown and no patch exists for it. However, if all systems are fully up to date, an exploit that gains a foothold cannot then chain through older, long-patched vulnerabilities to escalate privileges or move laterally, so the scope of the attack is reduced and the attacker can cause only limited damage while further threats are contained.
Furthermore, with a robust patch management and vulnerability scanning system in place, the administrator is notified as soon as the attack becomes public and security vendors add checks for the vulnerability to their scanners. Together these two tools let the administrator find the affected systems and apply workarounds or compensating controls until a patch for the vulnerability is released. The administrator is also notified when the patch is published, which minimizes the window of opportunity for an attack to take place.
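The core of the patch-management check described above is comparing each host's installed versions against the fixed version named in an advisory. The following is an added example, not code from the original article or from any vendor's product; the inventory, product names and advisory identifiers are constructed for illustration. It shows the one detail that commonly goes wrong in home-grown checks: versions must be compared numerically, component by component, because a plain string comparison ranks "7.0.9" above "7.0.10".

```python
"""Patch-compliance check: flag hosts running software below the fixed version
from a published advisory.  Added example; inventory and advisories are
constructed for illustration, not real products or real vulnerabilities."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.0.10' into (7, 0, 10) so components compare as integers.
    Non-numeric suffixes such as '1.2.3-rc1' are reduced to their digits."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first fixed version.
    Both tuples are zero-padded so '1.24' and '1.24.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str   # first version that contains the fix
    ref: str        # advisory identifier (hypothetical, constructed here)


# Constructed inventory: host -> {product: installed version}
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"examplelib": "3.0.12", "exampleweb": "1.24.0"},
    "web-02": {"examplelib": "3.0.9",  "exampleweb": "1.24"},
    "db-01":  {"examplelib": "3.0.12", "exampledb": "15.4"},
}

# Constructed advisories: the fixed version the vendor announced for each product.
ADVISORIES: List[Advisory] = [
    Advisory("examplelib", "3.0.12", "EXAMPLE-ADV-001"),
    Advisory("exampleweb", "1.24.0", "EXAMPLE-ADV-002"),
    Advisory("exampledb", "15.5", "EXAMPLE-ADV-003"),
]


def find_unpatched(inventory: Dict[str, Dict[str, str]],
                   advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Return host -> advisory refs that still apply to it.  Hosts with
    nothing outstanding are omitted, so an empty dict means fully patched."""
    findings: Dict[str, List[str]] = {}
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.product)
            if installed is not None and is_vulnerable(installed, adv.fixed_in):
                findings.setdefault(host, []).append(adv.ref)
    return findings


if __name__ == "__main__":
    for host, refs in sorted(find_unpatched(INVENTORY, ADVISORIES).items()):
        print(f"{host}: needs {', '.join(refs)}")
```

Run against the constructed data, only web-02 (old examplelib) and db-01 (old exampledb) are reported; web-02's "1.24" is correctly treated as equal to the fixed "1.24.0" rather than flagged.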
The second option is a good antivirus solution. A zero-day attack does not become public knowledge for some time, and during that period an antivirus product relying on standard signature (pattern) matching will not detect files that carry the exploit, because no signature for it exists.
However, effective antivirus solutions do not rely solely on signatures to detect threats. A good antivirus also uses heuristic analysis: rather than looking only for known byte patterns in a file, it analyses what the file actually does when executed (typically in an emulator or sandbox), and classifies the file as malicious if it exhibits suspicious behaviour. This technique can detect a zero-day threat even though the vulnerability it exploits is not yet publicly known.
While antivirus solutions that use heuristic analysis can be a great weapon against zero-day malware, there is no guarantee that the malware's behaviour will always be classified as malicious. However, when antivirus is coupled with a strong patch management strategy, the administrator has a much stronger defence against infection by zero-day threats.
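To make the heuristic approach (and its limits) concrete, here is an added example that is not part of the original article and does not represent any real antivirus engine. It scores a trace of events that a sandbox or emulator would observe while a sample runs; the event format, rule weights, threshold and sample traces are all constructed for illustration. The third trace shows the caveat from the paragraph above: a sample whose observed behaviour trips none of the rules scores zero and is passed as clean.

```python
"""Toy behaviour-based (heuristic) classifier.  Added example; the event
format, rules, weights and traces are constructed and not from any AV product."""
from typing import Dict, List, Tuple

Event = Dict[str, str]          # {"op": <operation>, "target": <path/key/endpoint>}
THRESHOLD = 5                   # constructed; a real engine tunes this on corpora


def _is_raw_ip(endpoint: str) -> bool:
    """True for 'a.b.c.d:port' endpoints, i.e. a connection with no DNS name."""
    host = endpoint.rsplit(":", 1)[0]
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def score_trace(events: List[Event], sample_path: str) -> Tuple[int, List[str]]:
    """Walk the observed events once, adding a weight for each suspicious
    behaviour.  One rule is stateful: executing a file the sample itself wrote
    (a dropper pattern) needs the earlier file_write to have been seen."""
    score, reasons = 0, []
    written = set()
    for e in events:
        op, tgt = e["op"], e["target"].lower()
        if op == "file_write":
            written.add(tgt)
        if op == "reg_set" and "\\currentversion\\run" in tgt:
            score += 3; reasons.append("persistence via Run key")
        elif op == "proc_create" and tgt in written:
            score += 3; reasons.append("executes a file it just wrote (dropper)")
        elif op == "proc_inject":
            score += 4; reasons.append("injects code into another process")
        elif op == "file_delete" and tgt == sample_path.lower():
            score += 2; reasons.append("deletes its own executable")
        elif op == "net_connect" and _is_raw_ip(tgt):
            score += 2; reasons.append("connects to a raw IP address")
    return score, reasons


def classify(events: List[Event], sample_path: str) -> Tuple[str, int, List[str]]:
    score, reasons = score_trace(events, sample_path)
    verdict = "malicious" if score >= THRESHOLD else "clean"
    return verdict, score, reasons


SAMPLE = "C:\\Users\\alice\\Downloads\\invoice.exe"   # constructed path of the file under test

# Constructed trace of a dropper: writes and runs a payload, persists, phones home, self-deletes.
DROPPER_TRACE: List[Event] = [
    {"op": "file_write",  "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"},
    {"op": "proc_create", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"},
    {"op": "reg_set",     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"op": "net_connect", "target": "203.0.113.10:4444"},
    {"op": "file_delete", "target": SAMPLE},
]

# Constructed trace of a legitimate installer: one persistence entry, named update host.
INSTALLER_TRACE: List[Event] = [
    {"op": "file_write",  "target": "C:\\Program Files\\ExampleApp\\app.exe"},
    {"op": "reg_set",     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleApp"},
    {"op": "net_connect", "target": "updates.example.com:443"},
]

# Constructed trace of a sample that avoids every rule above: nothing is scored,
# so it is passed as clean whatever it does next.  This is the no-guarantee caveat.
EVASIVE_TRACE: List[Event] = [
    {"op": "file_write",  "target": "C:\\Users\\alice\\AppData\\Roaming\\notes.dat"},
    {"op": "net_connect", "target": "cdn.example.net:443"},
    {"op": "proc_create", "target": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for name, trace in [("dropper", DROPPER_TRACE), ("installer", INSTALLER_TRACE),
                        ("evasive", EVASIVE_TRACE)]:
        verdict, score, reasons = classify(trace, SAMPLE)
        print(f"{name}: {verdict} (score {score}) {reasons}")
```

The dropper scores well above the threshold, the installer's single Run-key entry stays below it, and the evasive trace scores nothing at all. That last case is why the article pairs heuristics with patch management rather than relying on either alone.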

Heuristic analysis is invaluable. Another thing that works in smaller organizations is maintaining regular backups and restore points. While some things can be lost in the process, for a particularly debilitating attack rewinding the tape can be useful. However, ultimately it won’t prove to be any good unless you can pinpoint the cause of infection.
Hi Alicia,
I totally agree with your regular backups with multiple restore points. In case things go wrong, that can definitely save you!
I’ve been working as a system admin for almost five years now – all I can say is that patch management almost always works, with a 99 percent success rate. Bugs, malware, and other forms of security threats and vulnerabilities can be fixed with an efficient patch management system.
Although patch management can’t solve and detect all threats, it can help contain what could have been a much bigger problem. It’s a real life saver for me.
Also, if I may add, aside from patch management and vulnerability scanning, you can also try to integrate penetration testing into your system to defend against zero-day threats.
Heuristics is the best weapon against zero-day threats. I don’t say patches and updated antivirus are useless, but when they do not contain the remedy against the attack, they don’t help a lot. The worst thing with zero-days is that you might be totally oblivious to the fact that you got hacked.
For me, the best defense against zero-day threat is no other than zero threat protection. Think of it as the complete opposite of zero-day threat.
The principle behind this is that software engineers should protect any form of software against new attacks even before a vulnerability is presented to them. It sounds impossible to do, but in reality it’s not.
At present, where information is easily disseminated and cloud computing is on the rise, zero-threat protection is very plausible.