This post is about how security vendors handle the detection of zero-day attacks, which are exploits against previously unknown vulnerabilities.
 
All modern security products rely on some definition of threats.
 
• These definitions can be as specific as a 'signature' that identifies a unique strain of malware; or
• These definitions can be as general as a behavior pattern that threat actors employ broadly across different strains of malware.
 
Thus, the challenge of security is to keep those definitions up to date as attacks emerge and evolve 'in the wild' every single day. Most organizations outside of the Fortune 500 do NOT have the resources to tackle this challenge on their own.
 
There are TWO approaches to this challenge of staying ahead of the always-shifting threat landscape and new zero-day attacks:
 
1. One is to discover vulnerabilities before threat actors discover them and figure out how to exploit them.
2. Another is to identify the active exploit in the wild early and quickly update your defenses to detect and respond to it.
 
I have seen security vendors using both of these approaches simultaneously to keep their customer environments secure in the face of zero-day attacks.
 
Let’s take a deeper look at HOW.
 
-
 
👉 Early Access to New Vulnerability Information Is CRITICAL
 
As I just said, one way to stay ahead of emerging threats is to know about the vulnerability BEFORE threat actors have an opportunity to exploit it. As soon as a new software vulnerability or security flaw becomes public knowledge, threat actors immediately go to work, taking advantage of the time it takes for security vendors to update their tools and for security teams to then identify and patch their vulnerable systems.
 
That’s why it’s a security best practice for researchers to inform security vendors of new threats and vulnerabilities BEFORE announcing them to the general public.
 
For example, most security vendors participate in the Microsoft Active Protections Program (MAPP).
 
-
 
What is MAPP?
 
The Microsoft Active Protections Program (MAPP) is a program for security software providers (vendors) that gives them early access to vulnerability information so that they can provide updated protections to customers faster.
 
Almost all the major security vendors are PARTNERS in the MAPP program.
 
They all receive security vulnerability information from the Microsoft Security Response Center before Microsoft publishes it in its monthly security update.
 
This lets them use that information to provide protections more quickly through their security software or devices (antivirus software, firewalls, network-based intrusion detection systems, host-based intrusion prevention systems), giving their customers a head start in identifying and remediating the vulnerabilities in their environments.
 
Even with these protections in place, Microsoft recommends that customers deploy security updates as quickly as possible to help prevent exploitation of vulnerabilities.
 
-
 
Discovering Zero-Day Attacks As They Emerge In The Wild
 
Of course, the “good guys” are not always the first to discover new vulnerabilities.
 
Too often, threat actors find and exploit vulnerabilities before security vendors have the opportunity to discover them and before patches are released. These are known as zero-day vulnerabilities.
 
Thus, zero-day vulnerabilities are often discovered AFTER they’ve been exploited in a successful zero-day attack. That’s why it’s important for vendors to keep a constant watchful eye on the global threat landscape and to be able to operationalize new threat information as soon as it becomes available.
 
Four previously unknown or ‘zero-day’ vulnerabilities in Microsoft Exchange Server are now being used in widespread attacks against thousands of organisations with potentially tens of thousands of organisations affected, according to security researchers (March, 2021).
 
The bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft, which issued emergency patches last week, attributed the attacks to a newly discovered hacking team it calls Hafnium, most likely a China-backed group. Microsoft said they were “limited targeted attacks” but warned they could be more widely exploited in the near future.
 
These vulnerabilities were found after attackers exploited them, not before.
 
-
 
The power of the global threat intelligence community is UNLEASHED...
 
There is the Open Threat Exchange (OTX), the world's largest open threat intelligence sharing community, with over 100,000 security researchers and practitioners contributing approximately 2 million pieces of threat data PER DAY. They often alert the community within the INITIAL MINUTES or HOURS of discovering an attack in the wild, and anybody can use this data.
 
Users of OTX can subscribe to any OTX Pulse to enable security alerting on the indicators of compromise (IOCs) published within that pulse. They can also subscribe to email notifications to stay aware of specific attacks, threat actors, or malware families as they evolve.
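To make the pulse-to-alert step concrete, here is an added example (not code from the original post, and not OTX's own software) that loads a constructed pulse shaped like an OTX pulse export (the `indicators` / `indicator` / `type` layout is an assumption about the format), indexes the IOCs by kind, and raises an alert whenever a constructed log line references one of them. Hosts, IPs, domains, hashes and log field names are all invented for the example.

```python
import json
import re
from ipaddress import ip_address

# Constructed pulse, shaped like an OTX pulse export (assumed layout).
# Every value below is invented for this example, not a real indicator.
PULSE_JSON = """
{
  "name": "Example pulse (constructed)",
  "indicators": [
    {"indicator": "203.0.113.45", "type": "IPv4"},
    {"indicator": "bad-update.example", "type": "domain"},
    {"indicator": "3f786850e387550fdab836ed7e6dc881de23001b", "type": "FileHash-SHA1"},
    {"indicator": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
     "type": "FileHash-SHA256"}
  ]
}
"""

# Constructed key=value log lines from DNS, proxy and EDR sources.
# The field names (host, query, dst_ip, sha256, ...) are assumptions.
LOG_LINES = [
    "2021-03-03T10:01:02Z type=dns host=ws-17 query=cdn.bad-update.example",
    "2021-03-03T10:01:05Z type=proxy host=ws-17 dst_ip=203.0.113.45 url=/payload.bin",
    "2021-03-03T10:01:09Z type=edr host=ws-17 event=file_create "
    "sha256=2C26B46B68FFC68FF99B453C1D30413413422D706483BFA0F98A5E886266E7AE "
    "path=C:\\Users\\x\\svc.exe",
    "2021-03-03T10:02:00Z type=proxy host=ws-04 dst_ip=198.51.100.7 url=/index.html",
    "2021-03-03T10:02:11Z type=dns host=ws-04 query=notbad-update.example",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_pulse(pulse_json):
    """Index the pulse's indicators by kind, normalised for matching."""
    pulse = json.loads(pulse_json)
    index = {"ip": set(), "domain": set(), "hash": set()}
    for ind in pulse["indicators"]:
        value = ind["indicator"].strip().lower()
        kind = ind["type"]
        if kind in ("IPv4", "IPv6"):
            index["ip"].add(str(ip_address(value)))   # canonical form
        elif kind in ("domain", "hostname"):
            index["domain"].add(value.rstrip("."))
        elif kind.startswith("FileHash-"):
            index["hash"].add(value)
    return index


def domain_matches(name, watched):
    """Return the watched domain that `name` equals or is a subdomain of."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watched:
            return candidate
    return None


def match_line(line, index):
    """Return (kind, indicator) pairs for every IOC referenced in one log line."""
    fields = dict(KV_RE.findall(line))
    hits = []
    for key in ("dst_ip", "src_ip"):
        if fields.get(key) in index["ip"]:
            hits.append(("ip", fields[key]))
    for key in ("query", "domain"):
        if key in fields:
            hit = domain_matches(fields[key], index["domain"])
            if hit:
                hits.append(("domain", hit))
    for key in ("sha256", "sha1", "md5"):
        if key in fields and fields[key].lower() in index["hash"]:
            hits.append(("hash", fields[key].lower()))
    return hits


def scan(lines, index):
    """Run every log line through the pulse index and collect alerts."""
    alerts = []
    for line in lines:
        host = dict(KV_RE.findall(line)).get("host", "?")
        for kind, value in match_line(line, index):
            alerts.append({"host": host, "kind": kind, "indicator": value, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in scan(LOG_LINES, load_pulse(PULSE_JSON)):
        print(alert["host"], alert["kind"], alert["indicator"])
```

Domains match on suffix labels so a sub-domain of a listed domain still alerts, while a look-alike such as `notbad-update.example` does not; hashes are compared case-insensitively because EDR products differ in the case they emit.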
 
-
 
Security Research Teams of Vendors
 
In addition to the community-powered threat data shared in OTX, for example, all major security vendors have their own 'Research Teams' who work on behalf of all their customers: they monitor the global threat landscape daily, analyze threats with a combination of human and machine intelligence, and then curate threat intelligence that is delivered continuously and automatically to their security devices and services.
 
Most such threat intelligence is ready to use and is written to proactively detect higher-level activities, patterns, and behaviors, effectively automating threat hunting across customer environments.
 
-
 
👉 Behavioral-Based Detection
 
This is the second approach which I mentioned in the beginning of this post.
 
Detecting threats based on indicators of compromise (IOCs) like file hashes and IP addresses enables security teams to identify emerging attacks quickly and with higher confidence.
 
BUT, when used alone, these IOCs are fairly volatile: threat actors can alter them very quickly, easily, and even automatically, so they are not always reliable.
 
Instead, the tactics, techniques, and procedures (TTPs) that threat actors use (and reuse) to carry out attacks are less volatile and therefore more reliable for detecting attacks. These TTPs are like the recipe for an attack: the high-level tasks the attacker performs at each stage. These steps are often the SAME across different malware or campaigns, so identifying them is more effective than focusing on other methods of detection.
 
For example, let us consider a network attack. The initial network intrusion may be done using a brand new, unidentified vulnerability. But once the threat actor gains access to the system he attacked, his recipe calls for downloading the 'tools' needed to move laterally in the network and extract data. These tools can be identified when they are downloaded or when they communicate on the network. They are independent of the initial zero-day vulnerability that was exploited to gain access, so we can still detect the threat by detecting the other tools used in the attack. Got it?
 
To do this, most security vendors use machine learning (ML) algorithms to extract threat characteristics and form clusters that identify known and unknown threats. These "clusters" are based on observed network behavior, OS interactions, and more, and the algorithms further analyze them to identify anomalous behavior. Their security research teams then use this information to codify the tactics, techniques, and procedures (TTPs), which are packaged as correlation rules and delivered continuously to the vendors' security devices or services as part of the threat intelligence subscription.
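The contrast between volatile IOCs and a stable TTP, and the download-then-move-laterally recipe from the network-attack example above, can be shown in a small correlation rule. The following is an added example, not code from the original post or from any vendor: it runs a stale hash-based IOC check and a behavioral rule over constructed endpoint telemetry in which the attacker has rebuilt their tool (so its hash changed) but followed the same recipe. Hostnames, process names, paths, hashes, the event field names and the port list are all assumptions made for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Hash of an earlier build of the attacker's tool (constructed placeholder).
# The attacker recompiled it, so the file seen below carries a different hash.
KNOWN_BAD_SHA256 = {"1" * 64}

# Constructed endpoint telemetry; field names are assumptions for this example.
EVENTS = [
    {"ts": "2021-03-03T10:01:05Z", "host": "ws-17", "type": "network",
     "proc": "outlook.exe", "dst": "203.0.113.45", "port": 443},
    {"ts": "2021-03-03T10:01:09Z", "host": "ws-17", "type": "file_write",
     "proc": "outlook.exe", "path": "C:\\Users\\x\\AppData\\Local\\Temp\\svc.exe",
     "sha256": "2" * 64},
    {"ts": "2021-03-03T10:01:20Z", "host": "ws-17", "type": "process",
     "proc": "svc.exe", "parent": "outlook.exe"},
    {"ts": "2021-03-03T10:03:40Z", "host": "ws-17", "type": "network",
     "proc": "svc.exe", "dst": "10.0.0.23", "port": 445},
    # Benign activity on another host: a document save and a user-run installer.
    {"ts": "2021-03-03T10:02:00Z", "host": "ws-04", "type": "file_write",
     "proc": "winword.exe", "path": "C:\\Users\\y\\report.docx", "sha256": "3" * 64},
    {"ts": "2021-03-03T10:02:30Z", "host": "ws-04", "type": "file_write",
     "proc": "explorer.exe", "path": "C:\\Users\\y\\Downloads\\setup.exe", "sha256": "4" * 64},
    {"ts": "2021-03-03T10:02:45Z", "host": "ws-04", "type": "process",
     "proc": "setup.exe", "parent": "explorer.exe"},
    {"ts": "2021-03-03T10:05:00Z", "host": "ws-04", "type": "network",
     "proc": "setup.exe", "dst": "10.0.0.23", "port": 445},
]

# Processes that normally handle external content but should not drop executables.
DROPPER_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
# Ports typically used for administration of other internal hosts (assumption).
LATERAL_PORTS = {445, 3389, 5985}
WINDOW = timedelta(minutes=10)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def ioc_hits(events, bad_hashes):
    """IOC check: flag file writes whose hash is on the known-bad list."""
    return [e for e in events if e["type"] == "file_write" and e.get("sha256") in bad_hashes]


def ttp_hits(events):
    """Correlation rule for the recipe: a mail/office process writes an .exe,
    that binary runs, and it then connects to an internal host on an admin port,
    all on one host within WINDOW. No hash or address is needed."""
    hits = []
    by_host = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for w in evs:
            if (w["type"] != "file_write"
                    or w["proc"].lower() not in DROPPER_PARENTS
                    or not w["path"].lower().endswith(".exe")):
                continue
            dropped = w["path"].rsplit("\\", 1)[-1].lower()
            start = parse_ts(w["ts"])
            ran = False
            for later in evs:
                t = parse_ts(later["ts"])
                if t < start or t - start > WINDOW:
                    continue
                if later["type"] == "process" and later["proc"].lower() == dropped:
                    ran = True
                elif (ran and later["type"] == "network"
                      and later["proc"].lower() == dropped
                      and later["port"] in LATERAL_PORTS
                      and ip_address(later["dst"]).is_private):
                    hits.append({"host": host, "dropper": w["proc"], "binary": dropped,
                                 "lateral_target": later["dst"], "sha256": w.get("sha256")})
                    break
    return hits


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS, KNOWN_BAD_SHA256))   # stale hash: nothing
    print("TTP hits:", ttp_hits(EVENTS))                    # behavioral rule fires
```

The hash list misses because the tool was rebuilt, while the TTP rule fires on ws-17 and stays quiet on ws-04, where the installer was launched by the user's shell rather than dropped by a mail client. Tuning the parent list, ports and window to the environment is what a vendor's research team does when it packages such a rule.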
 
-
 
Summary
 
In this blog post, I’ve outlined a few of the techniques that security vendors use to detect emerging and evolving threats, including zero-day attacks. To quickly summarize:
 
1. Early access to new vulnerability information allows us to update the vulnerability signatures in security devices/services ahead of public release.
2. OTX acts as an early warning system of experts around the world, bolstered by your internal threat teams, to quickly find and analyze new attacks.
3. Advanced detection techniques like identification of behaviors and TTPs means you can detect many zero-day attacks even if the IOCs change frequently.
 
Please let me know what you think about this in the comments section. You can also share this post if the information here helps you in some way.
 
👉 Kindly write your comments on these posts or topics; when you do, you help me greatly in designing new quality articles/posts on cybersecurity.
 
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in cybersecurity, Cisco technologies, and networking.

She is so obsessed with the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.

30,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts.

If you haven't yet been touched by her enthusiastic work sharing quality info about cybersecurity, you can follow her on Facebook: Cybersecurity PRISM