Endpoints are often considered the weakest link in the enterprise security chain. Zero day attacks are, by definition, threats that are difficult to plan for and defend against. How can you prevent zero day threats from reaching and compromising your endpoints? Endpoint protection technology is a good start, but is not enough. Read on to discover how you can prevent the next big breach.
What is a Zero-Day Vulnerability?
A zero-day vulnerability is a flaw in an application or software that has been exposed to cybercriminals before the software provider has discovered it. This means that there is no patch that can be quickly applied, and nothing to prevent an attacker from exploiting the vulnerability.
For this reason, zero-day vulnerabilities are considered a severe security threat, which requires a complex response including multiple layers of defense.
How Do Zero-Day Exploits Occur?
Here is the typical lifecycle of a zero day attack:
- Vulnerability introduced—a developer introduces vulnerable code into a software application that is later deployed by users.
- Exploit released—the attackers discover the vulnerability and devise a technique suitable for attacking the vulnerable systems.
- Vulnerability discovered by vendor—but a patch is not available yet.
- Vulnerability disclosed publicly—someone (either the vendor or security researchers) announces the vulnerability, ensuring that both users and attackers are aware of it.
- Attack signatures released—once security vendors identify the signature of exploits for the vulnerability, they can protect against them. However, at this time systems are still exposed to other exploits.
- Patch released—by the vendor. The time between the discovery of a vulnerability and the release of a patch can range from a few hours to several months, depending on the complexity of the issue and the severity of the vulnerability.
- Patch deployment completed—it is not enough that a vendor releases a patch. Each user must deploy the patch, otherwise the vulnerability remains in their system. This can take some time, because not all organizations have a patch management and deployment system, and many home users ignore software updates.
Here are several additional considerations:
- The window of exposure, during which the system is vulnerable to the zero-day attack, can last throughout the entire lifecycle explained above.
- Follow-on attacks—can occur even after the vulnerability is disclosed. If attackers manage to get into the affected system before the patch is deployed, they can launch a follow-on attack and cause more damage.
How to Protect Endpoints Against Zero-Day Attacks
Here are several ways you can successfully detect and block zero day attacks on endpoints.
1. Zero Trust
Zero Trust is a security strategy that restricts access to network resources according to user permissions. Every user must be authorized and authenticated to be granted access to an application or data. Zero Trust does not rely on traditional security boundaries like a network perimeter—it assumes that anyone could be a malicious actor, even if they are already inside the perimeter, unless authorized and continuously validated.
While zero trust is not a direct defense against zero-day threats, it can help contain them by limiting the damage an attacker can do once they have compromised an endpoint by exploiting a zero-day vulnerability. Zero trust can both deter a potential attacker and limit the ability of a successful attacker to move laterally and compromise further systems.
Zero Trust integrates advanced techniques and technologies to verify a user’s identity and protect the network. These include:
- Identity and access management (IAM)
- Multi-factor authentication (MFA)
- Identity protection and verification
- Least privilege controls
- Endpoint protection systems
- Data encryption
- Behavioral analysis
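The per-request decision described above (authenticate and authorize every request, never trust network location, re-validate continuously, grant least privilege) is easier to see as code. The following is an added example and not code from the article or any Zero Trust product: the `AccessRequest` type, the `PERMISSIONS` table, the `DEVICE_POSTURE` feed, the 30-minute re-authentication interval and all sample requests are assumptions constructed for illustration.

```python
"""Per-request zero-trust access decision (added illustration, not from the article).

Every request is checked against identity (MFA), session freshness (continuous
validation), device posture and a least-privilege permission table. The field
source_inside_perimeter is carried on the request but deliberately never consulted:
being inside the network perimeter earns no trust.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Least-privilege table (constructed): (role, action, resource) tuples that are allowed.
# Anything not listed is denied, so the policy is default-deny.
PERMISSIONS = {
    ("finance-analyst", "read", "ledger-db"),
    ("finance-analyst", "read", "payroll-share"),
    ("dba", "read", "ledger-db"),
    ("dba", "write", "ledger-db"),
}

# Continuous validation: a session older than this must re-prove identity, even if
# the original login was fully valid. Assumed value for the example.
MAX_SESSION_AGE = timedelta(minutes=30)

# Device posture feed (constructed) as an EDR/MDM agent might report it.
DEVICE_POSTURE = {
    "lt-0421": {"edr_running": True, "disk_encrypted": True, "patch_current": True},
    "lt-0999": {"edr_running": False, "disk_encrypted": True, "patch_current": False},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    action: str
    resource: str
    mfa_verified: bool              # did this session satisfy multi-factor authentication?
    authenticated_at: datetime      # when the session was established (UTC)
    device_id: str
    source_inside_perimeter: bool   # recorded for audit only; never used in the decision


def evaluate(req: AccessRequest, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failing check is reported."""
    if not req.mfa_verified:
        return False, "mfa-required"
    if now - req.authenticated_at > MAX_SESSION_AGE:
        return False, "reauthentication-required"
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None or not all(posture.values()):
        return False, "device-noncompliant"
    if (req.role, req.action, req.resource) not in PERMISSIONS:
        return False, "not-authorized"
    return True, "allowed"


# Fixed "now" so the sample decisions are reproducible.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def sample_decisions() -> list[str]:
    """Run five constructed requests through the policy and return the reason for each."""
    fresh = NOW - timedelta(minutes=5)
    stale = NOW - timedelta(hours=2)
    cases = [
        # allowed: MFA, fresh session, compliant device, permitted role/action/resource
        AccessRequest("alice", "finance-analyst", "read", "ledger-db", True, fresh, "lt-0421", True),
        # denied: role may read but not write (least privilege)
        AccessRequest("alice", "finance-analyst", "write", "ledger-db", True, fresh, "lt-0421", True),
        # denied: non-compliant device, even though the request comes from inside the perimeter
        AccessRequest("bob", "dba", "write", "ledger-db", True, fresh, "lt-0999", True),
        # denied: session too old, identity must be re-proven
        AccessRequest("bob", "dba", "write", "ledger-db", True, stale, "lt-0421", True),
        # denied: no MFA, and "inside the perimeter" does not compensate
        AccessRequest("carol", "dba", "read", "ledger-db", False, fresh, "lt-0421", True),
    ]
    return [evaluate(c, NOW)[1] for c in cases]


if __name__ == "__main__":
    for reason in sample_decisions():
        print(reason)
```

The point of the third and fifth cases is that the request originates inside the perimeter and is still denied; the policy function never reads that field, which is the property a zero-trust control must have.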
2. Threat Modeling
Threat modeling is a strategy for identifying security threats by creating a picture of a system’s vulnerabilities from the point of view of an attacker. This allows organizations to understand the different threat agents and the level of harm they can cause. Threat modeling can take place at all stages of an application’s development, but it is typically conducted at the design stage.
Threat modeling can help understand the threat actors behind zero day threats, how they operate, and where they are likely to strike. It involves analysis of aspects such as the software architecture and business context to provide an in-depth understanding of your system and its vulnerabilities. Objectives of threat modeling include:
- Identifying vulnerabilities and potential exploits
- Quantifying and prioritizing threats
- Establishing security requirements
- Informing remediation measures
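A small worked example of the objectives listed above (identify, quantify, prioritize) follows. It is added here and is not from the article; it uses the STRIDE categories (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege), which the article does not name, applied to each data flow that crosses a trust boundary, and lowers the likelihood of a threat when an existing control (encryption, authentication) addresses it. The three-tier system, the trust zones, the 1 to 5 scoring scale and the adjustments are all constructed for illustration.

```python
"""Threat enumeration and prioritization from the attacker's view (added illustration).

Assumptions: a data-flow view of a system where each flow has a source and
destination trust zone; STRIDE per boundary-crossing interaction; a constructed
likelihood x impact score on a 1..5 scale.
"""
from __future__ import annotations

from dataclasses import dataclass

STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information disclosure", "Denial of service", "Elevation of privilege",
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_zone: str       # trust zone of the source, e.g. "internet", "dmz", "internal"
    dst_zone: str
    data: str           # comma-separated labels of what travels on the flow
    encrypted: bool     # transport encryption in place?
    authenticated: bool  # is the caller authenticated on this flow?


@dataclass
class Threat:
    flow: Flow
    category: str
    likelihood: int     # 1 (rare) .. 5 (expected)
    impact: int         # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def crosses_boundary(flow: Flow) -> bool:
    return flow.src_zone != flow.dst_zone


def enumerate_threats(flows: list[Flow]) -> list[Threat]:
    """STRIDE for every flow that crosses a trust boundary; existing controls lower likelihood."""
    threats: list[Threat] = []
    for f in flows:
        if not crosses_boundary(f):
            continue  # internal-to-internal flows are out of scope for this pass
        base = 4 if f.src_zone == "internet" else 2   # internet exposure drives likelihood
        impact = 5 if ("credential" in f.data or "pii" in f.data) else 3
        for cat in STRIDE:
            likelihood = base
            if cat in ("Spoofing", "Elevation of privilege") and f.authenticated:
                likelihood -= 1
            if cat in ("Tampering", "Information disclosure") and f.encrypted:
                likelihood -= 2
            threats.append(Threat(f, cat, max(1, likelihood), impact))
    return threats


def prioritize(threats: list[Threat]) -> list[Threat]:
    """Highest score first; stable, so equal scores keep enumeration order."""
    return sorted(threats, key=lambda t: t.score, reverse=True)


# Constructed data-flow diagram of a three-tier web application.
FLOWS = [
    Flow("browser", "web-app", "internet", "dmz", "credentials,pii", encrypted=True, authenticated=False),
    Flow("web-app", "api", "dmz", "internal", "pii", encrypted=False, authenticated=True),
    Flow("api", "db", "internal", "internal", "pii", encrypted=False, authenticated=True),
]


def top_threats(n: int = 3) -> list[tuple[str, str, str, int]]:
    """The n highest-priority threats as (source, destination, category, score)."""
    ranked = prioritize(enumerate_threats(FLOWS))
    return [(t.flow.src, t.flow.dst, t.category, t.score) for t in ranked[:n]]


if __name__ == "__main__":
    for src, dst, cat, score in top_threats(12):
        print(f"{score:>3}  {src} -> {dst}: {cat}")
```

The output ranks the unauthenticated internet-facing flow first, which is where the security requirements (authentication, logging for repudiation, rate limiting) get written. The scoring weights are illustrative; in a real model they come from the business context the article mentions.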
3. Windows Defender Exploit Guard
Windows Defender Exploit Guard was introduced by Microsoft as part of Windows 10. It is a highly effective, readily available tool that can combat zero-day threats on Windows machines, which make up a large percentage of endpoints in many enterprises.
Key capabilities of Windows Defender Exploit Guard include:
- Folder access control—tracks changes made to protected files. Exploit Guard allows authorized applications to access protected folders and blocks other access, limiting the ability of ransomware to encrypt files.
- Network protection—stops malware from connecting to a command and control (C&C) server by blocking outbound network traffic to untrusted destinations. Exploit Guard evaluates connections according to IP and hostname reputation.
- Endpoint protection—blocks suspicious activity on endpoint devices using policy-based rules. Endpoint protection software typically offers preset rules but organizations can choose to create unique rules for their specific challenges.
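Blocking is only half of the value of these capabilities; the block events they write are also a detection source for the security team. The following is an added example, not code from the article or from Microsoft, that triages a batch of exported Exploit Guard block events: it flags a process blocked from writing to several protected folders (the ransomware pattern the article describes), a process repeatedly blocked from reaching one untrusted destination, and a legitimate-looking application whose single block suggests the allowed-applications list needs tuning. The event IDs follow Microsoft's documented mapping for the Windows Defender operational log as I recall it (1121 attack surface reduction block, 1123 controlled folder access block, 1126 network protection block) and should be verified against current documentation; the record layout is a constructed simplification of the real event XML, and every sample record is constructed.

```python
"""Triage of Exploit Guard block events (added illustration, not from the article).

Assumed event IDs (verify against Microsoft's current documentation):
1121 attack surface reduction block, 1123 controlled folder access block,
1126 network protection block. The flat dict layout and all records are
constructed samples, not real log output.
"""
from collections import Counter, defaultdict

ASR_BLOCK = 1121
CFA_BLOCK = 1123
NP_BLOCK = 1126

# Constructed sample batch, as a log-export tool might flatten the events.
EVENTS = [
    {"id": CFA_BLOCK, "process": r"C:\Users\j\AppData\Local\Temp\inv.exe", "target": r"C:\Users\j\Documents\q1.xlsx"},
    {"id": CFA_BLOCK, "process": r"C:\Users\j\AppData\Local\Temp\inv.exe", "target": r"C:\Users\j\Pictures\a.jpg"},
    {"id": CFA_BLOCK, "process": r"C:\Users\j\AppData\Local\Temp\inv.exe", "target": r"C:\Users\j\Desktop\notes.txt"},
    {"id": CFA_BLOCK, "process": r"C:\Program Files\LegacyApp\legacy.exe", "target": r"C:\Users\j\Documents\report.docx"},
    {"id": NP_BLOCK, "process": r"C:\Users\j\AppData\Local\Temp\inv.exe", "destination": "203.0.113.7:443"},
    {"id": NP_BLOCK, "process": r"C:\Users\j\AppData\Local\Temp\inv.exe", "destination": "203.0.113.7:443"},
    {"id": NP_BLOCK, "process": r"C:\Users\j\AppData\Local\Temp\inv.exe", "destination": "203.0.113.7:443"},
    {"id": ASR_BLOCK, "process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "rule": "office-child-process"},
]


def protected_folder(path: str) -> str:
    """Name of the top-level profile folder a target path belongs to, e.g. 'Documents'."""
    parts = path.split("\\")
    if len(parts) > 4 and parts[1] == "Users":
        return parts[3]
    return parts[-2]


def triage(events, min_folders: int = 3, min_repeat: int = 3):
    """Return (counts per event id, list of findings) for one batch of events."""
    counts = Counter()
    folders_by_proc = defaultdict(set)       # process -> protected folders it was blocked from
    dest_by_proc = defaultdict(Counter)      # process -> blocked destination -> attempts
    for e in events:
        counts[e["id"]] += 1
        if e["id"] == CFA_BLOCK:
            folders_by_proc[e["process"]].add(protected_folder(e["target"]))
        elif e["id"] == NP_BLOCK:
            dest_by_proc[e["process"]][e["destination"]] += 1

    findings = []
    for proc, folders in folders_by_proc.items():
        if len(folders) >= min_folders:
            # one binary touching many protected folders is the mass-encryption pattern
            findings.append(("mass-write-attempt", proc, sorted(folders)))
        elif proc.startswith(r"C:\Program Files"):
            # an installed application blocked once is usually a tuning task, not an attack
            findings.append(("review-for-allow-list", proc, sorted(folders)))
    for proc, dests in dest_by_proc.items():
        for dest, attempts in dests.items():
            if attempts >= min_repeat:
                # repeated blocked connections to one untrusted destination: investigate the process
                findings.append(("repeated-blocked-outbound", proc, dest))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(EVENTS)
    print(dict(counts))
    for f in findings:
        print(f)
```

The allow-list finding matters as much as the two attack findings: controlled folder access only stays enabled in production if the team has a routine for separating legitimate applications that need access from everything else, which is exactly what this summary supports.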
4. Next-Generation Antivirus (NGAV)
NGAV solutions extend traditional AV capabilities to better protect your endpoints. They combine new technologies such as artificial intelligence and machine learning algorithms to detect behavioral anomalies and mitigate exploits of known and unknown vulnerabilities.
NGAV uses a cloud-based architecture, so you can deploy it in hours rather than months, reducing the maintenance burden for the software and infrastructure. Cloud-based machine learning algorithms enable NGAV to keep up with ever-evolving cyber threats and anticipate the tactics, techniques and procedures (TTPs) that attackers may use to infiltrate your system.
NGAV is effective against a range of attack vectors and techniques, ranging from standard malware to zero-day malware and fileless attacks.
5. User and Event Behavioral Analytics (UEBA)
UEBA is a security system based on behavioral profiling driven by machine learning analysis. It identifies normal behavior patterns that can then be used to automatically detect behavioral anomalies. If a user or IT system is behaving suspiciously, UEBA alerts the security team.
Traditional security solutions often fail to detect zero day threats, yet UEBA can detect and mitigate them successfully. UEBA can identify:
- Insider threats—the attacker is a malicious insider and is difficult to detect because traditional security methods register them as a legitimate user. UEBA can recognize if an authorized user is behaving unusually or posing a risk, for example by escalating privileges or transferring large amounts of data.
- Lateral movement—the attacker infiltrates the network, usually via an endpoint vulnerability, and moves laterally within the network to access further systems. UEBA can analyze multiple systems as a unified ecosystem and detect unusual activity that moves between systems.
- Privileged devices and accounts—the attacker targets an endpoint that is used by highly privileged users such as network administrators or senior executives. UEBA can detect anomalous behavior on privileged assets.
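To make the baseline-then-anomaly idea concrete, here is an added example (not code from the article or any UEBA product) that builds a simple per-user profile from a constructed baseline period and then raises the three kinds of alerts listed above: a large data transfer far outside the user's usual volume, an action the user has never performed before, and a privileged account reaching several hosts it never touched during the baseline. The records, the z-score threshold and the "two new hosts in a day" rule are assumptions; a product would learn such profiles with machine learning over a much longer window.

```python
"""Behavioral baseline and anomaly alerts over constructed log records (added illustration).

Records are tuples (day, user, host, action, bytes_out). The profile per user is
mean and population standard deviation of daily bytes out, the set of hosts used
and the set of actions performed during the baseline period. Thresholds are assumed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline period (days 1..14). alice moves 40-50 MB/day from her workstation;
# the admin account logs in to ws-02 and runs sudo on srv-db every day.
BASELINE = (
    [(d, "alice", "ws-01", "login", 40_000_000 + 5_000_000 * (d % 3)) for d in range(1, 15)]
    + [(d, "admin-bob", "ws-02", "login", 10_000_000) for d in range(1, 15)]
    + [(d, "admin-bob", "srv-db", "sudo", 0) for d in range(1, 15)]
)

# Constructed detection period with three embedded anomalies.
NEW = [
    (20, "alice", "ws-01", "login", 45_000_000),       # normal
    (21, "alice", "ws-01", "login", 900_000_000),      # ~20x her usual daily volume
    (21, "alice", "srv-fs", "sudo", 0),                # alice has never used sudo anywhere
    (22, "admin-bob", "ws-02", "login", 10_000_000),   # normal
    (22, "admin-bob", "srv-web", "login", 0),          # new host for this account...
    (22, "admin-bob", "srv-ci", "login", 0),           # ...and a second one the same day
]


def build_profiles(records):
    """Per-user statistical and set-based baseline."""
    per_user = defaultdict(list)
    for r in records:
        per_user[r[1]].append(r)
    profiles = {}
    for user, rs in per_user.items():
        daily = defaultdict(int)
        for day, _, _, _, nbytes in rs:
            daily[day] += nbytes
        vals = list(daily.values())
        profiles[user] = {
            "mean": mean(vals),
            "std": pstdev(vals),
            "hosts": {r[2] for r in rs},
            "actions": {r[3] for r in rs},
        }
    return profiles


def detect(records, profiles, z_threshold=3.0, new_hosts_per_day=2):
    """Compare a new period against the profiles and return a list of alerts."""
    alerts = []
    daily = defaultdict(int)         # (user, day) -> bytes out
    new_hosts = defaultdict(set)     # (user, day) -> hosts not seen in the baseline
    for day, user, host, action, nbytes in records:
        p = profiles.get(user)
        if p is None:
            alerts.append(("unknown-user", user, day))
            continue
        if action not in p["actions"]:
            alerts.append(("unseen-action", user, f"{action}@{host}"))
        if host not in p["hosts"]:
            new_hosts[(user, day)].add(host)
        daily[(user, day)] += nbytes
    for (user, day), total in daily.items():
        p = profiles[user]
        std = p["std"] or 1.0        # perfectly regular users have std 0; avoid dividing by zero
        if (total - p["mean"]) / std > z_threshold:
            alerts.append(("large-transfer", user, day))
    for (user, day), hosts in new_hosts.items():
        if len(hosts) >= new_hosts_per_day:
            alerts.append(("lateral-movement", user, sorted(hosts)))
    return alerts


def run():
    return detect(NEW, build_profiles(BASELINE))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two details are worth keeping when extending this: the transfer check is per day rather than per event, so a slow exfiltration split into many small writes still sums against the baseline, and the lateral-movement rule is evaluated on the privileged account across hosts, which is the "unified ecosystem" view the article describes rather than a per-host view that would see only one unremarkable login each.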
In this article I explained how zero day threats work and described five effective ways to combat zero day threats in your organization, with a particular focus on securing endpoints:
- Adopting a zero trust security model, which prevents zero day attacks from spreading in your corporate network and doing damage
- Using threat modeling methodologies to understand how attackers operate and identify gaps in your defenses
- Using Windows Defender Exploit Guard, an excellent solution provided as part of Windows which can defend a large percentage of endpoints against zero day threats
- Deploying Next-Generation Antivirus (NGAV), which includes behavioral analysis that can identify zero day threats by their anomalous behavior
- Leveraging User and Event Behavioral Analytics (UEBA) which can identify anomalous behavior across networks and user accounts, helping you detect and respond to zero day threats fast
I hope this will help you bolster your security defenses and protect against the most difficult part of the threat landscape – the unknown.