Zero day attacks anatomy & countermeasures By Cade Zvavanjanja Cybersecurity Strategist
Question? How do you secure against something Your security system can t capture, your experts don t know, your vendors don t know and the tech community doesn t know? ~ Which is only known by the attacker(s)!
Outline: Key terms Anatomy of Zero days Attack methodology Zero day attack(s) Countermeasures Way forward Economics of cybersecurity Q & A References
Key term(s): Zero-day exploits are cyber-attacks against software/hardware vulnerabilities that are unknown and have no patch or fix.
Introduction: Traditional security tools rely on malware binary signatures or the reputation of outside URLs and servers. By definition, these defenses identify only known, confirmed threats. At the same time, operating system-level protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) are becoming less effective
Intro Cont. An attacker can easily hijack a legitimate website to bypass a blacklist. Code morphing and obfuscation techniques generate new malware variants faster than traditional security firms can generate new signatures. And spam filters will not stop lowvolume, targeted spear-phishing attacks. ASLR bypassing methods to neutere once-effective safeguard.
Intro Cont. Zero day attacks are rising in prominence They tend to be behind the most devastating attacks these days Generally used by very high end criminals and nation states You usually don t know about the attack unless there are other indicators
Key term(s)
Lifespan of Zero-day: typical zero-day attack lasts an average of eight months and can last close to three years in some cases. That gives attacks ample time to steal organizations most valuable assets and leave before anyone knows what happened. Not surprisingly, zero-day exploits are heavily used in targeted attacks. These secret weapons give attackers a crucial advantage over their targets.
Zero Day Anatomy
Introduction
Threat landscape:
Countermeasures:
Way Forward
Economics of Cybersecurity
What is the ratio between events received and action taken? What is the efficacy level in the events & incidents you identify (i.e. the real cyber attack event to false positive ratio)? How many cycles do you iterate through to get from an event(s) to an action; is it timely and cost efficient? (Can you rank the processes/tools you leverage today in terms of man-hours and skills required to get to to action?)
Do you align, prioritize and qualify events against against business goals and impact (How many cycles does this take)? Make the assessment using the framework & success criteria below to evaluate the key time and cost multipliers in your event/incident security process, so you can validate the economic value that comes from the processes and tools you leverage today, to see which are effective and which are not?
Q& A: Thank You Cade Zvavanjanja Director - Zimbabwe Cybersecurity Center cadezvavanjanja@gmail.com +263 773796365
References Zero Day Malware Threat Prevention Ensuring Document Safety with Outside In Clean Content Oracle brief july 2015 The Best Defenses Against Zero-day Exploits for Various-sized Organizations SANS I September 21st 2014: David Hammarberg http://www.trapx.com/wp-content/uploads/2015/02/anatomy-of- Attack Zombie-Zero.pdf http://www.industryweek.com/rockwell-connected-industrialenterprise/cyber-threats-hiding-targeting-valuable-assets Internet Security Threat ReportInternet Report Symatic, APRIL 2016 https://www2.fireeye.com/rs/848-did-242/images/wp-zero-day-danger.pdf k-zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks A Review on Zero Day Attack Safety Using Different Scenarios 2015 Harshpal R Gosavi and Anant M Bagade Detection and Prevention of Unknown Vulnerabilities on Enterprise IP Networks IJRITCC February 2015, Vincy Rose Chacko Regulating the zero-day vulnerability trade: a preliminary analysis 2014: mailyn fidler