A few weeks ago, security researchers revealed that a Chinese hacking group had compromised more than 30,000 US organizations since January by using a zero-day attack against on-premises Exchange servers. The attackers also left behind a backdoor (a web shell on the mail server) that would let them return to those networks later and take whatever data they wanted. That sounds bad – and it is. But what exactly is a zero-day attack?
To understand a zero-day exploit, it helps to know how software flaws are normally found and patched. Software vendors and independent security researchers review code constantly, looking for security vulnerabilities. When they find one, they report it privately to the vendor's development team and keep quiet about it until a patch is available. Under common coordinated-disclosure practice that embargo runs up to about 90 days, and the actual fix can take anywhere from days to months.
But security holes aren't always found first by vendors or researchers. Cybercriminals and state-sponsored hacking groups spend thousands of hours (and millions of dollars) hunting for vulnerabilities nobody else knows about. When they uncover one, they get straight to work writing an exploit for it and using it to steal intelligence, corporate secrets or other valuable information.
This is called a zero-day vulnerability, and the code that abuses it a zero-day exploit, because the vendor has had zero days to fix the flaw before it is being used against its customers. Since nothing is yet looking for it, attackers can often use a zero-day to steal data for months before anyone realizes an attack happened.
Should You Worry About Zero-Day Exploits?
Years ago, small businesses didn't have to worry too much about zero-day exploits. If a hacking group found a never-before-discovered vulnerability, they weren't going to waste it on a bunch of small companies. They would use it to gain access to sensitive government information or trade secrets from major corporations. Only after the vulnerability had been discovered, announced and patched at the organizations with the highest-value data would they turn it on small businesses. By that point, the exploit only worked against companies that were slow to patch.
But that was years ago. Today, hacking groups have more money, more people and faster networks than ever before. They no longer have to choose who to target first – they can scan for and exploit tens of thousands of internet-exposed servers at once.
How Do You Defend Against a Zero-Day Attack?
It's extremely difficult to protect your organization from a zero-day attack when the only people who know the vulnerability exists are the group using it against you. Software patches won't protect against a zero-day exploit, because the vendor doesn't yet know what to patch. Signature-based anti-virus and anti-malware programs can't catch code or intrusions they have no signatures for. What you can do is shrink the window: expose as little as possible to the internet, run services with the least privilege they need, and apply patches the moment they ship, because the same exploit keeps working against unpatched systems long after the fix is out.
The most practical defense against zero-day attacks is to deploy AI-based threat detection tools that learn what normal behavior looks like on your network and alert your IT team when something deviates from it, such as a server that suddenly talks to an unfamiliar host, reaches into workstations it never touched before, or sends far more data out than usual. The exploit itself may be invisible, but what the attacker does afterwards (installing a backdoor, moving between machines, pulling data out) still shows up as unusual traffic. Your IT team can then evaluate that traffic to determine whether the access was legitimate or a potential threat that should be analyzed further.
These products have visibility into thousands of business networks. If the software detects similar suspicious behavior at multiple companies, the vendor's incident response team goes to work determining whether this is a new and emerging threat.
Zero-day exploits are being aimed at small and mid-sized companies earlier in the exploit's lifecycle than ever before. The attack referenced above is the second zero-day attack in three months to target vast numbers of US business networks before a software patch addressing the vulnerability was released. With these attacks accelerating, it's more important than ever for businesses to have threat detection tools deployed on their networks. In many cases, they are the first tools able to make sense of unusual and threatening network traffic. They can also help ensure that network access is revoked – permanently – when it comes from locations or devices that can't be explained or justified.
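To make the "learn what's normal, then alert on deviation" idea concrete, here is a small baseline-and-deviation detector over network flow records. This is an added illustration written for this article, not WingSwept's product or any vendor's detection engine, and every host, port and byte count in it is constructed sample data. It learns, for one internal host, which peers it normally talks to and how much it sends per day, then flags never-before-seen peers and days whose outbound volume is far outside the learned distribution, which is roughly the post-exploitation footprint (lateral movement, bulk upload to an unknown host) that a web-shell-driven intrusion leaves even when the exploit itself is unknown.

```python
# Added example: a minimal baseline-and-deviation detector over constructed
# network flow records. Illustrative code for this article, not any vendor's
# detection engine. All IPs, ports and byte counts are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, stdev

DAY = 86_400
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
MAIL_SERVER = "10.0.0.5"  # constructed: the on-premises mail server we baseline


@dataclass(frozen=True)
class Flow:
    """One summarized connection, as a firewall or flow collector would log it."""
    ts: int          # epoch seconds
    src: str         # internal host that opened the connection
    dst: str
    dst_port: int
    bytes_out: int   # bytes sent from src to dst


def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)


class HostBaseline:
    """What 'normal' looks like for one host: who it talks to, and how much per day."""

    def __init__(self, host):
        self.host = host
        self.known_peers = set()              # (dst, dst_port) pairs seen in training
        self.daily_bytes = defaultdict(int)   # day index -> bytes sent that day

    def learn(self, flows):
        for f in flows:
            if f.src != self.host:
                continue
            self.known_peers.add((f.dst, f.dst_port))
            self.daily_bytes[f.ts // DAY] += f.bytes_out

    def volume_zscore(self, total):
        samples = list(self.daily_bytes.values())
        spread = stdev(samples) if len(samples) > 1 else 0.0
        # Floor the spread at 1 byte so a perfectly flat baseline cannot divide by zero.
        return (total - mean(samples)) / max(spread, 1.0)


def detect(baseline, flows, z_threshold=3.0):
    """Alert on peers the host never talked to before, and on days whose
    outbound volume sits more than z_threshold standard deviations above normal."""
    alerts, flagged, new_day_bytes = [], set(), defaultdict(int)
    for f in flows:
        if f.src != baseline.host:
            continue
        new_day_bytes[f.ts // DAY] += f.bytes_out
        peer = (f.dst, f.dst_port)
        if peer not in baseline.known_peers and peer not in flagged:
            flagged.add(peer)
            alerts.append({"kind": "new_peer", "host": baseline.host,
                           "peer": f"{f.dst}:{f.dst_port}",
                           "external": not is_internal(f.dst), "ts": f.ts})
    for day, total in new_day_bytes.items():
        z = baseline.volume_zscore(total)
        if z > z_threshold:
            alerts.append({"kind": "volume_spike", "host": baseline.host,
                           "day": day, "bytes_out": total, "zscore": round(z, 1)})
    return alerts


def constructed_baseline_flows():
    """Seven days of routine traffic from the mail server (constructed)."""
    flows = []
    # Modest day-to-day variation so the learned spread is non-zero.
    update_bytes = [100_000, 110_000, 90_000, 105_000, 95_000, 100_000, 100_000]
    for day, b in enumerate(update_bytes):
        ts = day * DAY + 3_600
        flows.append(Flow(ts, MAIL_SERVER, "52.96.0.1", 443, b))    # vendor update service
        flows.append(Flow(ts, MAIL_SERVER, "10.0.0.2", 53, 2_000))   # internal DNS
    return flows


def constructed_incident_flows():
    """Day eight: routine traffic plus what a web-shell-driven intrusion might look like."""
    ts = 7 * DAY + 3_600
    return [
        Flow(ts, MAIL_SERVER, "52.96.0.1", 443, 100_000),
        Flow(ts, MAIL_SERVER, "10.0.0.2", 53, 2_000),
        Flow(ts + 60, MAIL_SERVER, "10.0.0.20", 445, 30_000),         # SMB to a workstation: lateral move
        Flow(ts + 120, MAIL_SERVER, "203.0.113.7", 443, 50_000_000),  # bulk upload to an unknown host
    ]


def run_demo():
    base = HostBaseline(MAIL_SERVER)
    base.learn(constructed_baseline_flows())
    return detect(base, constructed_incident_flows())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run as a script it prints three alerts: two new peers (the internal workstation on 445 and the external host on 443) and one volume spike for day seven, while replaying the training week against its own baseline produces nothing. The z-score threshold is a tuning knob: a real deployment also needs a per-peer allow list maintained by the IT team, since the first alert on a newly commissioned server is exactly the "legitimate or not?" judgement the article says a human has to make.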
To learn more about threat detection and persistence detection, call us at 919-460-7011 or email us at Team_WingSwept@WingSwept.com.