What Is Zero-Day?
Introduction
Zero day. Perhaps the most frightening words for any IT leader to hear. For security researchers, zero days are one of the more fascinating topics, the crown jewel of hacking: a capability that can bypass traditional security measures, that might allow an attacker to run any code they want, or to penetrate any device. In this post, we will demystify what a zero day really is, how many are actually seen in the wild, what their impact has been, and how you can stay protected.
What is a Zero Day, Really?
The term "zero day" has come to describe one thing: a vulnerability or an attack vector that is known only to the attackers, so it can work without interruption from the defenders. You can think about it as a flaw in a piece of software, or even sometimes hardware. Here's a typical lifecycle of an attack utilizing zero days to compromise devices:
1. A vulnerability or new attack vector is discovered by a malware author.
2. The capability is weaponized and proven to work.
3. The zero day is kept secret and utilized by cyber criminals.
4. The vulnerability is discovered by defenders.
5. The OS vendor or application vendor delivers a patch.
6. The zero day is no longer a zero day.
[Figure: Typical zero day lifecycle, steps 1 to 6 as listed above]
With that said, here is a better scenario, based on responsible disclosure:
1. A vulnerability or new attack vector is discovered by a hacker or a security researcher.
2. The author reports it to the OS or application vendor.
3. A patch is created and released.
4. The zero day is then published, crediting the hacker for his contribution, and sometimes even paying him for the responsible disclosure.
[Figure: Responsible disclosure lifecycle, steps 1 to 4 as listed above]
While the technical ability to discover a zero day (some would call it the ability to break things) is quite similar in both scenarios, the first is a crime that can cause huge damage, both financially and to a brand; the latter is the right path to choose.
What is Not a Zero Day?
The term "zero day" is often used in marketing campaigns, to spread fear or just to demonstrate the risk associated with cyber attacks. The risk is definitely real, while the term is used loosely. Here's what a zero day is not.
1. Malware with an unknown hash or reputation
It is very easy to change existing malware to evade signature-based solutions. In fact, there is a lot of malware out there that uses this technique (https://www.sentinelone.com/blog/what-is-hash-how-does-it-work/) to evade legacy AV. How easy is it? Just see:
[Screenshot]
2. Malware that evades legacy AV string-based scans (e.g., YARA rules)
The same goes for packers (compressing executables without changing the software), yet another common way to infect devices and avoid legacy AV (https://www.sentinelone.com/blog/5-common-cyber-security-threats-that-bypass-legacy-av/), but not a zero day.
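The two points above (a changed hash, and a packed copy that hides the strings a rule keys on) can be shown in a few lines. The following Python is an added example, not SentinelOne's code and not anything from the original page: it builds an inert, constructed byte string shaped like an executable (the hostname inside it is a placeholder), blocklists its SHA-256, adds a simple all-strings-present rule in the spirit of a YARA rule, and then checks which layer still fires after the file is trivially modified or compressed. zlib stands in for a real packer.

```python
import hashlib
import zlib

# Constructed stand-in for a malicious executable: inert bytes shaped like a
# PE header plus two strings a content rule could key on. It is not malware,
# and the hostname is a placeholder.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + b"This program cannot be run in DOS mode."
    + b"beacon-host.invalid" + b"\x00" * 16
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: a reputation/blocklist keyed on the full-file hash, as legacy AV does.
HASH_BLOCKLIST = {sha256_hex(ORIGINAL_SAMPLE)}

# Layer 2: a simple string rule in the spirit of a YARA rule; every string must be present.
CONTENT_RULE = (b"beacon-host.invalid", b"This program cannot be run in DOS mode.")


def hash_match(data: bytes, blocklist=HASH_BLOCKLIST) -> bool:
    return sha256_hex(data) in blocklist


def content_match(data: bytes, rule=CONTENT_RULE) -> bool:
    return all(s in data for s in rule)


def append_overlay(sample: bytes, overlay: bytes = b"\x00") -> bytes:
    """Variant 1: bytes appended after the image (an "overlay"); the code itself is unchanged."""
    return sample + overlay


def pack(sample: bytes) -> bytes:
    """Variant 2: a packed copy; zlib stands in for a packer's compressed payload."""
    return zlib.compress(sample)


def classify(data: bytes) -> dict:
    """Report which detection layers fire for this file."""
    return {"hash": hash_match(data), "content": content_match(data)}


def detection_report(sample: bytes = ORIGINAL_SAMPLE) -> dict:
    """Run both layers over the original sample and its two trivial variants."""
    return {
        "original": classify(sample),
        "overlay_appended": classify(append_overlay(sample)),
        "packed": classify(pack(sample)),
    }


if __name__ == "__main__":
    for name, result in detection_report().items():
        print(f"{name:18s} hash={result['hash']!s:5s} content={result['content']}")
```

The hash layer stops matching after a single appended byte, while the string rule survives that change but not packing. That is why neither an unknown hash nor a packed sample is evidence of a zero day, and why detection has to look at behaviour at execution time rather than at the file alone.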
3. Attacks against unpatched vulnerabilities
If a patch is available, but you did not patch and you got infected, then it was not from a zero day; and it means you need to reconsider your security program (https://www.sentinelone.com/blog/evaluating-endpoint-security-products/). The day Microsoft patched EternalBlue and other RCE exploits (https://www.sentinelone.com/blog/eternalblue-nsa-developed-exploit-just-wont-die/) (14 March 2017), those vulnerabilities ceased to be zero day vulnerabilities. WannaCry, first detected on 12 May that year, was around Day 59 after the patch, not Day 0.
[Figure: What is not a zero day: malware with an unknown hash or reputation; malware that evades legacy AV string-based scans (e.g., YARA rules); attacks against unpatched vulnerabilities]
In-the-Wild, Zero Day Attacks
Thanks to a recently-shared dataset (https://googleprojectzero.blogspot.com/p/0day.html) collated by Google's Project Zero team spanning the years from mid-2014 to the present day, it's possible to shed some light on how knowledge of actual zero days can help improve your security posture.
The dataset includes zero day exploits that were either detected in the wild or were found in circumstances where in-the-wild use is a reasonable inference. For example, it includes exploits developed by the Equation Group and leaked by ShadowBrokers (https://www.sentinelone.com/blog/eternalblue-nsa-developed-exploit-just-wont-die/). Similarly, it includes tools leaked from the hack of defunct Italian private intelligence firm Hacking Team (https://en.wikipedia.org/wiki/Hacking_Team).
In total, there have been 108 zero day exploits discovered between July 2014 and June 2019. On
average, around 20 zero day exploits are detected in the wild each year, which naturally leads to the
question: how many go undetected? What percentage of the total are being detected?
Unfortunately, that will always remain an unknown. Assuming that attackers are not suffering a 100% failure rate, however, defenders should think about their security solution in terms of where attacks might be getting through. Where do you lack visibility in your network? What are the bottlenecks in your [...] times that could be hiding an alert that was lost in the noise (…short-history-of-edr/)?
The data we have shows that the year 2015, with 28 discovered exploits, had by a small margin the
highest number of attacks that leveraged zero day vulnerabilities. The lowest, 2018, only saw 12
detected zero days: a number almost equalled already in the first 6 months of 2019 with 10 detections.
[Chart: In-the-Wild Zero Day Attacks: number of discoveries per year, July 2014 to June 2019]
Attribution: Fundamental & Almost Impossible!
Knowing who is behind an attack is one of the most important mysteries to solve for a truly robust defensive strategy. Whether you are being targeted or just a victim of an indiscriminate attack on computer networks at large can play a crucial role in how your organization responds and allocates resources. Attribution is also the most difficult of all the tasks involved in defending against cybercrime. The entirety of the evidence will likely not lie only in artefacts and forensics on your particular network, and interpretation may equally demand knowledge of context that goes beyond your own organisation, particularly when thinking about nation state actors and APTs (https://www.sentinelone.com/blog/what-are-advanced-targeted-attacks/).
Of the 108 zero days, there are 44 for which no attribution has been claimed at all. Of the other 64,
claims of attribution should be largely taken as ‘best guess’ for the reasons just noted.
With that in mind, the largest number of zero day exploits over the last 5 years appear to be from Russian and American nation state actors, respectively. APT28, also known as Fancy Bear, Sofacy and several other names, were believed to be behind 10 of the zero day exploits detected in the wild. The Equation Group, widely believed to be a unit within the United States National Security Agency, were suspected of being behind 8 of the exploits.
Interestingly, 11 of the exploits discovered were attributed to two private intelligence firms, whose business relies on discovering or buying zero day exploits from other hackers and selling them on to third parties for profit. While their intended customers may be law enforcement or government organisations, the fact that one of these private firms, Hacking Team, were themselves hacked and had their exploits leaked online makes attribution even more difficult.
Attributed actors, by type:
Russian-backed state actor: APT28 / Fancy Bear
US-backed state actor: Equation Group
Private hack-for-sale firm (disbanded): Hacking Team
Middle East-backed state actor: Black Oasis
Private hack-for-sale firm: NSO Group
North Korean-backed state actor: APT37 / ScarCruft
Chinese-based actor: APT19, APT3
What Products Have Been Affected By Zero Days?
Essential to analysing your risk is gauging just how far your own software stack is vulnerable. As already noted, detected exploits tell us nothing about vulnerabilities being leveraged right now that remain undetected, but they can at least shine a light on areas you absolutely must be sure to cover.
As the next graph shows, Microsoft products are by far and away the largest vectors for zero day exploits, with Windows, Office, Internet Explorer and Windows Kernel making up four of the top five affected products. Combined, they account for 62 of the 108 exploits discovered. It won't be a surprise to many to see Adobe's Flash holding up second place, with 23 zero day vulnerabilities found in the multimedia platform.
That has important implications. With such a large percentage of the vulnerabilities found in products from just two vendors, it's clear that use of those vendors' products should be effectively monitored in your environment as a priority.
[Chart: Number of zero days by product. Products shown: Windows, Internet Explorer, Office, Windows Kernel, ASA, Firefox, Java, Reader, VBScript, Chrome, Domino, Ghostscript, Kernel, Silverlight, WebKit, WhatsApp, XML Core Services]
What Vulnerabilities Have Led to Zero Days?
By far, most of the zero day vulnerabilities uncovered were due to memory corruption issues. These result in exploits based on buffer overflows and out-of-bounds read/writes, among others. [...] vulnerabilities were due to logic and/or design flaws such as improper validation. These allowed [...] and remote privilege escalations.
[Chart: Vulnerability classes behind the zero days: Information Leak, Logic / Design Flaw, Memory Corruption, Race Condition, Type Confusion, Use-after-free, UXSS]
How Can You Protect Against Zero Day Exploits?
With 108 zero days discovered over a period of 1,825 days, that works out at an average of a new zero
day exploit in the wild every 17 days. And while that kind of statistic can be misleading — we know the
reality is that many have been leaked in a single day - it does suggest that zero day exploits are not rare
occurrences you can afford to ignore until the next research article or media headline.
Start by ensuring you have a comprehensive approach (https://www.sentinelone.com/blog/network-security-today/) to network security. Your defensive strategy needs to be proactively searching out weak points and blind spots. That means making sure all endpoints have protection, that admins have the ability to see into all network traffic, including encrypted traffic, and knowing exactly what is connected to your network, including Linux-powered IoT (https://www.sentinelone.com/blog/cybersecurity-weakest-link-linux-iot/) machines.
Choose a security solution that does not just whitelist (https://www.sentinelone.com/blog/can-whitelisting-win-advanced-persistent-threats/) code from trusted sources or, equally as bad, puts a blanket network-wide block on tools your employees need in their daily work, killing their productivity.
Instead, look for an endpoint security tool that actively monitors (https://www.sentinelone.com/blog/active-edr-feature-spotlight/) for and autonomously responds to chains of anomalous code execution, and which can provide contextualized alerts for an entire attack chain. A solution like SentinelOne (https://www.sentinelone.com/platform/) allows your employees to use the tools they need to get their work done while at the same time autonomously taking action against malicious code execution, whatever its source.
Finally, prepare for the next news headline in advance. When a zero day attack is next detected, be sure
you have tools in place that can retrohunt (https://www.youtube.com/watch?v=tMdiBjRaEn8) across
your entire network, and that can help you patch quickly and easily
(https://www.sentinelone.com/press/sentinelone-and-automox-partner-
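The advice above (be able to retrohunt across historical telemetry, and know what is still unpatched the moment a zero day is announced) and the earlier "Day 59" arithmetic for WannaCry fit into one small triage routine. The following Python is an added example; it is not part of the original page and not SentinelOne's product code. The patch and first-seen dates are the ones the page quotes for EternalBlue and WannaCry; the telemetry records, patch inventory, host names, file paths and the two advisory hashes are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One process-execution record from endpoint telemetry (constructed)."""
    host: str
    day: date
    sha256: str
    image: str


@dataclass(frozen=True)
class Host:
    """Patch inventory entry; patched_on is None if the patch was never applied."""
    name: str
    patched_on: Optional[date]


# Dates quoted on the page: Microsoft's EternalBlue patch and WannaCry's first detection.
PATCH_RELEASED = date(2017, 3, 14)
WANNACRY_FIRST_SEEN = date(2017, 5, 12)

# Constructed advisory indicators: placeholder hashes, not real IoCs.
ADVISORY_HASHES: Set[str] = {"11" * 32, "22" * 32}

# Constructed historical telemetry (hashes and paths are placeholders).
TELEMETRY: List[Event] = [
    Event("ws-01", date(2017, 5, 10), "11" * 32, r"C:\Users\alice\Downloads\invoice.exe"),
    Event("ws-02", date(2017, 5, 11), "11" * 32, r"C:\Users\bob\AppData\Local\Temp\setup.exe"),
    Event("ws-02", date(2017, 5, 11), "ab" * 32, r"C:\Windows\System32\svchost.exe"),
    Event("srv-file", date(2017, 5, 12), "22" * 32, r"C:\Windows\Temp\update.exe"),
    Event("ws-01", date(2017, 5, 12), "22" * 32, r"C:\Windows\Temp\update.exe"),
]

# Constructed patch inventory for the same estate.
INVENTORY: List[Host] = [
    Host("ws-01", None),
    Host("ws-02", date(2017, 3, 20)),
    Host("srv-file", date(2017, 6, 1)),
    Host("lab-03", None),
]


def exposure_days(patch_day: date, observed_day: date) -> int:
    """Days between patch availability and observed activity: 'Day N', not Day 0."""
    return (observed_day - patch_day).days


def retrohunt(events: Iterable[Event], iocs: Set[str]) -> Dict[str, List[Event]]:
    """Hosts that ever executed an advisory hash, each with its matching events, oldest first."""
    hits: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.day):
        if e.sha256 in iocs:
            hits.setdefault(e.host, []).append(e)
    return hits


def exposed_hosts(inventory: Iterable[Host], patch_day: date, as_of: date) -> Dict[str, int]:
    """Hosts still unpatched on as_of, mapped to how many days they had been exposed by then."""
    return {h.name: (as_of - patch_day).days
            for h in inventory if h.patched_on is None or h.patched_on > as_of}


def triage(events, inventory, iocs, patch_day, as_of) -> List[Tuple[str, str]]:
    """Rank hosts: IoC hit while unpatched first, then a hit on a patched host, then exposed only."""
    hits = retrohunt(events, iocs)
    exposed = exposed_hosts(inventory, patch_day, as_of)
    labels: Dict[str, str] = {}
    for host in set(hits) | set(exposed):
        if host in hits and host in exposed:
            labels[host] = "ioc-hit, unpatched"
        elif host in hits:
            labels[host] = "ioc-hit, patched"
        else:
            labels[host] = "exposed, no hit"
    order = {"ioc-hit, unpatched": 0, "ioc-hit, patched": 1, "exposed, no hit": 2}
    return sorted(labels.items(), key=lambda kv: (order[kv[1]], kv[0]))


if __name__ == "__main__":
    print(f"WannaCry was Day {exposure_days(PATCH_RELEASED, WANNACRY_FIRST_SEEN)} after the patch")
    for host, status in triage(TELEMETRY, INVENTORY, ADVISORY_HASHES, PATCH_RELEASED, WANNACRY_FIRST_SEEN):
        print(f"{host:10s} {status}")
```

The ranking puts a host that both ran an indicator and was still unpatched at the top, because that is where the exploit could actually have succeeded; a hit on a patched host still needs a look (the file arrived, even if the exploit failed), and a host that is merely exposed goes to the patching queue. The routine only works if execution telemetry is retained from before the advisory was published, which is the point of the retrohunt recommendation.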
Conclusion
If there's one thing we can learn from the last 5 years of zero day exploits, it is that zero days are a constant that you need to have a coordinated strategy to deal with. When the next news headline has everyone buzzing, be sure you have the ability to check, patch and defend against any attacker trying to leverage it against your network. If you'd like to see how the SentinelOne solution can help you do just that, we'd love to show you with a free demo (https://www.sentinelone.com/request-demo/).
© 2023 SentinelOne. All Rights Reserved.