In today’s complex, data-driven world, many security vulnerabilities and attacks can jeopardize an organization’s data. Perhaps the most difficult, however, are zero-day vulnerabilities.
Malicious attackers have gotten increasingly better at identifying vulnerabilities and launching zero-day attacks to exploit these weak points in IT systems. Therefore, organizations need to ensure they’re protected against harmful vulnerabilities, specifically zero-day vulnerabilities. Because they’re previously unknown to experts, it’s nearly impossible for security professionals to anticipate them, which puts organizations worldwide at great risk.
Moreover, zero-day vulnerabilities are particularly pernicious because they can become endemic, evolving into a chronic critical issue for months and even years. To ensure the safety of their customers, employees, and business data, organizations must have a strategy to protect against zero-day vulnerabilities.
What is a zero-day vulnerability?
Zero day refers to security vulnerabilities that are discovered in software when teams had “zero days” to work on an update or a patch to remediate the issue and, hence, are already at risk. Zero day is often linked with three concepts: vulnerability, exploit, and attack. Let’s explore the key differences between these terms:
- A zero-day vulnerability is an unknown software vulnerability that has been discovered by attackers before the organization is aware of it.
- A zero-day exploit is a technique an attacker uses to take advantage of an organization’s vulnerability and gain access to its systems.
- A zero-day attack occurs when an attacker exploits these software vulnerabilities and causes significant damage before an update or patch has been implemented.
A zero-day vulnerability can become endemic when it’s present in a system for an extended amount of time and is more complex to protect against. Although IT teams are thorough in checking their code for any errors, an attacker can always discover a loophole to exploit and damage applications, infrastructure, and critical data. If a malicious attacker can identify a key software vulnerability, they can exploit the vulnerability, allowing them to gain access to your systems. There are many different cyberattack methods that can achieve this, including injection, cross-site scripting, JNDI attacks, and more.
What are traditional methods to detect zero-day attacks?
Zero-day attacks can manifest in various subtle forms and are often difficult to detect. Typically, organizations might experience abnormal scanning activity or an unexpected traffic influx that is coming from one specific client. One way to detect zero-day attacks is by observing software behavior and identifying whether any actions are malicious. Machine learning can also identify data from previously known exploits to establish a baseline to guide future possible exploits. Application logs are a good data source for this method.
Techniques such as statistics-based monitoring and behavior-based monitoring are also possible. Statistics-based monitoring is when organizations take statistics from exploits that vendors have detected and feed them into a system to learn and identify these attacks. Behavior-based monitoring is when an organization takes harmful software and purposefully induces a system, identifying any suspicious traffic and scanning through the interactions of the software and the system.
While both methods can be successful, they can leave gaps in identifying newly emerging threats, which can result in false positives, false negatives, and so on.
Examples of zero-day vulnerabilities
Recently, the industry has seen an increase in attempted attacks on zero-day vulnerabilities. For example, within a week of the discovery of the Log4Shell vulnerability, Microsoft reported more than 1.8 million attack attempts, against half of all corporate networks. However, as the Operation Aurora example below shows, attack attempts on zero-day vulnerabilities have always been prevalent.
- Log4Shell is a widespread software vulnerability that occurred in December of 2021 in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability enables a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j 2. While mitigation evolves and the damage unfolds, the fundamentals of the Log4j vulnerability won’t change. Malicious actors can execute any code on the attacked system, for example, to access sensitive configuration data. In capturing this data, attackers could gain full control of a system — and all its data and applications.
- Spring4Shell is a critical vulnerability that emerged in March of 2022 that affects the Spring Java framework, an open-source platform for Java-based application development. The Spring framework is popular because it enables software engineers to more easily write and test code to maintain modular applications. Since many developers use Spring, many applications are potentially affected. Spring4Shell is a very severe vulnerability since if an attacker exploited it, applications could be vulnerable to remote code execution (RCE).
- Operation Aurora was a series of cyberattacks in 2009 that specifically targeted major enterprises, including Google, Adobe Systems, Yahoo, and more. The vulnerability’s main goal was to gain access to the source code of these widely known companies and make modifications to it.
Dynatrace Application Security helps protect against zero-day vulnerabilities
It’s critical to understand how you can protect your organization against zero-day vulnerabilities while ensuring teams are simultaneously working hard to resolve the issues contained in the code. Current methods such as web application firewalls (WAFs) and runtime application security protection (RASP) don’t protect against unanticipated attacks. WAFs are rule-based and produce many false positives. RASP tools don’t live up to their promise in enterprise environments, rely on agent technology, and require significant overhead.
Dynatrace Application Security fills the gaps in these solutions by providing real-time runtime application protection. Based on code-level insights and transaction analysis, you can detect and block attacks without configuration, achieving a perfect OWASP benchmark score for preventing injection attacks: 100% accuracy and zero false positives.
When Log4Shell became public, Dynatrace Application Security customers had an advantage: Within minutes after information about the vulnerability hit the wire, Dynatrace notified customers if they had an issue, the issue’s severity, and where to start remediation most effectively. With the ability to identify and block attacks that are happening in real time and with no configuration required, Dynatrace Application Security can help protect your business against zero-day vulnerabilities.
To learn more about how to protect your organization against zero-day vulnerabilities, join us for the on-demand webinar, Automating application security to detect and remediate vulnerabilities like Log4Shell with Dynatrace.
With zero-day attacks on the rise, Black Hat 2022 will focus on the importance of an airtight runtime application security strategy. For additional resources on zero-day attacks, check out our Black Hat 2022 guide.