What to do when a zero-day strikes

Zero-day attacks sound scary, but security experts say you can ride them out with some simple precautions.

It’s 9:30 AM and with your email out of the way, you settle back and decide to read SearchSecurity ANZ.

That’s when a nice-looking day turns nasty, because we carry a story about a zero-day attack on one of your critical applications. Criminals, the story explains, could quite easily invade the software on which your business relies and steal data galore.

What do you do next?

Zero-day checklist

Fred Borjesson, Regional Endpoint Sales Manager, Asia Pacific, at CheckPoint, offers a flowchart for approaching zero-day attacks.

  1. How critical is this application or system to our organisation, partners and/or customers? What is the business impact of taking the application or system offline until the vulnerability is removed?
    1. Can I live without this tool for a few days?
  2. What is the impact of this vulnerability being exploited?
    1. Is the impact so minor, and/or are we able to control it using other solutions, that we can take the risk of running as is?
  3. What tools do we have to remove and/or minimise the risk of an exploitation of the vulnerability?
    1. Can we use an IPS, firewall, anti-malware or other solution to “patch” the problem now?
  4. What tools do we have to proactively stop the vulnerability from being exploited?
    1. As in 3 above, and potentially changing design and/or communication.
  5. What alternative applications, systems and/or manual processes can be implemented until the vulnerability is removed?
    1. Upgrade, downgrade, competitive application etc.

Paul Ducklin, Sophos’ Asia-Pacific Head of Technology says you almost certainly can remain at your desk and finish your coffee, because “Many so-called ‘zero-day’ attacks are not quite as ‘zero-day’ as the media might lead you to think. They are not practicable as an attack vector against your setup.”

Joshua Simmons, Symantec’s Asia Pacific and Japan Regional Product Management, also feels zero-days may be a little overrated.

“Symantec documented 4,501 vulnerabilities in 2009 yet only 12 of these were zero-day,” he says.

Ducklin therefore advises: “Do not act on hearsay. Do not act on fear, uncertainty and doubt. Do not act ‘because you saw it on TV.’ Zero-day vulnerabilities are a matter for science and engineering. They can't be fixed with sympathetic magic or knee-jerk responses. So check for a reasoned risk analysis with someone who knows what they're talking about.”

He adds that “If you have a decent endpoint security and control solution, you may already be safe; if not, there may be a dozen suitable options for rendering yourself safe until the patch is out and you are ready to deploy it.”

Another option, he says, is to use a “minor, non-disruptive configuration change” that can mitigate the risks a new attack represents.

That change could include the recommendation to “Update all of your operating systems and applications to the latest versions” offered by Lloyd Borrett, Marketing Manager for anti-virus vendor AVG. “Most zero-day threats initially get onto your system via one exploit, but some also rely on other exploits to do their dirty work. So ensuring you are as up-to-date as possible helps to mitigate the risk,” he says.

“If you have reason to believe that the above measures will not be adequate, ask your application vendor if rolling back to an earlier version might be a solution. Although very rare, sometimes security holes are specific to newer versions of applications with the users of older versions safe from the threat.”

Getting on the phone to a vendor might, however, be a little hard on the day a zero-day emerges. The vendor’s call centre could be in meltdown, or the vendor may not even know of the problem yet or have had time to formulate a response.

Nelson DaSilva, a Systems Engineering Manager for Fortinet’s South Pacific operations, therefore recommends enacting pre-prepared plans that offer guidance on how to deal with a zero-day.

“It is prudent to assume that you will always have some unknown zero day vulnerabilities in your key IT systems, and put together a few response scenarios for how you plan to contain and clean up a problem – before it actually occurs,” he says.

Those plans should include preparation of “accurate and complete records of software and hardware assets, including software versions, allowing you to quickly estimate the real risks posed by any particular threat, and simplifying cleanup if malware strikes.”
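The kind of record DaSilva describes is only useful if it can be queried the moment an advisory lands. As an added example (not from the article or any vendor quoted in it), the script below matches a vendor advisory against an asset inventory and ranks the exposed machines by business criticality, so the checklist questions above can be answered from records rather than guesses. The product names, versions, hostnames and criticality ratings are all constructed sample data.

```python
# Added example: match an advisory against an asset inventory.
# Inventory, advisory and criticality ratings below are constructed sample data.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    criticality: str      # "high", "medium" or "low", as rated by the business

def parse_version(text):
    """Turn '9.3.2' into (9, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(version, fixed_in, first_affected="0"):
    """True when first_affected <= version < fixed_in (the advisory's affected range)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(fixed_in)

def exposed_assets(inventory, advisory):
    """Return assets running the vulnerable product inside the affected range,
    most critical first, so containment effort goes where the impact is."""
    rank = {"high": 0, "medium": 1, "low": 2}
    hits = [a for a in inventory
            if a.product == advisory["product"]
            and is_affected(a.version, advisory["fixed_in"],
                            advisory.get("first_affected", "0"))]
    return sorted(hits, key=lambda a: (rank[a.criticality], a.host))

# Constructed advisory: the fix shipped in 9.3.2; every earlier 9.x build is affected.
ADVISORY = {"product": "ExamplePDF Reader", "first_affected": "9.0", "fixed_in": "9.3.2"}

# Constructed inventory.
INVENTORY = [
    Asset("fin-ws-01", "ExamplePDF Reader", "9.3.1", "high"),
    Asset("hr-ws-07", "ExamplePDF Reader", "9.3.2", "medium"),   # already on the fixed build
    Asset("dev-ws-12", "ExamplePDF Reader", "8.2.0", "low"),     # below the affected branch
    Asset("ops-ws-03", "ExamplePDF Reader", "9.1.0", "medium"),
    Asset("web-srv-01", "ExampleWeb Server", "2.4.0", "high"),   # different product
]

if __name__ == "__main__":
    for a in exposed_assets(INVENTORY, ADVISORY):
        print(f"{a.criticality:6} {a.host:12} {a.product} {a.version}")
```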

“If your organisation is not likely to be specifically attacked – which is the most common situation - then you need to consider how you will detect whether zero day malware has breached your defences. In many cases, it is possible to see changes in CPU or memory usage, or unusual patterns in network traffic. Of course you will probably never spot these changes if you aren’t already measuring and benchmarking system and network performance.”
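DaSilva’s point that you cannot spot a change you were never measuring is easy to demonstrate. As an added example (not from the article), the script below keeps a per-host baseline of daily outbound connection counts and flags a day that sits far outside that host’s own history; a host with too little history is reported as unjudgeable rather than quietly passed. The hostnames and counts are constructed sample data, and the seven-day minimum and three-sigma threshold are assumptions, not figures from the article.

```python
# Added example: baseline-and-deviation check over a simple host metric.
# All hosts and counts below are constructed sample data.
from statistics import mean, stdev

MIN_BASELINE_DAYS = 7     # assumption: below this there is no baseline to compare against
Z_THRESHOLD = 3.0         # assumption: this many standard deviations counts as "unusual"

def assess(history, today):
    """Return (status, z_score); status is 'no_baseline', 'normal' or 'anomalous'."""
    if len(history) < MIN_BASELINE_DAYS:
        return "no_baseline", None
    mu, sigma = mean(history), stdev(history)
    # A perfectly flat history (sigma == 0) means any change at all is worth a look.
    if sigma == 0:
        return ("anomalous" if today != mu else "normal"), None
    z = (today - mu) / sigma
    return ("anomalous" if abs(z) > Z_THRESHOLD else "normal"), z

def review(metrics):
    """Assess every host in {host: (history, today)}; return the anomalous ones."""
    flagged = {}
    for host, (history, today) in metrics.items():
        status, z = assess(history, today)
        if status == "anomalous":
            flagged[host] = (today, z)
    return flagged

# Constructed sample: daily outbound connection counts for three workstations.
METRICS = {
    "fin-ws-01": ([310, 298, 305, 320, 290, 315, 300, 308, 295, 312], 1950),  # sudden burst
    "hr-ws-07":  ([120, 118, 125, 130, 115, 122, 119, 121, 124, 117], 128),   # within its norm
    "new-ws-99": ([140, 150, 135], 900),   # too little history to judge yet
}

if __name__ == "__main__":
    for host, (today, z) in review(METRICS).items():
        print(f"{host}: {today} connections today, z={z:.1f}")
    for host, (history, today) in METRICS.items():
        if assess(history, today)[0] == "no_baseline":
            print(f"{host}: only {len(history)} days of history, no baseline yet")
```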

DaSilva says that if you detect an attack, “the most sensible first response will often be containment of the problem from the rest of the organisation. The purpose of containment is to limit the spread of the problem, while giving you time to come up with a cleanup strategy. Some businesses run mission critical systems which simply cannot be shut down or disconnected from the Internet, so the manner of containing the threat will vary.”

“In simple situations, containment could involve sections of the network being unplugged. More sophisticated alternatives involve setting up restrictive security measures for network traffic, or implementing web proxy settings which only allow computers to access a tightly defined whitelist.”

Symantec’s Simmons also feels some preparation can get you through a zero-day. He advocates acquiring intelligence services that bring you as much information as possible about a new threat, and using patch management tools so that you know the state of your defences and can roll out a new patch quickly.

“Combine your knowledge of the vulnerability, your environment and your security tools to make a proactive response,” he says. “For example, if the vulnerability is in a PDF reader, consider blocking PDFs at your email or web gateways until a patch is available. If an active attack using the vulnerability is known to make connections to specific hosts on the Internet to deliver stolen confidential data, block these hosts at the perimeter firewall.”

Simmons also advises that “The time between a zero-day vulnerability being announced and a patch being available (and more importantly, applied!) is a window of heightened risk. If possible, don’t use the affected application until it is patched [and] treat unusual events with more suspicion than usual and investigate them – a web browser crashing more often than usual could just be a bug, but it could also be the result of an exploitation attempt.”

It could also, Sophos’ Ducklin points out, just be a browser crashing.

“As the Hitchhiker's Guide to the Galaxy makes clear, ‘Don't Panic’,” he concluded.