Pages

12 September 2016

Zero-day attacks: How DoD should defend from the unknown


John Edwards and Eve Keiser

Department of Defense networks are evolving away from signature-based protection to more effective strategies that could stop a potentially devastating damage from a zero-day attack.

Signature-based protection identifies viruses and malware by comparing them to a database of known signatures. Zero-day threats, however, exploit a previously undisclosed vulnerability in software or hardware — so no registered signature.

Zero-days are capable of creating serious and complex problems before anyone realizes that something is wrong. Once an exploit has been detected, it requires an immediate response, usually in the form of a software patch that seals the vulnerability before further damage can be inflicted on the network.

For many threat actors, including nation-states, economics is the primary driver behind a zero-day attack, according to Jon Miller, vice president of strategy for Cylance, a company that uses artificial intelligence and machine learning technologies to protect network endpoints against advanced forms of malware.

“The more valuable your data, the more they can invest in zero-day attacks to exploit and gain access to that data,” Miller said. “Given that zero-day attacks may represent years of dedicated work and design by highly sophisticated teams ... signature-based anti-malware defenses can’t help you with malware that was custom-built for your targeted endpoints.”

New end-to-end strategy

To address zero-day threats, DoD will need an end-to-end cyber strategy based on open multivendor technologies with sophisticated software and high-performance hardware, said Judson Walker, systems engineering director for Brocade.

“DoD security must be able to adjust in a similar manner as our adversaries adjust,” Walker said. “It is a collective conversation around bringing multiple security point-products together and have them provisioned, activated and configured via a centralized software platform that allows for a centralized policy deployment to leverage the advantages that each point-product provides as part of an end-to-end strategy.”

DoD has a long history of firewalling systems and networks from each other, so the agency is better positioned to handle zero-day attacks than most businesses. “These techniques don’t necessarily prevent a zero-day attack, but they do limit the amount of damage an attacker can do,” said Adam Wick, mobile security and systems software research lead for high-trust security software company Galois. “In the end, however, if an attacker has a zero-day, a target and a place to launch it, no system is immune.”

Build a multifaceted defense

To better detect potentially malicious needles in the network haystack, DoD must improve data collection across a growing number of endpoints and automate key aspects of its data analysis.

“This includes greater integration of data science techniques, such as machine learning and natural language processing, to help free up resources for hunting and responding at scale,” said Mark Dufresne, director of malware research and threat intelligence for security software company Endgame.

Vendors can help by building nonintrusive techniques to prevent initial exploitation and block common techniques used by attackers in the event they gain execution on a targeted system, according to Dufresne.

DoD also should do everything possible to limit the amount of software on its systems. “Zero-day attacks require flaws in software,” Galois’ Wick said. “No matter what your ratio is between lines of code in a system and the number of flaws in a system, less software on a system means less lines of code, which means fewer flaws.”

A thorough knowledge of attacker motives and methods can also help nip zero-day attacks in the bud. “Protecting against zero-day attacks requires understanding of how attackers plan and mount attacks against their targets,” said Cylance’s Miller. “Multiple layers of protection need to be deployed to help mitigate that risk, effectively raising the bar of exploitation above the capabilities of the attacker.”

Limit response time

A swift response is essential in the event a zero-day attack manages to break through safeguards, as is containing the damage.

“The trick with recovering from a zero-day is ensuring that you are not subject to the exact same attack as soon as you come back up,” Wick said. “Having some heterogeneity in your system can help with this, as well as clean-room procedures that can help prevent attackers from persisting in a system throughout the attack.”

The specific vulnerability exposed by a successful zero-day attack must be patched as quickly as possible. Many attacks escalate in severity the longer it takes IT to identify the vulnerability, which allows the hackers additional time for exfiltration and inserting backdoors networks, Miller said.

“It’s no different from preemptive disaster planning,” he said. “Have a plan, practice the plan and put the plan into action when an attack is discovered.”

Attacks will happen, and any system that has a flaw will eventually be exploited, Wick observed.

“The only remedies we have are formal methods to ensure that the most critical systems are flawless, to use strong inter-system protections to limit the damage a failure causes and to make sure that we find and eliminate attackers as quickly as possible,” he said.

No comments:

Post a Comment