Two kinds of security threats have emerged of late that need special attention, even if you’re running a small enterprise: targeted zero-day attacks and advanced persistent threats.
Targeted zero-day attacks
Microsoft’s recent Internet Explorer security flaw (see my last blog post) is a fine example of a zero-day attack. The attackers got their edge from speed, since reactive countermeasures that depend on threat signatures — such as patching and tools like antivirus software and intrusion prevention — couldn’t be updated fast enough to stop attacks exploiting the flaw.
Stuxnet is perhaps the best-known zero-day attack. It’s renowned for its use of not one but an unprecedented four zero-day vulnerabilities (one of these enables it to spread via USB drives, then there’s a print spooler remote code execution vulnerability plus two local privilege escalation vulnerabilities).
The majority of today’s malware encounters occur via the Web, and many zero-day attacks take advantage of threat development Websites, toolkits, and frameworks to quickly tweak known threats into new, unknown threats — called blended threats — able to thwart signature-based countermeasures.
When these are delivered via botnets that run covertly on networks and systems, sensitive data can often be gathered for long periods without detection. And increasingly, kernel-level exploits called rootkits are also being used because they mask the presence of other types of malware.
What can you do about zero-day attacks?
Layer your defenses, so what one defense doesn’t uncover another will. This means access control lists, firewalls, data loss prevention capability, port knocking, intrusion prevention systems, whitelisting, religiously updating and patching OSs and all software, training users in security-aware behaviors, and encrypted communication.
Advanced Persistent Threats (APT)
APTs count among the most pernicious of threats because they frequently use the techniques of zero-day attacks to remotely manipulate a system while remaining virtually invisible to standard defenses.
Because they’re so hard to spot, you can be plagued by a single APT exploit for months, even for years — even after becoming aware of the attack. Instead of going away, APTs react to your incident response by evolving and seeking out new vulnerabilities and weaknesses. Resilient, adaptive, and patient, APTs take advantage of the specific systems, applications, configurations, and even the people in a specific organization. Often, their execution is decentralized.
To defend against them, you’ll need to add to your layered defenses by deploying computer security incident response capabilities that:
- Produce, collect, and query as many logs as possible from a security perspective,
- Conduct deep packet inspection of all the important choke points on your network,
- Quickly query network connections across all network choke points,
- Analyze malware, and
- Enable trusted relationships with other organizations to share intelligence on events (e.g., the Forum of Incident Response and Security Teams, first.org).
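As an added example (not code from the original post), here is one way to implement the "quickly query network connections" capability above: a small detector that reads connection records from a choke point and flags source/destination pairs that keep talking at a steady interval over several days, the kind of covert, long-lived beaconing described earlier. The log format and the sample lines are constructed for this example and do not come from any real product.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real data), one connection per line:
# "<ISO timestamp> <source> -> <destination>:<port>"
SAMPLE_LOG = """\
2012-09-20T02:00:05 10.1.4.22 -> 203.0.113.9:443
2012-09-20T02:00:09 10.1.4.22 -> 198.51.100.5:80
2012-09-21T02:00:07 10.1.4.22 -> 203.0.113.9:443
2012-09-21T14:13:40 10.1.4.22 -> 198.51.100.5:80
2012-09-22T02:00:04 10.1.4.22 -> 203.0.113.9:443
2012-09-23T02:00:06 10.1.4.22 -> 203.0.113.9:443
2012-09-23T09:42:11 10.1.4.30 -> 198.51.100.5:80
2012-09-24T02:00:05 10.1.4.22 -> 203.0.113.9:443
"""

def parse(log_text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_events=4, min_days=3, max_jitter=0.05):
    """Flag pairs seen at least min_events times over at least min_days,
    whose inter-connection gaps vary by no more than max_jitter (relative)."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        span_days = (times[-1] - times[0]).total_seconds() / 86400
        if span_days < min_days:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval = mean(gaps)
        if pstdev(gaps) / interval <= max_jitter:
            hits.append({"src": src, "dst": dst, "events": len(times),
                         "span_days": round(span_days, 1),
                         "interval_s": round(interval)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse(SAMPLE_LOG)):
        print(hit)
```

Thresholds are assumptions to tune per network; a steady daily interval from one host is only a lead for the log and malware analysis steps above, not proof of compromise.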