How To Detect And Mitigate Zero-Day Attacks

For obvious reasons, the consequences of zero-day attacks can be severely damaging to businesses: they frequently result in material harm, costing companies millions of dollars, and exposing customers to additional cybersecurity threats.

At Capsule8, we’ve identified 4 major risks that zero-day attacks pose to our customers:

1. SCALE AND FREQUENCY

The threat landscape is evolving, as global IT infrastructure scales rapidly across hybrid production environments. According to the “2017 Application Security Report” by Cybersecurity Ventures, there are 111 billion new lines of software code created every year. As the attack surface expands, it’s no longer feasible for security teams and organizations to keep up with the sheer volume and frequency of threat vectors. Static Application Security Testing (SAST) alone is no longer a sufficient deterrent against the often daily attacks that systems are being exposed to. A hybrid approach that focuses on dynamic testing and protecting applications in real time needs to be prioritized. A DevOps approach to security, is also critical. Studies have shown teams that build and test their code daily fix vulnerabilities faster than average teams that only build and test 7-8 times a year.

2. Asymmetric Complexity

An asymmetric relationship exists between the attacker and defender. For starters, the defender (i.e. the security practitioner) must try to defend against all potential vulnerabilities, while the attacker only has to find and attack a single vulnerability. What’s worse, it’s getting easier to find and launch an attack. For example, ‘fuzz testing’ for a vulnerability involves simple trial-and-error, requiring minimal specialized knowledge of the target system; some exploits are also readily available on the black market. In some cases, attacks are being launched based on proofs-of-concepts shared publicly by hacker groups. Meanwhile, the deep security expertise required to defend against these threats is expensive, scarce, and at risk of being overwhelmed by security alerts. Security organizations based on the traditional security operation center (SOC) have proven to be less effective without the proper detection and automation tools at their disposal.

3. Long Tail to Remediation

The window of vulnerability from the time the security team discovers the zero-day attack, routes the alert, runs their risk analysis, and installs the patch can be extremely costly, in terms of budget, time, and risk. What’s more, remediation could turn out to be just as disruptive as the original attack, as certain updates and patches could render some systems unbootable. In some cases, it can take months or even years to remediate the known security issues (think Oracle and the multi-year Java attack campaign in 2015). The 2018 Drupal vulnerability was a more recent case, in which a ‘highly critical’ bug was discovered in the popular open-source content management system (CMS), affecting over one million websites. Despite the fact that a zero-day exploit could be developed “within hours or days,” developers often needed weeks or months to reserve time for core security updates.

4. Cloud-Native and Hybrid Cloud Risks

Traditional enterprise security focused on securing endpoints, segmenting the network, and protecting the perimeter. These concepts may no longer apply to cloud-native and hybrid cloud production environments. According to ESG Research, 42 percent of organizations reported an attack in their hybrid and containerized environments last year, with 28 percent pointing to a zero-day exploit as the origin. As companies move towards deploying more cloud-native workloads to meet customer demand, the challenge of finding new ways to secure these applications becomes critical.

Every new incidence of a “successful” zero-day attack should serve as a reminder that the security tools and approaches being utilized today are both inadequate and quite possibly, obsolete. Zero-day attacks are a dynamic problem based on undiscovered flaws with unknown signatures.

Patching a security vulnerability is like playing catch up - a company has to develop a security patch and make sure that all users download the update. This could take months or even years during which time hackers can continue to exploit that vulnerability. Putting up a static defense using software patches, after much of the damage has already been done, will always be too little, too late.

The three major problems with the patch-only approach are as follows:

1. It leads to negative performance impacts on the business

This is the major pain point for most companies. Going back to the 2018 Meltdown and Spectre examples, vendors like Microsoft introduced mitigations for these vulnerabilities, which included BIOS updates, processor microcode updates, OS updates, and web browser updates. However, they had to halt updates to some AMD-based systems due to the update rendering them unbootable. Initial updates to Ubuntu Linux kernels also experienced similar issues. Imagine installing a software patch that does as much damage to your business as the actual attack.

2. It creates alert fatigue for security teams

One complaint we’ve heard repeatedly is that traditional SOCs are clearly not equipped to handle the barrage of alerts they receive every day. The sheer volume of false positives and low signal-to-noise ratios have made basic-level discovery of potential issues an increasingly manual and time-consuming process.

3. It is reactive and doesn’t prevent future attacks

Consider this hypothetical scenario: a zero-day attack has been detected and the vulnerability is swiftly identified by your SecOps team. A software patch is then installed without any hiccups. It’s clear that a minor miracle has just occurred. Now what? Well, since the next zero-day attack will look nothing like the previous ones, this minor miracle will need to happen over and over again - at an accelerating rate. Which is to say that patch-only strategies are difficult to scale and do not effectively prevent against future attacks. And without real-time detection in place that is continuously updated, and can be customized for your workloads to identify zero-day attacks, you likely won’t catch them on time to prevent costly impacts to the business.

That being said, most enterprises today operating in complex hybrid cloud environments don’t have the luxury of choosing between prevention (‘catch’) over remediation (‘patch’). At Capsule8, we believe that the choice isn’t binary. Based on customer experience, we’ve found that prevention through real-time zero-day attack detection can augment remediation efforts, leading to a more efficient deployment of security resources.

Finally, it’s important to distinguish between zero-day attack detection and the traditional endpoint detection and response (EDR). In an industry that’s rapidly shifting to cloud-native and Linux-based microservices, understanding the distinction between the two will help you better realize your companies security requirements.

1. Zero day detection is active within the entire production environment while endpoint detection focuses only on the user

Today’s endpoint detection and response (EDR) and endpoint protection platforms (EPPs) focus capabilities at the end user level. This is completely at odds with what many customers are demanding: the ability to reach deeply into the production environment – the heart of the organization itself – to immediately identify and respond to the zero-day threats targeting the very systems that enable a business to operate and thrive. Zero-day detection offers full visibility into production infrastructure - not just at the user level.

2. Zero-day detection resolves the hybrid cloudshortcomings of EDR

To put it bluntly, basic EDR alone simply does not adequately address the requirements of a hybrid production environment. As companies leverage cloud-based, containerized, virtualized and bare metal systems, EDR capabilities are unable to detect attacks with accuracy across these hybrid environments. Second, when deployed, EDR cannot scale past a few hundred nodes. And when these solutions are deployed in production, they result in a performance impact that effectively hinders the ability for production environments to operate such that you’re meeting your SLAs.

3. Zero day detection provides the advanced support for Linux that augments traditional EDR solutions

Existing EDR solutions don’t secure Linux-based production infrastructures. Linux is the driving force behind the hybrid cloud infrastructure that drives businesses globally. According to "The State of Cloud Native Security” report, 12 percent of organizations considered zero-day attacks the biggest risk to their production environment.

Unfortunately, there are few EDR solutions on the market today that are focused on protecting the entire Linux stack, leaving a highly vulnerable attack surface exposed to potential zero-day attacks.

At its core, zero-day attack detection when done right, should have the following requirements: be lightweight, event-driven, and collect kernel-level data - and to do thiswithout disrupting the integrity of the production environment.

There are four cornerstones to an effective zero-day attack detection strategy:

1. A continuous security pipeline optimized for SecOps hierarchy of needs

An effective zero-day detection strategy should be tailored towards the priorities of your SecOps team. After listening to our customers, we’ve learned that there’s a distinct hierarchy of needs for the SOC. Building a zero-day solution designed to solve foundational needs means that you free up your security team to address higher-value problems.

Figure 1: The Security Operations Hierarchy of Needs

2. In-depth and real-time visibility across all production environments

This involves establishing an accurate baseline for how the production environment is supposed to behave across multiple public cloud vendors, on-prem data centers and Linux-based containers, and setting up sensors running outside the kernel to detect any anomalies. A recent real world example was the bug bounty awarded to a contributor who discovered an exploitable instance ofImageTragick in Facebook. It clearly illustrates how behavioral security monitoring can detect attempted exploitation of shell command vulnerabilities. In the case of ImageTragick, the vulnerability was verified only when the researcher attempted to tunnel the output from their injected commands over DNS requests.

But here’s the real headline: zero-day behavioral-based detection of a major vulnerability affecting millions of sites (and in this case, outsourced through a bug bounty program) - cost Facebook a mere $40,000 to mitigate.

3. Automated alert response to reduce false positives

Zero-day detection strategies can help augment traditional approaches through advanced security monitoring and automating real-time responses, thereby reducing the number of false positives for better detection outcomes. It’s important that you have the ability to customize alerting by host and/or workload.

4. Minimal disruption to production at scale

A shortcoming of many traditional endpoint detection solutions on the market is that they can fall down in production after scaling to only a couple hundred servers. Meanwhile, zero-day detection can scale to support thousands of servers.

We at Capsule8 have seen that it’s not ideal to perform generic detection of zero-day attacks at the network and endpoint levels, due to the evolving nature of the threat landscape. But we’ve already developed practical strategies for detecting them, which we’ve implemented on Linux systems.

Figure 2: Capsule8 Product Alert Details for Real-Time Kernel Exploitation

By practical, we mean:

Advanced: Capsule8’s advanced detection strategies, which are continually updated by our team of security researchers and data scientists, allow for fast and accurate discovery of the latest zero-day attacks.

Easy to Deploy and Manage: Capsule8’s agent is a single static Go binary that is portable and easy to install and to update through a wide variety of orchestration mechanisms.

Compatible: Our approach enables a single solution across several Linux deployments—dating back to the Linux 2.6 kernel—and will support your existing environment, including bare metal, public or hybrid cloud, containers, virtualized servers, etc.

Stable: Detection runs in userland, and collects  kernel-level data (as opposed to in-line data) without the need for a kernel module.

Efficient: Sensors run with minimal CPU overhead.

Resource-Effective: The advanced detection intelligence in the Capsule8 Platform delivers very few false positives and negatives. This results in easy-to-manage alertsthat you can act upon quickly.