Zero-Day Attacks and Defence Tools: Saththiyan Satchithanantham

The document discusses zero-day attacks and defense tools. Zero-day attacks exploit previously unknown vulnerabilities before developers can create patches. They are difficult to detect without signatures. The document outlines the increasing threat of zero-day attacks and reviews statistical, signature-based, and behavior-based detection methods that can help identify known and unknown cyberattacks.

Zero-day attacks and defence tools

Saththiyan Satchithanantham

21 Apr. 21

ZEIT 8026 Cyber Defence

Dr Nour Moustafa & Dr Waqas Haider
Summary
This report discusses zero-day attacks and the defence tools we have in network systems. Zero-day attacks are increasing day by day: half of the malware attacks in 2019 were classified as zero-day attacks. Zero-day vulnerabilities encourage attackers to take advantage of newly discovered flaws that have not yet been disclosed to the public. A zero-day attack is one in which the attacker finds the hole and uses it against the system before the vendor has picked up the vulnerability.

From time to time we discover vulnerabilities in operating systems and applications. Zero-day attacks are very difficult for our signature-matching firewalls or IDS systems to identify: because the attack is unknown, it is very hard to pick up until it has finished doing its damage. Hence the chance of end devices being compromised is high.

In this report I try to demonstrate threat modelling against computers and network systems to understand how attacks occur, and to develop cyber defence techniques and tools, including firewalls, IDS and machine learning-based intrusion detection, to identify known and unknown cyber-attacks on computers and network systems.

REPORT TITLE PAGE 2


Introduction
Zero-day attacks pose a massive threat to the internet and to systems security. Because attackers take advantage of newly identified, unknown and not yet published exploits, zero-day vulnerabilities in a system are a real threat to security. Zero-day attacks are used together with other targeted attack techniques to gain access to potentially private information. Hence in practice there is no defence mechanism that prevents them outright.

Since a zero-day vulnerability is unknown, the affected system or software cannot be patched or updated. Therefore antivirus products are not able to detect the incident via signature-based scanning. Cyber criminals and hackers have compromised millions of computers and thousands of leading companies through Microsoft Office, Adobe Flash and other popular applications using zero-day vulnerabilities. The following are the most talked-about zero-day attacks of the past.
1) 2010 Hydraq trojan
2) 2010 Stuxnet worm
3) 2011 attack against RSA
4) 2014 Sony zero-day attack
5) 2016 The DNC hack
6) 2017 MS Word Dridex
7) 2019 attack on Microsoft Windows privilege escalation
These are only the known cases; unfortunately the real extent of zero-day activity is not available until the attacks are discovered. Most zero-day attacks are targeted attacks, meaning the attacker selects the system based on gathered information and then launches the attack. According to public research, 15% of zero-day attacks were launched or created even before the application vulnerability was disclosed, and 67% of the affected software already had a patch for the vulnerability on Windows hosts. Since those systems had not been updated or patched, the attacker benefited from that.

The graphic below shows the vulnerabilities identified each year. These vulnerabilities lead to attacks. Today there are massive numbers of scanners freely available to scan for and identify software flaws, but unfortunately they are of little help, because these vulnerabilities are completely new and unknown.

Figure 1: Vulnerabilities identified so far

According to Symantec, zero-day attacks are increasing by 125% every year, which gives:
1. 2011 - 8 attacks
2. 2012 - 14 attacks
3. 2013 - 23 attacks
4. 2014 - 23 attacks
5. 2015 - 54 attacks
6. 2016 - 82 attacks

Menlo Park, Calif. - Jan. 3, 2017: a report said the current trend of zero-day attacks will reach one attack per day in 2021, up from one attack per week in 2015. Dealing with something totally new and unknown is always a big challenge. We have firewalls, antivirus, IDS/IPS, patches, software updates and system updates to find and alert on well-known attacks, but zero-day attacks are quite difficult to prevent because of the nature of the attack and the many unknowns. According to a FireEye report, system and software vulnerabilities discovered by attackers are kept silent and remain unknown to the public, and even to the vendors of the software, for an average of 310 days. Hence we need another type of protection to prevent zero-day attacks, since the available traditional security systems are not effective at preventing them.

Literature Review
A zero-day attack has no signature: using malware, the attacker takes advantage of an unpatched application. Sometimes the application vendor may not even be aware that the application has a vulnerability. This is quite similar to polymorphic worms, which are the most dangerous and unpredictable malware we have; zero-day attacks present almost the same level of danger to the network. Various virus and malware analysts have carried out research on finding a solution to prevent them, but unfortunately, due to the nature of these attacks, they have been unable to provide a preventive mechanism. Zero-day attacks are mostly delivered through downloads from a web page. It is also believed that some of the most famous zero-day attacks have been supported by government agencies; for example, the Stuxnet attack is to this day believed to have been supported by the US and Israeli governments.

Figure 2: Life of a zero-day attack

Researchers Bilge and Dumitras used seven steps to define the life cycle of a zero-day attack:

1) Vulnerability introduced - This is the first step toward a zero-day attack. The vulnerable code or application is released. This vulnerable application will later be the means of launching the attack.
2) Exploit released in the wild - Once the application or code has been released with the vulnerability, the attacker identifies techniques and tools to use against it.
3) Vendor discovers the vulnerability - In this stage the vendor becomes aware of the vulnerability, but a patch is still not available.
4) Vulnerability disclosed publicly - Having discovered the vulnerability, the vendor or researchers announce the identified vulnerability and its risk, which makes both users and attackers widely aware of it.
5) Anti-virus signatures released - This is where things get harder. If attackers have already created a zero-day attack, then the anti-virus companies can find the attack signature and quickly release protection, a patch or an update. This does not mean the vulnerability is completely fixed and the system or application is safe to use; there may still be other, still unknown, ways to attack.
6) Patch released - Since the vendor has identified the vulnerability, the developer or system vendor will eventually release a fix for it. Normally this may take hours to days, or sometimes months. Remember there have been incidents where it took 9 months to produce a patch.
7) Patch deployment completed - This is another point where attackers benefit. Even though the patch has been released, users take time to update their systems. This creates another chance for an attacker to exploit the systems. Especially for home or small office users, this task becomes critical.

Figure 3: Vulnerability Assessment

Security researchers have also identified the following systems as targets for zero-day attacks.
1) Operating Systems
2) Web Browsers
3) Office applications such as MS Office and Adobe
4) IoT.

Protect Against Zero Day Attacks

Any device connected to the internet has a common risk: the zero-day attack. The main goal of these attacks is to steal confidential information.
The primary goal of cyber defence is to find the possible exploit as early as possible, so as to avoid or control the attack and protect the resources.

There are mainly four different types of prevention.

1. Statistical-based

This detection method uses past known attacks and maintains a history of their log files; from this history, statistical-based detection systems prepare an attack profile. This profile helps to detect new attacks. In this way we can identify normal activity, and hence identify abnormal traffic. Since this detection system works by updating the past history, the longer you use it, the better and more accurate the response you get. Because it relies on updating patterns and history, it cannot be used freely in a dynamic and changing environment.

2. Signature-based

Signature-based detection methods are also applied to polymorphic worms to identify new changes or patterns. Signature-based detection has three types: content-based, semantic-based and vulnerability-driven. Antivirus products use this technique to build their signature library.

3. Behaviour-based

This technique depends entirely on the network traffic and its flow; using a machine learning process it can predict the future behaviour of the traffic. IDS and IPS use it. These behaviour-based detections should have a high detection success rate, though they sometimes produce false alarms.

4. Hybrid techniques

Hybrid techniques are a combination of any of the above detection mechanisms. There is no limitation on whether two or all three techniques are used.
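The statistical-based, signature-based and hybrid approaches above, as an added example written for this page (not the report's own code): a per-host baseline built from past history flags traffic that deviates from the learned profile, while a content signature catches the known pattern. The signature, the host address and all request records are constructed sample data.

```python
import re
from statistics import mean, pstdev

# Content-based signature for a known attack pattern (constructed for this example).
SIGNATURES = {"known-sqli": re.compile(r"(?i)union\s+select")}

def signature_match(event):
    """Return the name of the first signature matching the request URI, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(event["uri"]):
            return name
    return None

class StatisticalProfile:
    """Per-host baseline of request sizes learned from past history (the report's 'attack profile')."""
    def __init__(self, threshold=3.0, min_history=5):
        self.threshold = threshold      # z-score above which an event counts as abnormal
        self.min_history = min_history  # do not judge a host with too little history
        self.history = {}               # host -> list of observed request sizes
    def train(self, events):
        """Update the baseline; the longer the history, the more accurate the profile."""
        for ev in events:
            self.history.setdefault(ev["host"], []).append(ev["bytes"])
    def is_anomalous(self, event):
        sizes = self.history.get(event["host"], [])
        if len(sizes) < self.min_history:
            return False
        mu, sigma = mean(sizes), pstdev(sizes)
        if sigma == 0:
            return event["bytes"] != mu
        return abs(event["bytes"] - mu) / sigma > self.threshold

def classify(event, profile):
    """Hybrid decision: signatures catch known attacks, the baseline flags unknown ones."""
    sig = signature_match(event)
    if sig:
        return ("known", sig)
    if profile.is_anomalous(event):
        return ("unknown", "deviates from baseline")
    return ("normal", None)

def run_demo():
    """Train on constructed normal history, then classify three constructed probes."""
    profile = StatisticalProfile()
    profile.train([{"host": "10.0.0.5", "uri": "/index.html", "bytes": b}
                   for b in (410, 450, 480, 500, 520, 540, 560, 590, 470, 505)])
    probes = [{"host": "10.0.0.5", "uri": "/search?q=UNION SELECT", "bytes": 510},  # matches signature
              {"host": "10.0.0.5", "uri": "/report.cgi", "bytes": 9000},            # no signature, abnormal
              {"host": "10.0.0.5", "uri": "/index.html", "bytes": 530}]             # normal
    return [classify(ev, profile) for ev in probes]
```

Feeding unfiltered live traffic into `train()` would absorb attack traffic into the baseline, which is the weakness the report notes for dynamic, changing environments.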

How Do You Detect a Zero-Day Attack?

There are several methods available today to detect zero-day attacks. Some of the methods are as follows.

1) Honeypot Methods

A honeypot is a system with deliberately added vulnerabilities that invites attackers in so that their motives, techniques and information can be identified. Using this collected information, cyber defenders can build a robust system to prevent cyber-attacks. When a large amount of information is collected by many honeypots, it can be turned into threat intelligence to develop a threat landscape, which helps in warning of future attacks. Later this collected information is mapped against attacks and vulnerabilities, which is useful for detecting zero-day attacks too.

2) Perimeter Detection

Perimeter detection and advance warning of zero-day attacks can prevent zero-day attacks against servers and routers.

3) Linear Data Transformation Techniques

In this method we create many different characteristic functions that separate out the normal pattern of the traffic. These created linear functions are used in conjunction with run-time data to estimate the zero-day attack.

4) Patch Management
5) Incident Response Plans

How to Protect Against Zero Day Attacks

Zero-Day Exploit Recovery

Reference

https://www.isroset.org/pub_paper/IJSRCSE/3-IJSRCSE-VC000412.pdf
https://www.cynet.com/network-attacks/zero-day-vulnerabilities-exploits-and-attacks-a-complete-glossary/
https://www.trendmicro.com/vinfo/au/security/news/vulnerabilities-and-exploits/security-101-zero-day-vulnerabilities-and-exploits
https://www.sans.org/reading-room/whitepapers/bestprac/defenses-zero-day-exploits-various-sized-organizations-35562
https://www.blackhat.com/docs/eu-17/materials/eu-17-Ablon-Zero-Days-Thousands-Of-Nights-The-Life-And-Times-Of-Zero-Day-Vulnerabilities-And-Their-Exploits.pdf
https://ijarcce.com/upload/2017/january-17/IJARCCE%2079.pdf
https://www.usenix.org/system/files/login/articles/02_bilge_6-13_online.pdf
https://www.forcepoint.com/cyber-edu/zero-day-exploit
https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-zero-day-attack/
https://www.avg.com/en/signal/zero-day-attack
https://info.capsule8.com/how-to-detect-and-prevent-zero-day-attacks
https://www.cynet.com/advanced-threat-protection/zero-day-attack-prevention/
https://hal.archives-ouvertes.fr/hal-02889708/document
