Sun Tzu And The Art Of Zero-day Exploits

Speed is the essence of war. Take advantage of the enemy’s unpreparedness; travel by unexpected routes and strike him where he has taken no precautions.

Sun Tzu, The Art of War

While Sun Tzu's directive is aimed at the attacker rather than the defender, it points to an important element of defense: you cannot protect a vulnerability you do not know you have. Programmers spend countless hours conceiving, planning, writing, and testing software that must outdo its predecessors. The more complex the software becomes, the easier it is to overlook a single misplaced character or off-by-one error that leaves an entire subroutine open to abuse.

Considering the pressure a vendor is under to ship by the deadline, while also building ever more complicated programs, it is not surprising that vulnerabilities can exist for quite some time before the developer becomes aware of them. Often, by the time there is an inkling that something is wrong, it is too late: the software has already been exploited. Nothing is more enticing to a thief than an unlocked door or window. Likewise, a malware author's ultimate prize is a software vulnerability that the vendor does not yet know exists.

Even once the vendor learns of the vulnerability and begins developing a patch, there is still a window during which the malware can wreak havoc, but its days are numbered. The vendor will soon produce an update, a patch, or a workaround of some kind that closes the hole. Patching a hole is easy enough once you know it exists (rolling the patch out to every affected system is the slower part), but just how long were you vulnerable?

The "zero" in zero-day refers to the number of days the vendor has had to prepare a fix, so there is no fixed length to the window in which a zero-day exploit is useful. There are, however, some key stages, which do not always occur in the following order.

A. The software vendor releases the software on the market.

(It is possible that the vulnerability has already been detected by beta testers, employees, etc. It is even possible that the vendor is aware of the vulnerability but considers it inconsequential.)

B. The attacker finds the vulnerability.

At this point, he or she may share the information with other attackers, or may keep it quiet in preparation for the next stage.

C. The attacker releases an exploit, often packaged inside malware such as a virus or worm.

Often this is still before the vendor is aware of the problem.

D. The vendor becomes aware of the problem.

This may happen because a security researcher reports it, or because the vendor reverse engineers an exploit captured in the wild to discover how the attack got in.

E. The vendor releases a fix of some kind: a patch, an upgrade, something that closes the vulnerability.

While the majority of vulnerabilities are patched soon after they are discovered, that is little comfort to those who have already been exploited. Fortunately, there are some tactics you can employ to prepare your defenses against attackers:

1. Block file attachments and hypertext links at your email server.

Far too many exploits take advantage of human weaknesses such as greed, lust, and fear. You know the type: "you have already been hacked so you had better change your password," "your anatomy is insufficient and we can fix you," or "your check is waiting." You can train your employees not to click on these links and attachments, but with the variety of clever schemes out there, why not remove the temptation altogether? If blocking every attachment is impractical for your business, at a minimum strip executable, script, and macro-enabled attachments, including those hidden inside archives or behind double extensions, and disable or rewrite links in the message body.

2. Keep your software updated: make sure your computer systems are all running the latest software versions and patches.

Especially your antivirus software. Updating will not protect you from vulnerabilities that have not been discovered yet, but it will protect you from the ones that already have a fix, and those known, unpatched holes are what most attacks in the wild actually use.

3. Install a firewall and block any unnecessary ports.

The firewall effectively locks the doors and windows that many exploits use to reach your systems and capitalize on a vulnerability. You may not be aware that a strong magnet can open your cheap wall safe, but if your house is locked and you have an alarm, thieves cannot reach the safe to take advantage of its weakness. Apply the same default-deny rule to outbound traffic where you can: malware that cannot reach its controller can do far less damage.

4. Finally, enable heuristic scanning.

Signature scanning can only catch malware that someone has already seen. Heuristic scanning instead looks for attributes that many malicious programs share: packed or encrypted code, calls to APIs used for downloading and executing files, attempts to inject into other processes. Even when it is not known where the vulnerabilities in the code lie, applying such a baseline of shared attributes can help detect new malware automatically, at the cost of occasional false positives on legitimate software that happens to share some of those traits.
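Tactic 1 in practice: the following Python script is an added example, not code from the original article or from Webroot, of the screening a mail gateway would apply before delivery. It parses a raw message, flags attachments whose extension marks them as executable, script, or macro-enabled (including double extensions such as invoice.pdf.exe and archives that can wrap them), and pulls every hyperlink out of the body so it can be stripped or rewritten. The extension lists, the quarantine policy, and the sample message are constructed assumptions, not any vendor's rule set.

```python
import re
from email import message_from_string, policy
from typing import Optional

# Extension sets are an assumption for this example, not a vendor's list.
# Everything here is executable, scriptable, or macro-enabled: block on sight.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "msi", "jar", "ps1", "lnk", "docm", "xlsm", "pptm",
}
# Archives are the usual wrapper around the above; flag them for inspection.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso", "img"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def risky_filename(name: str) -> Optional[str]:
    """Return why an attachment name is dangerous, or None if it looks harmless."""
    parts = name.lower().strip().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension .{ext}"
    # invoice.exe.pdf: a blocked extension tucked before a harmless-looking one
    if len(parts) > 2 and parts[-2] in BLOCKED_EXTENSIONS:
        return f"hidden executable extension .{parts[-2]} before .{ext}"
    if ext in ARCHIVE_EXTENSIONS:
        return f"archive .{ext} (inspect contents before delivery)"
    return None


def screen_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report what the gateway would strip."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {"attachments": [], "links": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            reason = risky_filename(filename)
            if reason:
                findings["attachments"].append((filename, reason))
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            findings["links"].extend(URL_RE.findall(part.get_content()))
    # Policy assumed here: any flagged attachment or any live link means quarantine.
    findings["verdict"] = (
        "quarantine" if findings["attachments"] or findings["links"] else "deliver"
    )
    return findings


# Constructed sample: a "your check is waiting" lure with a double-extension dropper.
SAMPLE_MESSAGE = """\
From: accounts@example.com
To: staff@example.org
Subject: Your check is waiting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your payment is ready. Confirm at http://example.net/confirm before it expires.

--b1
Content-Type: application/octet-stream; name="payment_details.pdf.exe"
Content-Disposition: attachment; filename="payment_details.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

if __name__ == "__main__":
    print(screen_message(SAMPLE_MESSAGE))
```

The script never opens the attachment itself, which is the point: the decision is made on the name and the presence of a link, before any user has the chance to be tempted. A production gateway would add content-type sniffing and archive inspection on top.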
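Tactic 4 in practice: the following Python script is an added example, not Webroot's engine or any real product's logic, of attribute-based heuristic scoring. It scores a file on three traits that many malicious executables share: a PE (MZ) header, high byte entropy that suggests packing or encryption, and strings naming APIs used to download, run, or inject code. The weights, the entropy threshold of 7.2 bits per byte, the verdict cut-offs, and the three sample files are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Strings naming APIs that droppers, injectors and loaders commonly import.
# The list and every weight and threshold below are assumptions for this example.
SUSPICIOUS_STRINGS = [
    b"URLDownloadToFile", b"WinExec", b"ShellExecute", b"CreateRemoteThread",
    b"VirtualAllocEx", b"WriteProcessMemory", b"IsDebuggerPresent",
    b"cmd.exe /c", b"powershell -enc",
]
ENTROPY_THRESHOLD = 7.2  # bits per byte; plain code and text sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_bytes(data: bytes) -> dict:
    """Score a file on shared malware attributes and return the evidence."""
    findings, score = [], 0
    if data[:2] == b"MZ":
        findings.append("PE executable (MZ header)")
        score += 1
        # e_lfanew at 0x3c gives the offset of the "PE\0\0" signature; a bogus
        # offset is typical of a deliberately mangled or truncated header.
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
                findings.append("MZ header without a valid PE signature")
                score += 2
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_THRESHOLD:
        findings.append(f"high entropy {entropy:.2f} bits/byte (packed or encrypted)")
        score += 2
    hits = [s.decode() for s in SUSPICIOUS_STRINGS if s in data]
    if hits:
        findings.append("suspicious API strings: " + ", ".join(hits))
        score += len(hits)
    verdict = "malicious" if score >= 4 else "suspicious" if score >= 2 else "clean"
    return {"score": score, "verdict": verdict,
            "entropy": round(entropy, 2), "findings": findings}


def fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: an MZ stub whose e_lfanew points at PE\\0\\0."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(stub) + b"PE\0\0" + payload


# Constructed samples (not real files): a dropper-like binary carrying download and
# execute imports plus a uniformly distributed "packed" section, an ordinary program
# that only checks for a debugger, and a text file.
DROPPER = fake_pe(b"URLDownloadToFile\0WinExec\0" + bytes(range(256)) * 8)
DEBUG_CHECK_ONLY = fake_pe(b"IsDebuggerPresent\0" + b"ordinary code and data " * 100)
README = b"Keep your software updated.\n" * 50

if __name__ == "__main__":
    for name, blob in (("dropper", DROPPER), ("debug-check", DEBUG_CHECK_ONLY), ("readme", README)):
        print(name, score_bytes(blob))
```

The debug-check sample shows the false-positive cost mentioned above: a legitimate program that merely calls IsDebuggerPresent already lands in "suspicious". Real engines combine many more attributes, plus observation of what the program does when run, to keep that rate down.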

Sun Tzu's words are addressed to the attacker, urging him to look for weaknesses in the enemy's defenses. Read from the other side, the same words suggest a strategy: precautions and preparedness can overcome most attacks. A combination of these steps can greatly reduce your exposure to zero-day exploits, no matter how many actual days the window lasts. Webroot's suite of products can be of great assistance in developing your strategy.

By Nathan Darling