Join Mike Chapple for an in-depth discussion in this video Zero days and the advanced persistent threat, part of CySA+ Cert Prep: 3 Cyber Incident Response.
- [Instructor] Many attacks take place because an organization fails to apply security patches, leaving them vulnerable to an attacker who knows how to exploit a vulnerability. The fix for that situation is simple. Organizations should apply security updates as soon as they are available from operating system and application vendors to fortify their systems against attack. Unfortunately, it's not always possible to protect yourself from every possible vulnerability, because not all vulnerabilities are known.
Consider, for example, that modern operating systems literally contain millions of lines of codes. There's no doubt that lurking in that massive amount of code, there are new security vulnerabilities that the security community simply hasn't discovered yet. Those vulnerabilities can expose an organization to risk. When a security researcher discovers a new vulnerability, they typically handle it in an ethical and responsible fashion. This normally means notifying the vendor responsible for the vulnerability and giving them the opportunity to fix it before publicly disclosing the vulnerability.
That's the normal process that covers thousands of newly discovered vulnerabilities each year. But, what happens if someone discovers a new vulnerability, but decides to keep it a secret? Instead of sharing it with a vendor or the world, the researcher simply holds onto it and preserves the vulnerability as a secret weapon used to gain access to systems. This type of vulnerability is known as a zero-day vulnerability. Until the rest of the world discovers it, the zero-day is an incredibly powerful weapon.
Applying security patches won't protect you against this vulnerability because there is no patch to apply. Intrusion detection systems may not detect a zero-day attack because there are no signatures of the attack for it to match. The time between when someone discovers a new vulnerability and the vendor releases a patch for that vulnerability is known as the window of vulnerability. Now, it's not easy to exploit a zero-day vulnerability. You have to know about it and have the tools and skills required to exploit the zero-day.
It's not likely that your average script kiddie hacker is going to have a zero-day in his or her arsenal. There is, however, a type of attacker that is known to use this type of attack. Advanced persistent threats, or APTs, are attackers who are well-funded and highly skilled. APTs are typically military units, government intelligence agencies, or other highly organized groups that are carrying out very focused attacks. They're advanced because they have access to zero-days and other sophisticated technical tricks.
They're persistent because they are methodically working to gain access to a highly selective set of targets with military or economic value. Defending against APTs is very difficult. Their use of zero-day vulnerabilities gives them the capability to compromise the security of any typical enterprise. After all, it's hard for a small business or even a large one to stand up technically to the resources of a government agency. You can protect your organization to some extent by implementing strong security measures, including the use of strong encryption and rigorous monitoring in the hope that your sensitive data will withstand an APT attack.
Want more CySA+ test prep tips? Visit certmike.com to join Mike's free study group.
- Identifying and classifying security incidents
- Determining incident severity
- Building an incident response program
- Notification, mitigation, recording, and reporting
- Incident symptoms
- Conducting forensic investigations
- Password, network, software, and device forensics