FireEye Report Analyzes Zero-day Attacks of 2013

FireEye, a provider of solutions that help companies block advanced cyber attacks, has released a new report put together after analyzing 11 zero-day vulnerabilities discovered in 2013 by the security firm.

The report, “Less Than Zero: A Survey of Zero-day Attacks in 2013 and What They Say About the Traditional Security Model”, provides context around the threats these vulnerabilities create for enterprises, along with mitigation guidance.

“Advanced threats against enterprises today thrive on exploiting the unknown and evading blocking techniques thanks to a growing, global marketplace for selling software vulnerabilities,” said Zheng Bu, vice president of security research, FireEye. “The old security model of tracking known threats and relying on signature-based solutions is simply powerless to stop zero-day threats. The number of zero-day attacks profiled in the paper highlights why organizations need to take a new approach to security by combining next-generation technology with human expertise.”

Evading traditional cyber defenses, these zero-days facilitated attacks against consumers and organizations, including the Council on Foreign Relations and the U.S. Department of Labor, FireEye said. Beyond the vulnerabilities themselves, FireEye's forensics experts found that watering-hole attacks targeting specific audiences and industries are a rapidly rising trend.

Last month, FireEye published its 2013 Advanced Threat Report which provides a high-level overview of attacks that the company discovered last year. 

While in the first half of the year Java was the most common target for zero-days, the security firm witnessed a surge in Internet Explorer (IE) zero-day attacks used in watering hole attacks during the second half of the year.

In 2013, FireEye analyzed 767,318 unique Command and Control (CnC) communications, or more than one per minute; and 22,509,176 total CnC communications, or more than one every 1.5 seconds on average.

FireEye’s latest report provides advice on how networks, incident response, and application management should be approached to deal with today’s advanced, unknown threats, and recommends that enterprises take the following actions:

Segment your networks – Limit access between network segments with different risk profiles. This step includes limiting access from the Internet to the DMZ, the DMZ to the internal network, and so on. It also includes preventing systems in one functional unit from accessing systems in another when that access is not required. An example: preventing systems in the finance department from accessing systems in the engineering department. This move can block an attacker’s access to an unpatched vulnerability.
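The segmentation advice above in concrete form: an nftables forward-chain ruleset added here as an example (it is not from FireEye's report or SecurityWeek). The interface names wan0, dmz0, lan0, fin0 and eng0, the web server 203.0.113.10 and the database host 10.0.20.5 are hypothetical; the point is a default-drop forward policy that only opens the specific Internet-to-DMZ, DMZ-to-internal and inter-department paths the business actually needs, so a compromised web server cannot reach an unpatched host in another segment.

```nftables
# Assumed layout (hypothetical): wan0 = Internet, dmz0 = DMZ, lan0 = internal servers,
# fin0 = finance workstations, eng0 = engineering workstations. The firewall routes between them.
table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections we already allowed; drop anything the conntrack engine cannot place
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web service on the one published host
        iifname "wan0" oifname "dmz0" ip daddr 203.0.113.10 tcp dport { 80, 443 } accept

        # DMZ -> internal: the web server may reach only the database, only on its service port.
        # Everything else (SMB, RDP, SSH, management ports) from the DMZ stays closed.
        iifname "dmz0" oifname "lan0" ip saddr 203.0.113.10 ip daddr 10.0.20.5 tcp dport 5432 accept

        # Department segments -> shared internal services only; no finance <-> engineering path exists,
        # so lateral movement between them falls through to the default policy below
        iifname "fin0" oifname "lan0" ip daddr 10.0.20.0/24 tcp dport { 443, 445 } accept
        iifname "eng0" oifname "lan0" ip daddr 10.0.20.0/24 tcp dport { 443, 22 } accept

        # Internet reaches nothing internal directly; log what the default policy drops so that
        # a scan from a compromised DMZ host shows up in the incident-response timeline
        log prefix "segmentation-drop: " counter drop
    }
}
```

Load it with `nft -f <file>` after checking it with `nft -c -f <file>`; the `counter` on the final rule makes `nft list ruleset` show how often a blocked cross-segment attempt has hit the policy.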

Limit network privileges – Users and applications should access only the information and resources that are required to function properly. This step can shrink the attack surface, because some attacks require elevated privileges to work. It also reduces the risk posed to the environment by a successful attack by reducing the attacker’s ability to access systems or information.

Use application whitelisting – By allowing only preapproved applications to run, you prevent unauthorized files from executing, including some executable exploits and malware payloads.

Have an incident response (IR) plan in place – By definition, you cannot predict a zero-day attack. This uncertainty makes a robust, resilient IR plan even more crucial. By quickly detecting an attack and having a defined, tested response at the ready, security professionals can mitigate the damage.

Know your environment – Security teams cannot hope to mitigate the risk of an application with an unpatched vulnerability unless they know the application is present and understand the network well enough to put an effective mitigation plan in place.

Deploy a security platform that identifies both known and unknown threats – Signature-based defenses work only for threats that have been discovered and documented. Likewise, reputation-based defenses, by design, stop only known threats. Even file-based sandbox technology, touted as a fresh approach to security, cannot provide the deep insight required to block zero-day attacks. Zero-day attacks call for new technologies built from the ground up for today’s advanced threat landscape.

Keep your systems patched – The security team should apply the latest patches and audit the environment for missing patches. This step will not in itself protect your systems from zero-day attacks, FireEye said, but many organizations remain vulnerable to already fixed zero-day vulnerabilities simply because they have failed to fully patch their systems.

Use operating systems and applications that support DEP and ASLR – More zero-day attacks are bypassing DEP and ASLR protections. So this step is not a cure-all. But when the operating system and applications support DEP and ASLR, exploiting vulnerabilities becomes significantly tougher. When possible, organizations should use the newest operating system releases, which usually incorporate new techniques to mitigate threats.
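A practical check for the DEP and ASLR recommendation: an added Python script (not from FireEye's report or SecurityWeek) that reads the headers of a PE or little-endian ELF64 binary and reports whether it opts in to DEP/NX and ASLR. For PE files the answer is the NX_COMPAT and DYNAMIC_BASE bits of DllCharacteristics; for ELF it is a non-executable PT_GNU_STACK segment (no PT_GNU_STACK at all means an executable stack on Linux) and ET_DYN, which for an executable means PIE. The sample_pe and sample_elf64 helpers build minimal constructed headers so the script runs offline; on a real host you would point it at files instead.

```python
"""Report DEP/NX and ASLR opt-in for PE and ELF64 binaries.
Added example; the sample_* helpers construct minimal headers, not loadable files."""
import struct
import sys

# PE DllCharacteristics flags (PE/COFF specification)
DYNAMIC_BASE = 0x0040     # image may be relocated at load: ASLR
NX_COMPAT = 0x0100        # image is compatible with non-executable pages: DEP
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use high-entropy ASLR

# ELF constants
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def check_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    return {
        "format": "PE32+" if magic == 0x20B else "PE32",
        "dep": bool(dllchar & NX_COMPAT),
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
    }


def check_elf64(data: bytes) -> dict:
    """Walk the program headers looking for PT_GNU_STACK; PIE means e_type == ET_DYN."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False                              # absent PT_GNU_STACK => executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"format": "ELF64", "dep": nx_stack, "aslr": e_type == ET_DYN}


def check_binary(data: bytes) -> dict:
    if data[:2] == b"MZ":
        return check_pe(data)
    if data[:4] == b"\x7fELF":
        return check_elf64(data)
    raise ValueError("unrecognised format")


def sample_pe(dep: bool, aslr: bool) -> bytes:
    """Constructed minimal PE32+: DOS header, signature, COFF header, optional header."""
    dllchar = (NX_COMPAT if dep else 0) | (DYNAMIC_BASE if aslr else 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte opt header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


def sample_elf64(pie: bool, nx_stack: bool) -> bytes:
    """Constructed minimal ELF64 header followed by one PT_GNU_STACK program header."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1                        # ELFCLASS64, LSB, EV_CURRENT
    struct.pack_into("<HH", ehdr, 16, ET_DYN if pie else ET_EXEC, 0x3E)  # e_type, x86-64
    struct.pack_into("<Q", ehdr, 32, 64)                       # e_phoff: right after ehdr
    struct.pack_into("<HHH", ehdr, 52, 64, 56, 1)              # e_ehsize, e_phentsize, e_phnum
    flags = 0x6 if nx_stack else 0x7                           # RW vs RWX stack
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return bytes(ehdr) + phdr


if __name__ == "__main__":
    # Usage: python check_mitigations.py /path/to/binary ...   (no args: run the constructed samples)
    targets = sys.argv[1:] or []
    for path in targets:
        with open(path, "rb") as f:
            print(path, check_binary(f.read()))
    if not targets:
        print("sample pe  ", check_binary(sample_pe(dep=True, aslr=False)))
        print("sample elf ", check_binary(sample_elf64(pie=False, nx_stack=True)))
```

Anything that reports dep or aslr as False is a candidate for recompilation or replacement: a non-PIE ELF or a PE without DYNAMIC_BASE gives an exploit a fixed address space to work with, which is exactly the condition the mitigation is meant to remove.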

Foster more collaboration in the security industry – Zero-day attacks move fast. The good guys need to move faster. To identify and counter zero-day exploits more quickly, the security industry must collaborate more often and more seamlessly. By sharing intelligence and quickly sounding the alarm, the community can contain the damage and make everyone collectively safer.

“While FireEye’s “Less Than Zero” paper is a must-read for security professionals, it is equally important for business executives as a means for understanding what they are up against,” said Jon Oltsik, senior principal analyst at the Enterprise Strategy Group. “Today’s sophisticated cyber adversaries can easily circumvent existing security controls, penetrate corporate networks, and may ultimately be used to steal extremely valuable data. CEOs must come to terms with these threats and make sure to align them with their overall risk management, business planning, and fiduciary responsibilities.”

The full report is available online from FireEye in PDF format.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
