FireEye, a provider of solutions that help companies block advanced cyber attacks, has released a new report put together after analyzing 11 zero-day vulnerabilities discovered in 2013 by the security firm.
The report, “Less Than Zero: A Survey of Zero-day Attacks in 2013 and What They Say About the Traditional Security Model”, provides context around the threats these vulnerabilities create for enterprises, along with mitigation guidance.
“Advanced threats against enterprises today thrive on exploiting the unknown and evading blocking techniques thanks to a growing, global marketplace for selling software vulnerabilities,” said Zheng Bu, vice president of security research, FireEye. “The old security model of tracking known threats and relying on signature-based solutions are simply powerless to stop zero-day threats. The number of zero-day attacks profiled in the paper highlight why organizations need to take a new approach to security by combining next-generation technology with human expertise.”
Evading traditional cyber defenses, these zero-days facilitated attacks against consumers and organizations, including the Council on Foreign Relations and the U.S. Department of Labor, FireEye said. Looking beyond just blocking these vulnerabilities, FireEye forensics experts found that watering-hole attacks targeting specific audiences and industries are a rapidly rising trend in the attack space.
Last month, FireEye published its 2013 Advanced Threat Report which provides a high-level overview of attacks that the company discovered last year.
While in the first half of the year Java was the most common target for zero-days, the security firm witnessed a surge in Internet Explorer (IE) zero-day attacks used in watering hole attacks during the second half of the year.
In 2013, FireEye analyzed 767,318 unique Command and Control (CnC) communications, or more than one per minute; and 22,509,176 total CnC communications, or more than one every 1.5 seconds on average.
FireEye’s latest report provides advice on how networks, incident response, and application management should be approached to deal with today’s advanced, unknown threats, and recommends that enterprises take the following actions:
• Segment your networks – Limit access between network segments with different risk profiles. This step includes limiting access from the Internet to the DMZ, the DMZ to the internal network, and so on. It also includes preventing systems in one functional unit from accessing systems in another when that access is not required. An example: preventing systems in the finance department from accessing systems in the engineering department. This move can block an attacker’s access to an unpatched vulnerability.
• Limit network privileges – Users and applications should access only the information and resources that are required to function properly. This step can shrink the attack surface, because some attacks require elevated privileges to work. It also reduces the risk posed to the environment by a successful attack by reducing the attacker’s ability to access systems or information.
• Use application whitelisting – By allowing user to install only preapproved applications, you prevent unauthorized files from executing, including some executable exploits and malware payloads.
• Have an incident response (IR) plan in place – By definition, you cannot predict a zero-day attack. This uncertainty makes a robust, resilient IR plan even more crucial. By quickly detecting an attack and having a defined, tested IR response at the ready, security professionals can mitigate any damage.
• Know your environment – Security teams cannot hope to mitigate the risk of an application with an unpatched vulnerability unless they know the application is present and understand the network well enough to put an effective mitigation plan in place.
• Deploy a security platform that identifies both known and unknown threats – Signature-based defenses work only for threats that have been discovered and documented. Likewise, reputation-based defenses, by design, stop only known threats. Even file-based sandbox technology, touted as a fresh approach to security, cannot provide the deep insight required to block zero-day attacks. Zero-day attacks call for new technologies built from the ground up for today’s advanced threat landscape.
• Keep your systems patched – The security team should apply the latest patches and audit the environment for missing patches. This step will not in itself protect your systems from zero-day attacks, FireEye said, but many organizations remain vulnerable to already fixed zero-day vulnerabilities simply because they have failed to fully patch their systems.
• Use operating systems and applications that support DEP and ASLR – More zero-day attacks are bypassing DEP and ASLR protections. So this step is not a cure-all. But when the operating system and applications support DEP and ASLR, exploiting vulnerabilities becomes significantly tougher. When possible, organizations should use the newest operating system releases, which usually incorporate new techniques to mitigate threats.
• Foster more collaboration in the security industry – Zero-day attacks move fast. The good guys need to move faster. To identity and counter zero-day exploits more quickly, the security industry must collaborate more often and more seamlessly. By sharing intelligence and quickly sounding the alarm, the community can contain the damage—and make everyone collectively safer.
“While FireEye’s “Less Than Zero” paper is a must-read for security professionals, it is equally important for business executives as a means for understanding what they are up against,” said Jon Oltsik, senior principal analyst at the Enterprise Strategy Group. “Today’s sophisticated cyber adversaries can easily circumvent existing security controls, penetrate corporate networks, and may ultimately be used to steal extremely valuable data. CEOs must come to terms with these threats and make sure to align them with their overall risk management, business planning, and fiduciary responsibilities.”
The full report is available online from FireEye in PDF format.