Protecting Against Zero Day Threats


The thought of a Zero Day attack fills many cybersecurity professionals with dread. How can you defend against a vulnerability you don't know about? One for which standard protections like IDS/IPS and anti-malware detection rules or patches don't yet exist?

The challenge of defending against Zero Day Threats ("unknown threats") is growing too. According to Trend Micro, reported ZDTs increased by 74% in the first half of 2020 compared to 2019. The problem is further exacerbated by the accelerating adoption of IoT devices - which is increasing the attack surface as well as introducing a whole raft of new potential vulnerabilities.

ZDT's give attackers a key advantage over defenders. By targeting a vulnerability before the victim is even aware of it, attackers stand a better chance of evading detection and leveraging that vulnerability to gain a foothold. Because the threat is unknown, defenders are unlikely to have rules for signature-based tools to detect and block the attack.

What can you do to better protect against "unknown threats"?
The first strategy is to deploy security solutions that leverage new techniques such as heuristics, behavioral analysis and machine-learning based statistical analysis that don't rely on signatures alone. However, these techniques are not infallible, and can introduce "noise" in the form of false positive alerts, making it hard for security analysts to identify and prioritize real threats.

Security teams need a way to validate the alerts generated by these tools and provide feedback to tune the tools and reduce false positives while ensuring real threats are still detected. Key to doing this quickly and accurately is access to reliable, trustworthy evidence.

Of the possible evidence sources, full packet data is the most trustworthy. For any attack that takes place across the network, full packet data contains an accurate and complete record of precisely what took place. Unlike log files or other telemetry sources - which can be modified or deleted by attackers - packets don't lie. If it happened on the network, it's in the packets. This makes it the ideal evidence for investigating and validating alerts that security monitoring tools raise.

The second strategy is proactive threat hunting. Combining threat hunting with threat intelligence data, and deception techniques such as honeypots and file triggers, can help teams detect activity that accompanies a Zero Day Attack earlier in the Kill Chain and respond more quickly. Again, access to packet data – containing the full payload - is key to being able to see precisely what's happening on the network and definitively identifying threats.

Lastly, with an accurately recorded history of network traffic, teams have a third potential weapon in their defensive arsenal. By replaying recorded traffic to their analytics tools, they can go back-in-time to analyze historical threats or behavior. When a new signature is released, they can rewind and replay traffic to check for Zero Day attacks from before new patches or rules were deployed.

See how Endace Network History can help you better protect against unknown threats.

Sustaining Partners