{"id":16803,"date":"2019-05-22T14:41:48","date_gmt":"2019-05-22T14:41:48","guid":{"rendered":"https:\/\/lavellenetworks.com\/?p=16803"},"modified":"2021-04-15T08:52:53","modified_gmt":"2021-04-15T08:52:53","slug":"zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry","status":"publish","type":"post","link":"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/","title":{"rendered":"Zero Day Exploit: Microsoft\u2019s patch, Whatsapp\u2019s flaw and lessons from \u201cWannaCry\u201d"},"content":{"rendered":"<p>Security has always been a top concern for enterprises. As the tectonic shift to digital continues, enterprises see both sides of the coin: the transformation to new technology on one side and constantly evolving cyber threats and attacks on the other. Charged with closing an array of security gaps in the network, enterprise security teams are on their toes to discover, assess, and mitigate unknown threats and attacks of varying magnitude. Among the many cybersecurity concerns, digital enterprises are compelled to pay particular attention to zero-day attacks.<\/p>\n<p>&nbsp;<\/p>\n<h1 id=\"ZeroDayExploit:Microsoft\u2019spatch,Whatsapp\u2019sflawandlessonsfrom\u201cWannaCry\u201d-WhatisZerodayexploit?\"><strong>What is a Zero day exploit?<\/strong><\/h1>\n<p>&nbsp;<\/p>\n<p>Put simply, a zero-day (or 0-day) vulnerability is a flaw in software or hardware that its vendor does not yet know about, or knows about but has not yet patched, and that has not been made public. The name refers to the vendor having had zero days to fix it. A zero-day exploit is code or a technique that takes advantage of such a flaw, and a zero-day attack is the use of that exploit against real targets before a patch exists. Because there is no patch and no signature to match, zero-day exploits are hard to detect. 
Once the flaw is being exploited, the defenders\u2019 clock starts: the vulnerability is reported to the vendor, who develops a patch, and the window of exposure lasts until that patch has been deployed on every affected system. In a zero-day attack, hackers use such flaws in software programmes to get into enterprise networks; once the fix ships, the same flaw remains dangerous on every system that has not yet applied it.<\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"ZeroDayExploit:Microsoft\u2019spatch,Whatsapp\u2019sflawandlessonsfrom\u201cWannaCry\u201d-Microsoft\u2019spatch,Whatsapp\u2019sflawandlessonsfrom\u201cWannaCry\u201d!\"><strong>Microsoft\u2019s patch, Whatsapp\u2019s flaw and lessons from \u201cWannaCry\u201d!<\/strong><\/h2>\n<p>&nbsp;<\/p>\n<p>In May 2017 the technology world scrambled when news of WannaCryptor (WannaCry) broke. If you want to feel nostalgic about your heroic efforts as the network security team, here is an <strong><a href=\"https:\/\/www.linkedin.com\/pulse\/wannacryptor-what-we-learned-tony-gigliotti\/\" target=\"_blank\" rel=\"noopener\">article<\/a><\/strong> on what it was about. One of our partners, a large global technology consulting company, requested an emergency field deployment of SD-WAN to remediate WannaCry in their customer\u2019s network. Ironically, the incident response team was unable to make progress because the existing WAN capacity was insufficient to push patch upgrades across the network. A Microsoft security update is on average about 35MB, and the size varies from one Windows version to another. 
The details of the security patch are available <strong><a class=\"external-link\" href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" rel=\"nofollow\">here<\/a>. <\/strong>The title of the Microsoft security blog post says it all: \u201c<a class=\"external-link\" href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2017\/05\/12\/wannacrypt-ransomware-worm-targets-out-of-date-systems\/\" rel=\"nofollow\"><strong>WannaCrypt ransomware worm targets out-of-date systems<\/strong><\/a>\u201d. The ugly truth we were rudely awakened to is that MS17-010, which fixed the SMBv1 flaw the worm exploited (via the EternalBlue exploit), had been available since March 2017, two months before the outbreak. WannaCry did not need a zero-day: it spread over TCP port 445 to every reachable system that had not been patched and was therefore out of date.<\/p>\n<p>&nbsp;<\/p>\n<p>Recently, Microsoft\u2019s May 2019 update addressed a Windows Error Reporting privilege-escalation bug that was already being exploited in the wild (<a class=\"external-link\" href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-0863\" rel=\"nofollow\">CVE-2019-0863<\/a>), one of 80 vulnerabilities, including 22 rated critical and 57 rated important. Above all, Microsoft urged system administrators to immediately deploy the patch for a Remote Desktop Services remote code-execution vulnerability (<a class=\"external-link\" href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-0708\" rel=\"nofollow\">CVE-2019-0708<\/a>), because the flaw is \u201cwormable\u201d: it is reachable before authentication over RDP (TCP 3389), so malware could hop from one vulnerable host to the next with no user interaction, as WannaCry did. Microsoft took it seriously enough to ship fixes for the out-of-support Windows XP and Windows Server 2003 as well. Where the patch cannot be applied immediately, enabling Network Level Authentication and blocking TCP 3389 at the perimeter reduce the exposure. Here is an <strong><a href=\"https:\/\/threatpost.com\/microsoft-patches-zero-day\/144742\/\" target=\"_blank\" rel=\"noopener\">article<\/a> <\/strong>on the flaw and the patch. On the other hand, WhatsApp patched a vulnerability that allowed attackers to install spyware on victims\u2019 phones. 
In May 2019 the popular messaging app, owned by Facebook, discovered that attackers were installing surveillance software on iPhones and Android phones by calling victims through WhatsApp\u2019s voice call function. The platform, which presents itself as a secure, end-to-end encrypted communications app, identified the flaw (now patched) as a buffer overflow in WhatsApp\u2019s VoIP stack that allows remote code execution via a specially crafted series of SRTCP (Secure Real-time Transport Control Protocol) packets sent to a target phone number. End-to-end encryption protects messages in transit; it does nothing against attacker code running on the endpoint itself. WhatsApp has released a fixed version and is urging users to update the application as soon as possible.<\/p>\n<p>&nbsp;<\/p>\n<p>From the network perspective, WannaCry first taught enterprise IT departments to focus on patching software and upgrading to the latest security releases. Second, IT engineers realised the growing need to protect both endpoints of an application conversation: WannaCry moved laterally between hosts inside the perimeter, and the WhatsApp flaw was triggered over an encrypted channel that no network device could inspect. Unless we deploy protection and detection mechanisms at the endpoints, the network security problem in the age of Industry 4.0 cannot be solved. Enterprises must recognise that there is a lot more to security than a firewall.<\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"ZeroDayExploit:Microsoft\u2019spatch,Whatsapp\u2019sflawandlessonsfrom\u201cWannaCry\u201d-MitigatingandearlydetectionofZeroattacks.\"><strong>Mitigating and early detection of Zero Day attacks.<\/strong><\/h2>\n<p>&nbsp;<\/p>\n<p>Zero-day attacks succeed for two main reasons. First, existing lapses in the enterprise defence mechanism: outdated systems, unpatched software, and traditional security approaches that can only recognise what has been seen before. Second, the time between discovery and remediation: the longer the vendor takes to develop the patch, and the longer IT teams take to deploy it, the more time hackers have to develop and spread sophisticated attacks. 
Traditionally, threat identification relied on databases of known signatures, file hashes and malicious links, but a true zero-day has no signature yet, so given today\u2019s advanced hacking methods enterprises need measures that look at behaviour rather than at known patterns. Sandboxing is a well-known virtualisation technique that gives an enterprise a highly controlled environment in which to run unverified programs that may contain a <a class=\"external-link\" href=\"https:\/\/en.wikipedia.org\/wiki\/Computer_virus\" rel=\"nofollow\">virus<\/a> or other <a class=\"external-link\" href=\"https:\/\/en.wikipedia.org\/wiki\/Malware\" rel=\"nofollow\">malicious code<\/a>, without allowing the software to harm the host device.<\/p>\n<p>&nbsp;<\/p>\n<p>Enterprises today are implementing hybrid models that combine machine-learning-based models, cloud-based networks and real-time analytics. Once again, the aim is to protect and block weak endpoints in users\u2019 systems and software, monitor unusual program and user behaviour, and ensure secure cloud access. Almost every kind of security breach can be detected by looking at what happens on your network before and after the attack. Even the simplest malware contacts its C2 (command and control) server once it is activated from an infected file, and a worm such as WannaCry announces itself by scanning neighbouring hosts on TCP 445. In fact, the most common method in a malware sandbox is to look for suspicious application process or network behaviour when an infected file is opened. Network flow analysis through a security lens is an invaluable and inexpensive way to stay on top of your security operations. The challenge so far is that network analytics engines are mostly offline, and need either sampled traffic or an integration with all your network devices using flow record formats such as NetFlow, IPFIX or sFlow. 
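<\/p>\n<p>&nbsp;<\/p>\n<p>As an added illustration of the flow analysis described above (example code written for this edit, not code from the original post or from any SD-WAN product), the Python script below runs two of the behavioural checks a security lens would apply to flow records: a fan-out check that flags a source touching many distinct internal peers on SMB or RDP ports within a short window, which is what WannaCry-style propagation looks like in NetFlow, and a beaconing check that flags an internal host talking to one external destination at near-constant intervals, which is what command-and-control traffic often looks like. The flow records are constructed for the example, the CSV layout is a simplified NetFlow-like one, and every threshold is an assumption to be tuned for a real network.<\/p>\n

```python
"""Flow-record anomaly checks: worm-style fan-out and C2 beaconing.

Added example, not code from the original post or any vendor. The records
below are constructed, the thresholds are assumptions, and the record
layout is a simplified NetFlow/IPFIX-like CSV:
    ts,src,dst,dport,proto,bytes
"""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample: 10.0.1.20 sweeps TCP/445 across its /24 (WannaCry-style),
# 10.0.2.7 talks to one external host every 60 s (beacon), the rest is benign.
SAMPLE_FLOWS = "\n".join(
    ["ts,src,dst,dport,proto,bytes"]
    + [f"{1000 + i},10.0.1.20,10.0.1.{100 + i},445,tcp,120" for i in range(25)]
    + [f"{1000 + 60 * i},10.0.2.7,203.0.113.9,443,tcp,900" for i in range(10)]
    + ["1005,10.0.1.5,10.0.1.10,445,tcp,50000",    # normal file copies
       "1010,10.0.1.5,10.0.1.11,445,tcp,70000",
       "1020,10.0.3.3,198.51.100.4,443,tcp,3000",  # irregular HTTPS
       "1900,10.0.3.3,198.51.100.4,443,tcp,2500",
       "5000,10.0.3.3,198.51.100.4,443,tcp,4000"]
)

# Assumed thresholds; tune them to the environment being monitored.
WORM_PORTS = {445, 139, 3389}     # SMB, NetBIOS session, RDP
FANOUT_THRESHOLD = 20             # distinct internal peers on a worm port
FANOUT_WINDOW_S = 300             # sliding window in seconds
BEACON_MIN_FLOWS = 8              # minimum flows before judging periodicity
BEACON_MAX_JITTER = 0.1           # stdev/mean of inter-arrival times

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range


def parse_flows(text):
    """Parse the CSV into dicts, sorted by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]), "proto": r["proto"],
                     "bytes": int(r["bytes"])})
    return sorted(rows, key=lambda r: r["ts"])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_worm_fanout(flows):
    """Sources reaching many distinct internal peers on worm ports in a window.

    Returns {src: max distinct peers seen inside any FANOUT_WINDOW_S window}.
    """
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] in WORM_PORTS and is_internal(f["dst"]):
            per_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > FANOUT_WINDOW_S:
                lo += 1                      # slide the window forward
            peers = {dst for _, dst in events[lo:hi + 1]}
            if len(peers) >= FANOUT_THRESHOLD:
                hits[src] = max(hits.get(src, 0), len(peers))
    return hits


def find_beacons(flows):
    """Internal hosts with near-periodic flows to one external dst:port.

    Returns [((src, dst, dport), mean_interval_seconds), ...].
    """
    series = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for key, ts in series.items():
        if len(ts) < BEACON_MIN_FLOWS:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if jitter <= BEACON_MAX_JITTER:      # low jitter = machine-like timing
            hits.append((key, round(mean, 1)))
    return hits


def analyse(text=SAMPLE_FLOWS):
    flows = parse_flows(text)
    return {"fanout": find_worm_fanout(flows), "beacons": find_beacons(flows)}


if __name__ == "__main__":
    print(analyse())
```

<p>Run against the constructed records, the script reports 10.0.1.20 for reaching 25 internal hosts on TCP 445 inside the window and 10.0.2.7 for a 60-second beacon to 203.0.113.9:443; the host that copies two large files over SMB and the host with three irregular HTTPS sessions are not flagged. Real NetFlow or IPFIX exports carry the same fields, so the parser is the only part that changes when the script is pointed at a collector.<\/p>\n<p>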
But when you deploy a cloud-powered SD-WAN platform (sorry about the brazen advertising), all of your network flows can be analysed inline, as they happen, for network behaviour anomalies.<\/p>\n<p>&nbsp;<\/p>\n<p>The emerging architecture of SDP (read our earlier primer on <strong><a class=\"external-link\" href=\"https:\/\/lavellenetworks.com\/blog\/software-defined-perimeter-next-generation-security-for-next-generation-sd-wan\/\" rel=\"nofollow\">SDP<\/a><\/strong>) solves key challenges for enterprises securing their access to the cloud. One of the key problems is getting user traffic to the SDP cloud network, and this is where the combined architecture of SD-WAN and SDP is a killer combination for protecting your networks and applications. The natural strength of an SD-WAN solution is policy-based private network overlays, created on the fly from any source to any destination, which lets an enterprise drop in extremely simple policies to protect entire networks and applications. It is an architecture where you can deploy best-of-breed networking and security using next-generation SD-WAN and SDP.<\/p>\n<p>&nbsp;<\/p>\n<h1 id=\"ZeroDayExploit:Microsoft\u2019spatch,Whatsapp\u2019sflawandlessonsfrom\u201cWannaCry\u201d-Conclusion\"><strong>Conclusion<\/strong><\/h1>\n<p>The answer to how enterprises can seal as many security gaps as possible is, once again, in the cloud. The natural strength of an SD-WAN solution is policy-based private network overlays, created on the fly from any source to any destination. This allows an enterprise to drop in extremely simple policies to redirect the right traffic to the right SDP gateway. 
It\u2019s an architecture where you deploy best-of-breed networking at your edge using <a class=\"external-link\" href=\"https:\/\/lavellenetworks.com\/sd-wan-platform\/\" rel=\"nofollow\"><strong>next generation SD-WAN<\/strong><\/a>, and best-of-breed security in your cloud using SDP. With SD-WAN, the networking team can drastically reduce the attack surface exposed to a zero-day: if the overlay only carries the traffic a policy explicitly allows, a wormable flaw on one host cannot reach every other host, and an exploit on one endpoint is contained rather than propagated. Enterprises can embrace the necessary new-age precautions (ML, AI, cloud and so on) to avoid such vulnerable situations. A zero-day attack can easily jolt an enterprise\u2019s bottom line, so it is crucial for security teams to stay alert and act immediately when a vulnerability is disclosed. Here are some basic steps of security hygiene that can help you mitigate a zero-day attack:<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Deploy advanced security measures: <\/strong>Traditional or basic security measures are simply not enough in today\u2019s digital landscape. Employ enterprise security solutions backed by SDN\/NFV, ML and analytics, so that behaviour matching no known signature is still caught.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Keep software up to date:<\/strong> Apply vendor security updates regularly and promptly, to operating systems and applications as much as to security software; WannaCry hit machines that were two months behind on a published fix. Once a zero-day becomes a known, patched vulnerability, this is the most effective protection there is.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Update your browsers:<\/strong> Out-of-date browsers are common targets for hackers. A browser that is not updated is a potential malware entry point. 
So keep all browsers up to date with the latest version.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Implement security policies:<\/strong> Leverage policy-based security architectures to set fine-grained policies based on attributes such as the user, the device or switch, location, routing, the services accessed in the SDN, and the security attributes of the switches and controllers in the different domains. The practical rule is least privilege: a host should reach only the applications and ports its role requires, so that a compromised endpoint cannot reach everything else.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security has always been a top concern for enterprises. As the tectonic shift to digital continues, enterprises witness both sides of a coin- transformation to new technology and other side being the constantly evolving cyber threats and attacks. Challenged to prevent enterprises from an array of security gaps in the<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":10,"featured_media":20552,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[10],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.0.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Zero Day Exploit: Microsoft\u2019s patch, Whatsapp\u2019s flaw and lessons from \u201cWannaCry\u201d - Lavellenetworks<\/title>\n<meta name=\"description\" content=\"Among various cybersecurity concerns, enterprises are compelled to pay more attention to Zero day attacks. 
Read our blog to know how can you prevent it.\" \/>\n<link rel=\"canonical\" href=\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Zero Day Exploit: Microsoft\u2019s patch, Whatsapp\u2019s flaw and lessons from \u201cWannaCry\u201d - Lavellenetworks\" \/>\n<meta property=\"og:description\" content=\"Among various cybersecurity concerns, enterprises are compelled to pay more attention to Zero day attacks. Read our blog to know how can you prevent it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/\" \/>\n<meta property=\"og:site_name\" content=\"Lavellenetworks\" \/>\n<meta property=\"article:published_time\" content=\"2019-05-22T14:41:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-04-15T08:52:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/lavellenetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Zero-Day-Exploit-Microsofts-patch-Whatsapps-flaw-and-lessons-from-WannaCry-Blog-Image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\">\n\t<meta name=\"twitter:data1\" content=\"7 minutes\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/lavellenetworks.com\/blog\/#website\",\"url\":\"https:\/\/lavellenetworks.com\/blog\/\",\"name\":\"Lavellenetworks\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/lavellenetworks.com\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/lavellenetworks.com\/blog\/wp-content\/uploads\/2019\/05\/Zero-Day-Exploit-Microsofts-patch-Whatsapps-flaw-and-lessons-from-WannaCry-Blog-Image.jpg\",\"width\":1024,\"height\":512},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/#webpage\",\"url\":\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/\",\"name\":\"Zero Day Exploit: Microsoft\\u2019s patch, Whatsapp\\u2019s flaw and lessons from \\u201cWannaCry\\u201d - Lavellenetworks\",\"isPartOf\":{\"@id\":\"https:\/\/lavellenetworks.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/#primaryimage\"},\"datePublished\":\"2019-05-22T14:41:48+00:00\",\"dateModified\":\"2021-04-15T08:52:53+00:00\",\"author\":{\"@id\":\"https:\/\/lavellenetworks.com\/blog\/#\/schema\/person\/b1a8ff9ffe087e7ab52713b8452b0d3a\"},\"description\":\"Among various cybersecurity concerns, enterprises are compelled to pay more attention to Zero day attacks. 
Read our blog to know how can you prevent it.\",\"breadcrumb\":{\"@id\":\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/lavellenetworks.com\/blog\/\",\"url\":\"https:\/\/lavellenetworks.com\/blog\/\",\"name\":\"Blog\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/\",\"url\":\"https:\/\/lavellenetworks.com\/blog\/zero-day-exploit-microsofts-patch-whatsapps-flaw-and-lessons-from-wannacry\/\",\"name\":\"Zero Day Exploit: Microsoft\\u2019s patch, Whatsapp\\u2019s flaw and lessons from \\u201cWannaCry\\u201d\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/lavellenetworks.com\/blog\/#\/schema\/person\/b1a8ff9ffe087e7ab52713b8452b0d3a\",\"name\":\"Samuel Natarajan\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/lavellenetworks.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/lavellenetworks.com\/blog\/wp-content\/uploads\/2021\/04\/sam-146x146.jpg\",\"caption\":\"Samuel Natarajan\"},\"sameAs\":[\"https:\/\/lavellenetworks.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/posts\/16803"}],"collection":[{"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=16803"}],"version-history":[{"count":1,"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/posts\/16803\/revisions"}],"predecessor-version":[{"id":20553,"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/posts\/16803\/revisions\/20553"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/media\/20552"}],"wp:attachment":[{"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=16803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=16803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lavellenetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=16803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}