Readying For A Zero-Day Attack: Expect The Unexpected

In new report, Dark Reading describes methods for managing previously unknown vulnerabilities

Randy George, Director, IT Operations, Boston Red Sox

December 16, 2009

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Excerpted from " Ground Zero: Building A Layered Defense Against Unknown Threats," a new, free, downloadable report posted today on Dark Reading's Vulnerability Management Tech Center.

Which vulnerabilities are the hardest for an enterprise to manage? None of them are easy, but the ones that are most lethal are the vulnerabilities you don't know about until an exploit hits. These flaws, known collectively as "zero-day" vulnerabilities, require a special type of vulnerability management.

On the surface, in fact, it may seem that vulnerability management practices are not much use against a zero-day attack, since you can't "manage" a flaw you don't yet know about. But there are many steps you can take to prepare for the inevitable zero-day issue, and any good vulnerability management program should outline those steps, and how they will be implemented.

The unfortunate reality is that planning for a zero-day attack is no different or less challenging than planning for a terrorist attack. Because a zero-day attack is by nature taking advantage of an unplugged hole in your defenses that you're unaware of, you have no choice but to absorb the first punch in this fight should an attacker exploit that particular vulnerability. Mitigating the damage caused by a new exploit is as much about disaster preparedness as it is about vulnerability management, and the best you can hope to do is soften the blow of such an attack when it comes.

The first step is to understand infrastructure dependencies and where vital system, network, application, and database components reside. In smaller environments, that may be pretty easy. In large enterprises, however, determining all of the network, system, application, and database dependencies for a particular business-critical application is a major challenge. In either case, if you don't have a living document that visually defines such dependencies, then build one -- and build it fast.

There's no single silver bullet in our toolset for responding to a zero-day attack. However, when used together, a bundle of security and network management tools will provide a sound foundation for deflecting many zero-day threats. Layer your defenses and your responses so that your environment is tougher to penetrate and quicker to respond if compromise occurs.

On any list of ways to get fired in IT, screwing up backups might be at No. 1. If a zero-day attack packs enough payload, you're going to be thanking a higher power for your backups. However, don't just assume your data will be there for you when you need it. When is the last time you actually tried restoring from your backup systems? If the answer is never, now would be a good time to schedule a mock disaster recovery exercise. Don't just focus on your databases, either; a zero-day attack might also target your applications, your Web servers, your OSes, or your virus scanning engine.

While IT should regularly do security scans on Web applications -- a process enabled by products such as Qualys' QualysGuard -- preventing such attacks at the Web-, application-, and database-server level is still difficult because it often requires rigorous reprogramming and retesting. Therefore, our next layer of defense against zero-day threats -- a host-based Web/database security tool -- is a must-have for highly available, business-critical applications.

Some security vendors are also doing a tremendous job proactively detecting the intended behavior of various Web sites and stopping suspected exploits. Most of these vendors now participate in a global, cloud-based approach to security updates. That means as a particular zero-day threat is discovered at one organization, the details of that attack, as well as how it's orchestrated and executed, can be shared with all appliance users. If the appliance is capable of stopping that attack, then it will automatically do so after the next update cycle.

Log management is also a part of the puzzle. By syslogging events on your important servers, routers, firewalls, and switches to a log management appliance, you can proactively monitor difficult-to-locate security alerts buried in the local logging databases of each individual device. You can detect someone's account getting locked out, you can spot attempts to crack an FTP server, and you can identify inappropriate file or database access.

Most importantly, you can aggregate all of this logging data enterprisewide. As a result, consider log management not just a troubleshooting and compliance tool, but a security tool for helping to detect the setup of a possible targeted zero-day strike.

To read more about the process of preparing for a zero-day attack " and more detailed recommendations on the tools and technologies that might be used to help -- download the free report.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Randy George

Director, IT Operations, Boston Red Sox

Randy George has covered a wide range of network infrastructure and information security topics in his 4 years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT, and has spent the last 8 years working as a senior-level systems analyst and network engineer in the professional sports industry. Randy holds various professional certifications from Microsoft, Cisco and Check Point, a BS in computer engineering from Wentworth Institute of Technology and an MBA from the University of Massachusetts Isenberg School of Management.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights