How To Block Zero-Day Application Exploits

What Is a Zero-Day Application Exploit?

Cyber criminals keep developing new methods of bypassing security controls in order to install malware on corporate endpoints. Malware used in advanced persistent threat (APT) campaigns, for example, routinely combines several evasion techniques to defeat the latest detection approaches. One such technique is to execute the malicious payload only after mouse activity has been observed: an automated analysis sandbox typically shows no user interaction, so the sample stays dormant there and avoids detection at the first stage.

A zero-day exploit takes advantage of a security vulnerability before the software vendor knows about it, or on the same day the vulnerability becomes known, so that the vendor has had "zero days" to prepare a fix. The vulnerability may be exploited for a long time between the attacker's discovery of it and its eventual disclosure and patching, and during that whole window every unpatched installation is exposed.

What Happens in a Zero-Day Application Exploit?

In the usual case, someone who discovers a potential security issue in a software product notifies the vendor and, in most cases, eventually the public. The vendor needs some time to fix its code and prepare a software update or patch. Even if a potential attacker learns of the vulnerability, it takes time to turn it into a working exploit; with luck, the vendor's fix arrives first.

Sometimes, however, the attacker is the first to discover the vulnerability. Since nobody else knows about it, there is no signature, patch or specific defence against its exploitation.

Blacklisting (blocking known-bad files) usually fails in such cases, because cyber criminals keep changing their tools and tactics to evade detection, and a previously unseen exploit or payload has no signature to match. Enterprises that turn to application control or whitelisting (allowing only known-good files to run) find to their dismay that it is nearly impossible to manage: the whitelist becomes very large, and the number of files that must be reviewed and validated, multiplied by every version and update, delays deployment significantly.

How Can Zero-Day Application Exploits Be Kept Under Control?

The following measures are recommended to reduce an enterprise's exposure to zero-day application exploits:

- Using IPsec to protect the contents of individual transmissions, and virtual LANs to segment the network;
- Deploying an intrusion detection system;
- Introducing network access control to keep unmanaged or compromised machines off the network;
- Locking down wireless access points and using a security scheme such as WPA2 (Wi-Fi Protected Access 2) to provide the strongest available protection against wireless-based attacks.

None of these closes the vulnerable application itself; they limit what an attacker who has exploited it can reach, and they make the attempt more likely to be noticed.

An endpoint malware protection strategy helps by stopping malware from reaching the endpoint device and installing itself. Even if malware manages to bypass that first line of defence, the enterprise must also have detection and response controls in place that identify it and stop it from running.

Advanced data-stealing malware can be stopped from reaching endpoint devices by newer approaches such as Stateful Application Control. This has two components: the first prevents malware from installing itself on the device, and the second prevents it from executing there. The first layer, called application exploit prevention, applies whitelisting to application states (what a trusted application is legitimately doing at the moment, and what it may therefore do next) rather than to the applications themselves, so that a trusted program compromised by an exploit is blocked as soon as it tries to behave in a way its current state does not permit.
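To make the distinction concrete, the following is an added example in Python; it is not code from this page or from any product mentioned on it. It models the state-based allowlisting described in the last two paragraphs: a trusted application is tracked through the states the policy defines, each process it spawns is allowed only if its current state permits that child, and anything not on the allowlist is blocked from starting at all (the "prevent installation" and "prevent execution" layers together). The policy, image names, states and events are all constructed for illustration; a real implementation would be fed by an endpoint sensor's process telemetry. Note that the policy has a handful of entries regardless of how many binaries or versions of each application exist, which is the scaling advantage over a file-by-file whitelist.

```python
from dataclasses import dataclass, field

# Hypothetical policy (constructed for this example): each allowlisted
# application declares its initial state, the state reached after each
# observed action, and the child images each state may spawn.
STATE_POLICY = {
    "winword.exe": {
        "initial": "idle",
        "transitions": {"open_document": "rendering", "close_document": "idle"},
        "children": {
            "idle": {"splwow64.exe"},       # printing helper only
            "rendering": {"splwow64.exe"},  # still no shell or script host
        },
    },
    "chrome.exe": {
        "initial": "browsing",
        "transitions": {},
        "children": {"browsing": {"chrome.exe"}},  # renderer/GPU helpers only
    },
}


@dataclass
class Event:
    """A constructed process event: 'start', 'spawn', or an application action."""
    pid: int
    image: str
    action: str
    child: str = ""


@dataclass
class StateMonitor:
    states: dict = field(default_factory=dict)  # pid -> current state

    def handle(self, ev: Event) -> str:
        """Return 'allow' or 'block' for one event, updating per-process state."""
        policy = STATE_POLICY.get(ev.image)
        if ev.action == "start":
            if policy is None:
                return "block"  # image is not on the allowlist at all
            self.states[ev.pid] = policy["initial"]
            return "allow"
        if policy is None or ev.pid not in self.states:
            return "block"  # activity from a process we never allowed to start
        state = self.states[ev.pid]
        if ev.action == "spawn":
            if ev.child in policy["children"].get(state, set()):
                return "allow"
            return "block"  # child not permitted in this state
        new_state = policy["transitions"].get(ev.action)
        if new_state is None:
            return "block"  # action the application never legitimately performs
        self.states[ev.pid] = new_state
        return "allow"


def evaluate(events):
    """Run a sequence of events through one monitor; return per-event verdicts."""
    mon = StateMonitor()
    return [(ev.pid, ev.action, ev.child, mon.handle(ev)) for ev in events]


# Constructed sample: a document macro trying to launch a shell, normal printing,
# a browser spawning its own helpers, and an unknown dropper.
SAMPLE_EVENTS = [
    Event(100, "winword.exe", "start"),
    Event(100, "winword.exe", "open_document"),
    Event(100, "winword.exe", "spawn", "cmd.exe"),       # blocked
    Event(100, "winword.exe", "spawn", "splwow64.exe"),  # allowed
    Event(200, "chrome.exe", "start"),
    Event(200, "chrome.exe", "spawn", "chrome.exe"),     # allowed
    Event(200, "chrome.exe", "spawn", "powershell.exe"), # blocked
    Event(300, "dropper.exe", "start"),                  # blocked: not allowlisted
]

if __name__ == "__main__":
    for pid, action, child, verdict in evaluate(SAMPLE_EVENTS):
        print(f"pid={pid} {action} {child} -> {verdict}")
```

The point of the design is that the word processor remains fully trusted and never appears on a blacklist; it is the transition it attempts (a document-rendering process spawning a shell) that no state permits, so an exploit that hijacks it is stopped without any prior knowledge of the vulnerability or the payload.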

James Scott Princeton Corporate Solutions
