Without fail, the daily headlines feature an organization suffering a security breach or a software vendor informing the public about vulnerabilities in their product. But perhaps the most eye-catching headline is a zero-day exploit or attack that has caught everyone by surprise.

A zero-day vulnerability is a security bug susceptible to exploit that has not been disclosed to or patched by the affected vendor. A zero-day attack occurs when a hacker can develop a successful exploit for an unknown vulnerability, usually for nefarious reasons.

Zero-day exploits can go undetected for a long time, as it is exceedingly difficult to detect an unknown exploit, and the majority of security solutions are designed to detect known exploits or manage security based on heuristics. A zero-day exploit’s effectiveness depends on the window between its discovery and the development of a patch for it – and the window will continue to exist even if a patch is developed. Many organizations fail to patch their systems promptly, either due to the lack of an effective strategy for prioritizing vulnerabilities, limited resources and staff, or to avoid any potential disruptions a patch can cause to their internal systems. Unfortunately, any potential disruptions pale in comparison to a zero-day exploit that gives a hacker full access to internal systems to execute malicious, arbitrary code and exfiltrate critical data.

While the definition of a zero-day attack hasn’t changed, the execution of a zero-day attack has evolved. Security vendors have amped up their technologies to make enterprise networks more secure, but at the same time, hackers have evolved to develop new ways to circumvent those security protocols. Single zero-day attacks have blossomed to complex exploit chains where multiple vulnerabilities are threaded together to execute arbitrary code and exfiltrate critical data. This evolution is just the tip of the iceberg of a growing cybercrime economy.

The Evolution of Zero-Day Attacks

Gone are the days when a hacker showed off their skills merely for “street cred” in the hacking community. Now, it’s a thriving business. The legitimate side of the business attracts ethical white hat hackers through vendor-agnostic vulnerability disclosure and bug bounty programs like the Zero Day Initiative and Bugcrowd, as well as many large enterprises that provide a payout for vulnerabilities specific to their products. The vendor-agnostic bug bounty programs provide a level of accountability to affected software vendors to fix their vulnerabilities within a reasonable timeframe, and occasionally will “drop a zero-day” (that is, responsibly disclose the vulnerability) to the public in an effort to force a procrastinating vendor to fix their bugs.

However, the dark side of the business is poised to be the third-largest economy by 2021. Cybercrime has entered an industrialization wave, generating revenues 12 times higher than the largest retailer in the world, with organizational structures mirroring most software companies that include product development, distribution, technical support, quality assurance, and customer service. Cybercrime as-a-service is also contributing to the growth of the cybercrime economy, as more sophisticated tools make malware services readily available and more affordable without the need for advanced hacking skills.

The growing use and commoditization of zero-day exploits are evidenced by research from FireEye Mandiant Threat Intelligence, which documented more zero-days exploited in 2019 than any of the previous three years. The growing number of private companies that provide offensive cyber tools and services, plus the advanced capabilities of espionage groups who weaponize vulnerabilities to take advantage of the window between vulnerability disclosure and patch application, are contributing to the increasing prevalence of zero-day attacks. A sampling of vulnerabilities studied between Q1 of 2018 and Q3 of 2019 shows that 58% of vulnerabilities were exploited as zero-days before a patch was available. And when patches are made available, hackers continued to exploit those vulnerabilities on the assumption that organizations haven’t patched their vulnerable systems.

Game Over: The Reality of Zero-Day Attacks

There have been some notable zero-day exploits that have flooded the headlines and compromised a significant number of enterprise networks worldwide. One of the most high-profile zero-day attacks in recent years is EternalBlue, which was developed by the U.S. National Security Agency and leaked by the Shadow Brokers hacker group on April 14, 2017. EternalBlue exploits a vulnerability in Microsoft’s Server Message Block (SMB) communication protocol, which mishandles specially crafted packets that allow remote hackers to execute arbitrary code on a targeted computer.

Even though Microsoft patched the vulnerability one month before the Shadow Brokers leak, hackers utilized EternalBlue to deploy the WannaCry ransomware attack on unpatched systems. WannaCry affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. Many international state governments, universities, hospitals, as well as some of the top automobile manufacturers, shipping companies, and financial institutions were impacted. Soon after, EternalBlue was used again to launch the 2017 NotPetya attack. Targeted mainly at Ukraine, NotPetya also spread to several companies, most notably, FedEx and Merck, who sustained $400 million and $870 million in damages, respectively.

In March 2017, an Apache Struts vulnerability that was exploited in the wild before a patch was issued later became part of one of the biggest data breaches in history. It was quickly patched, but it wasn’t until September that the public found out that hackers had used the vulnerability on Equifax to breach their systems and achieve owner-level access. Exfiltrated data included social security numbers, first and last names, birth dates, addresses, and some driver’s license numbers for approximately 147.9 million Americans, 15.2 million UK consumers and 19,000 Canadians. Equifax’s record-breaking settlement with the Federal Trade Commission to resolve consumer claims rang up to $1.38 billion. In addition to the lack of network segmentation and patch management, Equifax failed to encrypt files in a database that included usernames and passwords, making it easy for hackers to dig in and run queries on additional databases across the Equifax network.

Zero-Days Win by Executing Arbitrary Code

After using a zero-day to infiltrate a network, the most powerful next step for a hacker is the execution of arbitrary code. When a hacker can execute arbitrary code, it’s game over for an organization. The hacker can run any command, upload their own code, reconfigure the device, set up a backdoor, and even navigate your file system to delete files or download files full of critical data. Their options are endless.

As recent as this week, four zero-days discovered in IBM’s Data Risk Manager were disclosed to the public after IBM refused to accept the CERT/CC vulnerability report. While each zero-day is dangerous in their own right, the researcher who found the vulnerabilities determined that chaining the first three would allow hackers to remotely execute code as root on vulnerable systems. And by chaining the first and fourth vulnerabilities, hackers can download arbitrary files. Because IBM’s product stores credentials to other security tools and contains critical vulnerability information specific to the organization using the product, hackers leveraging the zero-days could extend their reach to cause catastrophic damage and exfiltrate critical data.

What About Using an Encrypting File System as a Last Line of Defense?

Using the Equifax example, hackers were able to leverage a zero-day exploit to compromise their systems, execute arbitrary code, and gain unlimited access to all of their files. Even if Equifax’s security team had used an encrypting file system, the data would still be vulnerable to exfiltration. Since the hackers have the same permissions as the user on a system, they would have access to any files encrypted in bulk. They would be able to open encrypted files, view and modify, and save any changes. Essentially, no form of standard encryption deployed through the Microsoft ecosystem would deliver adequate protection of data in the event of a zero-day attack.

In the context of a zero-day exploit, the only files that are resistant to exfiltration are those encrypted with keys that are inaccessible to hackers. Equifax could have opted to encrypt each file individually, using, for example, encrypted zip files. Doing so would protect the data from exfiltration, but at the expense of scalability and manageability.

Zero-Day Protection with Atakama

Atakama makes it impossible for hackers who gain system access via a zero-day exploit to exfiltrate data. With Atakama, even hackers who can execute arbitrary code do not have access to encryption keys, as the ability to utilize those keys is decoupled from all network and domain authentication processes. Without the use of traditional passwords that can be easily compromised, files protected by Atakama cannot be exfiltrated or compromised without having both physical and digital access to trusted devices. Atakama does not utilize bulk encryption or central key storage. Instead, Atakama’s distributed key management architecture encrypts each file with a unique encryption key that is then split into pieces and distributed and saved to devices you control.

Request a demo and see how Atakama delivers your first line of defense to protect your data from zero-day attacks.