1. Zero day attacks anatomy & countermeasures
By
Cade Zvavanjanja
Cybersecurity Strategist
2. Question?
• How do you secure against something your security system can’t capture, your experts don’t know, your vendors don’t know and the tech community doesn’t know?
~ Something that is known only by the attacker(s)!
3. Outline:
• Key terms
• Anatomy of Zero days
• Attack methodology
• Zero day attack(s) Countermeasures
• Way forward
• Economics of cybersecurity
• Q & A
• References
4. Key term(s):
• Zero-day exploits are cyber-attacks against
software/hardware vulnerabilities that are
unknown and have no patch or fix.
5. Introduction:
• Traditional security tools rely on malware binary signatures or the reputation of outside URLs and servers. By definition, these defenses identify only known, confirmed threats.
• At the same time, operating system-level protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) are becoming less effective.
6. Intro Cont….
• An attacker can easily hijack a legitimate website to bypass a blacklist.
• Code morphing and obfuscation techniques generate new malware variants faster than traditional security firms can generate new signatures.
• And spam filters will not stop low-volume, targeted spear-phishing attacks.
• ASLR-bypassing methods neuter this once-effective safeguard.
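The two slides above make one point: a signature database only recognises what has already been seen. The following is an added illustration, not code from the deck. It builds a hash signature and a byte-pattern signature from one constructed "known" sample, then scans a trivially morphed copy (junk bytes inserted, the string split) and a benign updater. Both static checks miss the morphed copy; an ordered behaviour rule over a constructed sandbox trace still catches it while leaving the updater alone. All samples, traces and rule names are constructed for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Sample:
    """A file as seen by a scanner: its bytes plus the actions a sandbox observed."""
    name: str
    payload: bytes
    behaviour: list  # ordered high-level actions recorded at run time (constructed)


# Constructed samples. KNOWN is the variant the vendor has already analysed;
# MORPHED is the same routine with junk bytes inserted and its string split,
# the kind of trivial mutation a code-morphing engine produces.
KNOWN = Sample(
    "known_variant",
    b"HDR" + b"\x90" * 6 + b"ROUTINE-A" + b"\x00" * 2,
    ["open_file:config", "write_file:autostart", "connect:outbound"],
)
MORPHED = Sample(
    "morphed_variant",
    b"HDR" + b"\x90" * 2 + b"\xcc\xcc" + b"\x90" * 2 + b"ROUT" + b"\xcc" + b"INE-A" + b"\x00" * 2,
    ["open_file:config", "write_file:autostart", "connect:outbound"],
)
BENIGN = Sample(
    "updater",
    b"HDR" + b"\x90" * 6 + b"UPDATER" + b"\x00" * 2,
    ["open_file:config", "connect:outbound"],
)

# Signature database built only from the KNOWN sample, as a vendor would.
HASH_SIGNATURES = {hashlib.sha256(KNOWN.payload).hexdigest()}
BYTE_SIGNATURES = [b"ROUTINE-A"]
# Behaviour rule: persistence followed, in order, by an outbound connection.
BEHAVIOUR_RULES = [("persist-then-beacon", ["write_file:autostart", "connect:outbound"])]


def hash_match(sample: Sample) -> bool:
    """Exact-hash lookup: any single changed byte defeats it."""
    return hashlib.sha256(sample.payload).hexdigest() in HASH_SIGNATURES


def byte_match(sample: Sample) -> bool:
    """Fixed byte-pattern lookup: defeated by splitting or encoding the pattern."""
    return any(sig in sample.payload for sig in BYTE_SIGNATURES)


def behaviour_match(sample: Sample) -> list:
    """Return names of behaviour rules whose steps appear, in order, in the trace."""
    hits = []
    for name, steps in BEHAVIOUR_RULES:
        trace = iter(sample.behaviour)
        # Each step must be found after the previous one; sharing one iterator
        # across the steps makes this an ordered-subsequence test.
        if all(any(action == step for action in trace) for step in steps):
            hits.append(name)
    return hits


def classify(sample: Sample) -> dict:
    """Summarise what each detection layer says about one sample."""
    return {
        "hash": hash_match(sample),
        "bytes": byte_match(sample),
        "behaviour": behaviour_match(sample),
    }


if __name__ == "__main__":
    for s in (KNOWN, MORPHED, BENIGN):
        print(s.name, classify(s))
```

Running it shows the known variant hit by all three layers, the morphed variant hit only by the behaviour rule, and the updater hit by none. The behaviour rule is deliberately a two-step sequence rather than a single action, since "connects outbound" alone would flag the updater too; that trade-off between coverage and false positives is exactly what the later slides ask you to measure.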
7. Intro Cont….
• Zero day attacks are rising in prominence
• They tend to be behind the most
devastating attacks these days
• Generally used by very high-end criminals and nation states
• You usually don’t know about
the attack unless there are other
indicators
9. Lifespan of Zero-day:
• A typical zero-day attack lasts an average of eight months, and can last close to three years in some cases. That gives attackers ample time to steal organizations’ most valuable assets and leave before anyone knows what happened.
• Not surprisingly, zero-day exploits are heavily used in targeted attacks. These secret weapons give attackers a crucial advantage over their targets.
19. • What is the ratio between events received
and action taken?
• What is the efficacy level in the events &
incidents you identify (i.e. the real cyber
attack event to false positive ratio)?
• How many cycles do you iterate through to get from an event(s) to an action; is it timely and cost efficient? (Can you rank the processes/tools you leverage today in terms of man-hours and skills required to get to action?)
20. • Do you align, prioritize and qualify events against business goals and impact (how many cycles does this take)?
• Make the assessment using the framework & success criteria below to evaluate the key time and cost multipliers in your event/incident security process, so you can validate the economic value that comes from the processes and tools you leverage today and see which are effective and which are not.
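The questions on the two slides above can be answered from nothing more than a record of what each alert cost and what came of it. The following is an added example, not part of the deck and not the framework it refers to: it takes a constructed set of alert records (tool that raised the alert, whether it led to an action, whether that action addressed a real attack, triage cycles, and analyst man-hours) and computes the events-to-actions ratio, the efficacy (true-positive share of actioned events and the true-to-false-positive count), the average cycles to action, and man-hours per action, then ranks the tools by cost per action with their precision alongside. The field names and all numbers are constructed for the example.

```python
from collections import defaultdict

# Constructed alert records for one review period. "actioned" means the event
# led to a response action; "true_positive" is only meaningful once actioned.
EVENTS = [
    {"id": 1, "tool": "siem",    "actioned": True,  "true_positive": True,  "cycles": 3, "man_hours": 4.0},
    {"id": 2, "tool": "siem",    "actioned": True,  "true_positive": False, "cycles": 2, "man_hours": 1.5},
    {"id": 3, "tool": "siem",    "actioned": False, "true_positive": False, "cycles": 1, "man_hours": 0.5},
    {"id": 4, "tool": "edr",     "actioned": True,  "true_positive": True,  "cycles": 1, "man_hours": 1.0},
    {"id": 5, "tool": "edr",     "actioned": True,  "true_positive": True,  "cycles": 2, "man_hours": 2.0},
    {"id": 6, "tool": "edr",     "actioned": False, "true_positive": False, "cycles": 1, "man_hours": 0.25},
    {"id": 7, "tool": "mail_gw", "actioned": True,  "true_positive": False, "cycles": 4, "man_hours": 3.0},
    {"id": 8, "tool": "mail_gw", "actioned": False, "true_positive": False, "cycles": 1, "man_hours": 0.25},
]


def process_metrics(events):
    """Answer the assessment questions for one set of event records."""
    received = len(events)
    actioned = [e for e in events if e["actioned"]]
    true_pos = [e for e in actioned if e["true_positive"]]
    false_pos = [e for e in actioned if not e["true_positive"]]
    # Triage costs man-hours even when nothing is actioned, so count every event.
    total_hours = sum(e["man_hours"] for e in events)
    n_actions = len(actioned)
    return {
        "events_per_action": received / n_actions if n_actions else float("inf"),
        "efficacy": len(true_pos) / n_actions if n_actions else 0.0,
        "tp_to_fp": (len(true_pos), len(false_pos)),
        "avg_cycles_to_action": sum(e["cycles"] for e in actioned) / n_actions if n_actions else 0.0,
        "man_hours_per_action": total_hours / n_actions if n_actions else float("inf"),
    }


def rank_tools(events):
    """Rank tools by man-hours spent per action taken (cheapest first), with precision."""
    hours = defaultdict(float)
    actions = defaultdict(int)
    true_pos = defaultdict(int)
    for e in events:
        hours[e["tool"]] += e["man_hours"]
        if e["actioned"]:
            actions[e["tool"]] += 1
            if e["true_positive"]:
                true_pos[e["tool"]] += 1
    rows = []
    for tool in hours:
        # A tool that never produced an action has infinite cost per action.
        per_action = hours[tool] / actions[tool] if actions[tool] else float("inf")
        precision = true_pos[tool] / actions[tool] if actions[tool] else 0.0
        rows.append((tool, per_action, precision))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for key, value in process_metrics(EVENTS).items():
        print(f"{key}: {value}")
    for tool, per_action, precision in rank_tools(EVENTS):
        print(f"{tool}: {per_action:.2f} man-hours/action, precision {precision:.0%}")
```

On the constructed data the process handles 1.6 events per action, 60% of actions address a real attack (3 true to 2 false positives), and each action costs 2.5 analyst hours on average; the ranking shows the EDR feed as the cheapest source of actions and the only one with perfect precision, while the mail gateway consumed hours on a single false positive. Feeding real ticketing data into the same two functions gives the "rank your tools in man-hours" view the slide asks for.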
21. Q & A: Thank You
Cade Zvavanjanja
Director - Zimbabwe Cybersecurity
Center
cadezvavanjanja@gmail.com
+263 773796365
22. References
• Zero Day Malware Threat Prevention: Ensuring Document Safety with Outside In Clean Content, Oracle brief, July 2015
• The Best Defenses Against Zero-day Exploits for Various-sized Organizations, SANS, September 21st 2014: David Hammarberg
• http://www.trapx.com/wp-content/uploads/2015/02/Anatomy-of-Attack__Zombie-Zero.pdf
• http://www.industryweek.com/rockwell-connected-industrial-enterprise/cyber-threats-hiding-targeting-valuable-assets
• Internet Security Threat Report, Symantec, April 2016
• https://www2.fireeye.com/rs/848-DID-242/images/wp-zero-day-danger.pdf
• k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks
• A Review on Zero Day Attack Safety Using Different Scenarios, 2015, Harshpal R Gosavi and Anant M Bagade
• Detection and Prevention of Unknown Vulnerabilities on Enterprise IP Networks, IJRITCC, February 2015, Vincy Rose Chacko
• Regulating the zero-day vulnerability trade: a preliminary analysis, 2014, Mailyn Fidler