What are zero day attacks?

Introduction

In the world of e-mail, attacks are neither new nor old: they are ever-present, whether or not we are aware of them. They are always around.

Email-linked attacks are not an everyday occurrence, but when one does happen it usually raises hell all around, and the Internet is abuzz with compromises, threats and the like.

The recent log4j compromise is one such case: nobody knew the vulnerability existed until word got out.

Zero day attacks are, put simply, e-mail linked network compromises in which the attack or malware characteristics are not known beforehand.

Once the attack is known and recognized, it ceases to be a zero day attack.

All software, even AI and ML algorithms, struggles to identify and triage zero day attacks. You can go by certain metrics and isolate attack vectors, but only once a CVE is released does the zero day attack become easy to deal with.

Till then it is quite hard to apply preventive measures, and secure email gateways usually have a hard time. If you use an API based malware check or a SURBL check, however, the attack can quickly be detected and dealt with.

Within minutes the attack is logged in a central database, the zero day attack is recognized there, and you can stop emails carrying weaponized payloads.
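As an added illustration of the SURBL check described above (not the post's code, nor SpamCheetah's), the Python sketch below pulls URL hosts out of a message, builds the multi.surbl.org lookup names, and maps the answer bits to sub-lists. The resolver is injected and a constructed answer table stands in for live DNS so it runs offline; the bit meanings and the two-label domain reduction are simplifying assumptions.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample message (no real campaign), embedded so the check runs offline.
SAMPLE_EMAIL = """From: sender@example.com
Subject: invoice
Content-Type: text/plain

Please review http://evil-invoice.example/doc and https://docs.example.org/ok.
Also see http://203.0.113.9/payload
"""
URL_RE = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)
SURBL_ZONE = "multi.surbl.org"
# Assumed bit meanings of the 127.0.0.<bits> answer; confirm against current surbl.org docs.
LIST_BITS = {8: "PH", 16: "MW", 64: "ABUSE", 128: "CR"}

def extract_hosts(raw: str) -> list:
    """Unique URL hosts from every text part of the message, in order of appearance."""
    msg = message_from_string(raw)
    text = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    return list(dict.fromkeys(URL_RE.findall(text)))

def lookup_name(host: str) -> str:
    """Name to query: reversed octets for an IPv4 literal, else the last two labels
    (simplified; a production check needs public-suffix handling)."""
    try:
        ip = ipaddress.IPv4Address(host)
        return ".".join(reversed(str(ip).split("."))) + "." + SURBL_ZONE
    except ValueError:
        return ".".join(host.lower().rstrip(".").split(".")[-2:]) + "." + SURBL_ZONE

def classify(answer):
    """SURBL sub-lists flagged by an A-record answer (None means not listed)."""
    bits = int(answer.split(".")[-1]) if answer else 0
    return [name for bit, name in LIST_BITS.items() if bits & bit]

def scan(raw: str, resolve) -> dict:
    """resolve(name) -> A record string or None; injected so live DNS can be swapped in."""
    hits = {}
    for host in extract_hosts(raw):
        lists = classify(resolve(lookup_name(host)))
        if lists:
            hits[host] = lists
    return hits

# Constructed answers standing in for live DNS (socket.gethostbyname in production).
FAKE_DNS = {"evil-invoice.example.multi.surbl.org": "127.0.0.24", "9.113.0.203.multi.surbl.org": "127.0.0.16"}
```

Running `scan(SAMPLE_EMAIL, FAKE_DNS.get)` flags the two listed hosts and leaves docs.example.org alone; a gateway would quarantine or tag the message on any hit.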

Zero day attacks can of course occur outside the email world, as the name itself makes obvious, but for the purposes of this article we shall only talk about zero day attacks as they pertain to the email medium.

The CVE bulletins released by various public websites and forums usually describe the attack once it is recognized, and zero day attacks can cause much damage till the bulletin is released.

Also, patching systems affected by the new vulnerability (bug, exploit, buffer overflow or whatever it may be) is usually slow and typically takes days, and meanwhile attackers the world over are able to ride on top of the vulnerability.

Danger of zero day attacks

The main problem with zero day attacks is the depth and breadth of damage they can cause you, since nothing is known about the family, class or category of malware involved.

What is the intention of the malware author? Is it espionage? Is it network level damage? Is it to steal information?

What is it about?

That is the million dollar question now.

In the case of the Sunburst attack, nobody knew there was malware present in the first place, let alone what its intention was.

Unless someone like FireEye, Qualys or Expanse studies the attack vector and indicators of compromise and releases a CVE (common vulnerability and exploit), you are left guessing what you are up against.

How do you address them?

Why are they dangerous?

Can yara rules help?

Can sandboxes help?

Conclusion

References

Sunburst UNC2452
