What is the most difficult type of cyber-attack to defend against?

Categories: Systems security, SOC, Website security

Background

Being a passionate penetration tester gives you the courage and the willingness to test all possible and new attacks against your target. Therefore, to be able to perform those new attacks you must always be up to date with any new techniques while developing your own. However, the most difficult type of cyber-attack to defend against is the zero-day attack.

When is a zero-day attack most likely to be used?

Zero-day attacks are the most critical and dangerous attacks in the world of the internet, because there is no 100% effective defense against them and they are very difficult to detect in the network. This attack is based on discovering a zero-day vulnerability in one of the target's software components and exploiting it.

A zero-day vulnerability is basically a critical vulnerability discovered by a hacker or a group of hackers while the vendor still knows nothing about its existence.

You need to know that in most cases, when a company is well secured, especially from the outside, the hacker who wants to infiltrate it has two options. The first one is to use phishing attacks, where he sends multiple malicious emails to the target employees to hack into their personal computers.

To be honest, this technique is very effective and works in most cases when the company has not educated its employees about the basics of information security (which is basically the case all the time).

However, when the company takes good care of security aspects, these phishing attacks do not work. At this point the only technique left is finding a zero-day vulnerability in either the router or the firewall that faces the internet.

Examples of known cyber-attacks with zero days

Stuxnet

Stuxnet was one of the most developed pieces of malware in the world. It used some of the most critical and difficult-to-find zero-days in some SCADA systems. According to some malware experts, it used more than 4 Windows-based zero-days to spread over the network.

What makes this malware even more dangerous than any other malware in history is that it used many zero-days specific to SCADA machines. When I say SCADA machines I mean nuclear reactors, and it was programmed to abuse them.

EternalBlue

EternalBlue was a zero-day exploit basically discovered in mid-2017. However, this exploit was already being used in the wild by some groups of hackers around the world in 2016. This exploit targeted one of the most used Windows protocols, which is SMB. If you want to know more about this vulnerability you can take a look at the vulnerability details.

This vulnerability was patched by Microsoft after the big discovery in 2017. However, even after this patch was produced, many users and companies around the world didn't get enough time to verify, test and deploy it. Therefore, malware called WannaCry was created by a group of hackers; it exploits this vulnerability on unpatched systems and encrypts all their data.

Can a penetration test discover zero-day vulnerabilities?

Depending on the complexity, the security level of the application, and the time allocated, a penetration test can discover anywhere from many to no zero-day vulnerabilities. Finding a zero-day vulnerability is not an easy process, especially when the application is very complex and has been secured by multiple security experts.

In a penetration test, most of the time the security expert gets a time frame to perform their tests, and in general it takes between 1 and 4 weeks for a large network, which in most cases is not sufficient to find zero-day vulnerabilities in complex apps.

You need to understand that finding a zero-day vulnerability during a penetration test also depends on the scope the pentest is performed against. The larger the scope, the more likely it is that the penetration tester will not be able to find any zero-day.

For example, when the scope of the pentest is a whole network with more than 100 computers and servers hosting multiple apps, it is more likely that the penetration test will not discover any zero-day vulnerability. This is very normal, as the objective of this kind of penetration test, in general, is to take over the network and not to find a particular vulnerability. Moreover, a penetration test against a network is usually performed to test the capabilities of a SOC team (time to detect and time to respond).

Usually, finding a zero-day vulnerability in a well-known solution takes at least around 6 months, which is not practical for a penetration test in most cases.

How to prevent a zero-day attack?

To be honest, there is no 100% effective solution to protect your systems against a zero-day attack. However, there are some things you can do to enhance the security level of your network and applications, either to discover those zero-day vulnerabilities before black hat hackers do or to detect them while they are being exploited.

Creating a bug bounty program

When your application reaches a certain level of maturity in terms of security and of the number of vulnerabilities discovered at each penetration test mission, you can start what we call a bug bounty program. A bug bounty program is a sort of continuous penetration test or continuous vulnerability discovery process. In this program, you pay for every newly discovered vulnerability.

In addition, the amount of money you pay to the white hat hackers who apply to your bug bounty program will also depend on the criticality of the vulnerability. This criticality changes from one app to another. For example, if a hacker discovers a CSRF in a bank website, this will be very critical, as it can be exploited to perform a transaction. However, in the case of discovering the same vulnerability in a simple company website, the impact and the criticality would be very low.

As I said, this approach is only effective if your application has reached a high security level. Otherwise, it can be very expensive.

Implementing a WAF

Not all companies have the budget or the security level to create a bug bounty program. Therefore, implementing a WAF would be a very good idea to detect a zero-day attack. Implementing a WAF requires a lot of tuning. In addition, a learning phase is required for the WAF to work correctly in a production environment.
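To show what the learning phase of a WAF buys you against an attack nobody has a signature for, here is a toy positive-security model added as an illustration (not code from this post or from any real WAF product): during learning it profiles the parameters of known-good requests per endpoint, and in detection mode it flags anything outside that profile. The endpoints, parameters and sample traffic are constructed for the example.

```python
# Toy positive-security WAF model, added here as an illustration of the learning
# phase the post mentions (not the post's code or any real WAF product). Learning
# records, per endpoint and parameter, the character classes and maximum length
# seen in known-good traffic; detection flags requests outside that profile.
from urllib.parse import urlsplit, parse_qsl

def fingerprint(value):
    """Character-class set of a value: ALPHA, DIGIT, or the literal symbol itself."""
    return {"ALPHA" if c.isalpha() else "DIGIT" if c.isdigit() else c for c in value}

class LearningWAF:
    def __init__(self):
        self.profile = {}  # (path, param) -> {"classes": set, "max_len": int}

    def _parse(self, url):
        parts = urlsplit(url)
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def observe(self, url):
        """Learning phase: widen the profile with one known-good request."""
        path, params = self._parse(url)
        for name, value in params:
            p = self.profile.setdefault((path, name), {"classes": set(), "max_len": 0})
            p["classes"] |= fingerprint(value)
            p["max_len"] = max(p["max_len"], len(value))

    def inspect(self, url):
        """Detection phase: list the ways a request deviates from the learned profile."""
        path, params = self._parse(url)
        reasons = []
        for name, value in params:
            p = self.profile.get((path, name))
            if p is None:
                reasons.append(f"unknown parameter {name!r} on {path}")
                continue
            unseen = fingerprint(value) - p["classes"]
            if unseen:
                reasons.append(f"{name!r}: unseen characters {sorted(unseen)}")
            if len(value) > 2 * p["max_len"] + 8:  # slack to limit false positives
                reasons.append(f"{name!r}: length {len(value)} exceeds learned maximum")
        return reasons

# Constructed sample traffic: a short learning run, then three requests to inspect.
BASELINE = ["/search?q=laptop", "/search?q=blue shoes 42", "/account?id=1042"]
TESTS = ["/search?q=red bag", "/search?q=laptop'|", "/account?id=7&debug=1"]
def demo():
    waf = LearningWAF()
    for url in BASELINE:
        waf.observe(url)
    return {url: waf.inspect(url) for url in TESTS}
```

The tuning the post talks about lives in the slack on the length check and in how long you keep learning: too short a baseline and normal traffic gets flagged, too loose a profile and the unusual request slips through.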

As I said, there is no 100% effective way to stop a zero-day attack, and both solutions I have discussed here will only enhance the security level of your app and network. Increasing the security level of your network and application makes it even harder for hackers, as they must invest more time to discover a zero-day vulnerability.

Some big companies have started to implement another solution to protect against this type of attack, called a Security Operations Center. I have written a step-by-step blog post on how to create and implement a SOC if you are interested in knowing more about this.

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).

