Disclaimer: This is an example of a student written essay.

Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UKEssays.com.

Zero-Day Vulnerability Attack

Paper Type: Free Essay Subject: Computer Science
Wordcount: 3101 words Published: 26th Mar 2018


As a forensics expert, discuss the process involved in investigating a zero-day vulnerability attack

Introduction

The Internet has become essential in the 21st century, and people can't live without it. As the use of the Internet has grown, new technologies have been invented to support our lives. However, these new technologies may also be exposed to vulnerability attacks. One such attack is the zero-day attack (0day). A zero-day attack is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch (Wikipedia, 2014). A zero-day threat can be unknown to, and undetectable by, most antivirus software, and such threats keep appearing in new forms that try to hide themselves. Incident handlers, which may include both corporate and home users and security vendors, have to fight against this threat. Once they discover a new threat, they have to respond to it.


In order to investigate and better understand zero-day attacks, research and practice are being carried out. Different security researchers have different opinions and ways of handling the zero-day threat. Most incident response programs are implemented using a phased methodology, because a phased methodology allows the incident response lifecycle to be broken down into separate, manageable components. There are two popular methodologies: one from the SANS Institute and one from the National Institute of Standards and Technology (NIST). Both phased methodologies are useful for handling incidents involving zero-day exploits. The benefit of a phased incident response plan and its corresponding measures is that zero-day threats can be detected and identified efficiently.

1. Phased Methodology

1.1 SANS Institute phased methodology

The SANS Institute phased methodology consists of six phases:

1) Preparation
2) Identification
3) Containment
4) Eradication
5) Recovery
6) Lessons Learned (Murray, 2007)

1.2 NIST phased methodology

The NIST version of the phased methodology consists of four phases:

1) Preparation
2) Detection and Analysis
3) Containment, Eradication and Recovery
4) Post-Incident Activity (Scarfone, Grance, & Masone, 2008)

The two phased methodologies are similar. However, the incident response team (IRT) may need to modify the methodology so that it specifically handles zero-day attacks. For the IRT, the phases with the most impact on zero-day incident response are preparation, identification or analysis, and containment. These three phases are essential when handling incident response to a zero-day attack.

1.3 Incident Response Team Methodology

In order to deal with zero-day threats, the IRT has a methodology that works both proactively and reactively. The proactive part focuses on the external threat, when a zero-day is known but has not yet impacted the organization. The reactive part focuses on how to respond to an actual zero-day incident. This methodology consists of a cycle of three phases: 1) Monitor 2) Analyze 3) Mitigate

The monitor phase refers to the ongoing monitoring of public resources in order to identify zero-day threats. The analyze phase refers to analysis of the exploited threat, conducted in a lab environment, in order to identify the potential threat that may impact the organization. In the mitigate phase, the information gathered from the analysis is used to build and implement mitigation mechanisms.

2. Three important phases

2.1 Preparation

The two primary objectives of preparation are to ensure that there is an incident response team (IRT) and that there are sufficient controls to mitigate security incidents (Scarfone, Grance, & Masone, 2008). First of all, the IRT needs to monitor the Internet at all times to ensure security. The IRT should be able to react immediately to ensure the risk is mitigated, and it needs adequate controls to prevent and detect any possible attack. Preparation can be divided into two types of response: external response and internal response.

2.1.1 External Response

External response can include analyzing external advisories. This helps to gather information about a zero-day attack through the 5W1H questions (what, where, when, why, who, how). How does the zero-day work and exploit its target? What is the target? When does the exploitation take place? Where is the zero-day exploited? Who is impacted by the zero-day? Why does the zero-day attack that platform? The following methodology is for external response.

2.1.1.1 Build an Incident Response Lab

The IRT can have a lab environment consisting of systems that simulate the roles of attacker and victim. The lab should also include machines that have tools, interpreters and compilers in order to handle the different types of source code files related to a zero-day. The victim machines should be in exactly the same condition as those within the organization, including the operating system used.

2.1.1.2 Monitoring Public Resources

Monitoring what happens on the Internet is one of the essential components of our daily life. The IRT needs to constantly monitor and keep an eye on new attack trends, public Internet resources and any other security vulnerabilities. One well-known resource for notifications is the SANS Internet Storm Center (ISC) (http://isc.sans.org). The ISC monitors different types of public resources, including logs from devices used by business and home users.

2.1.1.3 Analyze the Threat

Once a zero-day is found, the IRT should be able to reproduce it in the lab environment to find out its impact level. This consists of a few steps. The first step is to review the targeted software or application, the operating system and its version. After that, all the settings and the platform are set up so that they match the environment. The last step is to monitor the system, which should run a sniffer to capture all the packets. Once this is complete, the exploit is launched against the target. After the attack succeeds, the IRT can start to investigate and identify the threat's characteristics, including the ports used, payload size and others.

2.1.1.4 Mitigation

Once the threat has been analyzed, the IRT should gather all the information and start to mitigate. All the ports that were used can be checked and filtered at the firewall to ensure that they are blocked.
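The analysis and mitigation steps above, worked through as an added example (not part of the original essay): it compares flow summaries from a baseline lab capture with those from the exploit run, reports the ports and payload sizes that appear only during the exploit, and proposes firewall rules. The flow records, the `in_use` parameter and the assumption that the firewall is a Linux gateway using iptables are all constructed for illustration.

```python
from collections import defaultdict

# Constructed lab flow summaries: (src, dst, proto, dst_port, payload_bytes).
# Addresses are documentation ranges; .10 is the victim VM, .66 the attacker VM.
BASELINE = [
    ("192.0.2.10", "192.0.2.1", "udp", 53, 48),
    ("192.0.2.10", "198.51.100.5", "tcp", 443, 517),
]
EXPLOIT_RUN = [
    ("192.0.2.10", "192.0.2.1", "udp", 53, 51),
    ("192.0.2.10", "198.51.100.5", "tcp", 443, 520),
    ("192.0.2.66", "192.0.2.10", "tcp", 445, 1337),
    ("192.0.2.10", "192.0.2.66", "tcp", 8081, 96),
    ("192.0.2.10", "192.0.2.66", "tcp", 8081, 2048),
]

def new_services(baseline, exploit_run):
    """Summarise (proto, port) pairs seen only during the exploit run."""
    known = {(proto, port) for _, _, proto, port, _ in baseline}
    summary = defaultdict(lambda: {"flows": 0, "sizes": [], "peers": set()})
    for src, dst, proto, port, size in exploit_run:
        if (proto, port) in known:
            continue  # traffic the victim image produces anyway
        entry = summary[(proto, port)]
        entry["flows"] += 1
        entry["sizes"].append(size)
        entry["peers"].add((src, dst))
    return dict(summary)

def firewall_candidates(summary, in_use=frozenset()):
    """Return (iptables DROP rules, ports needing a narrower control).

    Ports in `in_use` are services the organisation depends on; blocking
    them outright would cause an outage, so they are listed for review.
    """
    rules, review = [], []
    for proto, port in sorted(summary):
        if (proto, port) in in_use:
            review.append((proto, port))
        else:
            rules.append(f"iptables -A FORWARD -p {proto} --dport {port} -j DROP")
    return rules, review

if __name__ == "__main__":
    found = new_services(BASELINE, EXPLOIT_RUN)
    for key in sorted(found):
        sizes = found[key]["sizes"]
        print(key, found[key]["flows"], "flows, payload", min(sizes), "-", max(sizes))
    print(firewall_candidates(found, in_use={("tcp", 445)}))
```

Ports that the baseline already uses never appear in the output, which is why the victim image has to match production: a baseline taken on a different build would hide or invent differences.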

2.1.2 Internal Response

For the internal response, the following methodology is used.

2.1.2.1 Monitoring Internal Log

Log monitoring is an essential factor in a secure network. All information should be recorded in logs in order to trace back events and secure the network. One open source platform is AlienVault's Open Source Security Information Management (OSSIM) (http://www.ossim.net).

2.1.2.2 Monitoring Suspicious Network Activity

As most malware tries to hide itself and traverse the network, network activity logs are crucial. The network analyser should look for malware propagation, command-and-control communication and the network traffic. There are different types of tools that can be used to improve network security systems, such as Ourmon (http://ourmon.sourceforge.net/), BotHunter (http://www.bothunter.net/), Honeynet (http://www.honeynet.org/) and others.

2.1.2.3 Monitoring Host Activity

To improve monitoring further, monitoring individual systems can also be crucial for identifying a zero-day. Because attacks can go unnoticed, host monitoring is important for identification and detection. Tools that can be used to identify anomalous activity include Tripwire (http://www.tripwire.com), OSSEC (http://www.ossec.net) and others.

2.1.2.4 Malware Analysis and Collection

In order to collect malware and respond to it, tools are needed to capture it. The IRT should ensure that it has the ability to capture and analyze malware. One of the best ways to capture malware is to use honeypots. Honeypots are used to identify new types of attack, track hackers and collect malware. Tools that can be used as honeypots include Honeyd (http://www.honeyd.org/).

2.1.2.5 Application Whitelisting

Application whitelisting has become popular recently. It permits all known and safe production applications to install and run, but blocks all unknown applications. This will prevent any remote code execution. One benefit of application whitelisting is that it allows only known, trusted applications to run. On the other hand, a limitation is that malware could inject itself into the memory of a whitelisted process.

2.2 Detection and Analysis

In order to detect and analyse, the following methodology is used.

2.2.1 Identify

The IRT needs to identify potential signs of compromise, gather events and investigate them. After the information is gathered, it should be analyzed and the threat mitigated. Potential signs of compromise may include strange log entries, unusual network activity or any other anomalous activity. Besides that, end users can also be indicators of suspicious activity: they may click suspect links, surf social networking sites and respond to phishing emails.

2.2.2 Correlate

After all the information is identified and gathered, correlate events to investigate the source of the suspicious activity. All the connections should be identified in the network logs to determine where the source is. One of the tools is Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb545021), used to gather system information, which includes incident response tools (Helix).

2.2.3 Analyze

After the process is identified, the next step is to analyze it. The IRT should analyse all suspicious processes, including processes hidden in Explorer.exe. As malware most of the time tries to hide itself, the IRT needs trusted tools to identify and analyse all the processes. One tool that is useful for dumping a process without killing it is Microsoft's User Mode Process Dumper (http://www.microsoft.com/en-us/download/details.aspx?id=4060).

2.2.4 Mitigate

Once the processes are identified, the IRT should prevent them from executing in order to protect the system. The IRT should identify the child processes launched, DLLs, and any related user information. One tool for this is CurrProcess by NirSoft (http://www.nirsoft.net/utils/cprocess.html). This useful tool shows all the process information, including name, priority level, process ID and memory usage.
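The correlate, analyze and mitigate steps above, as an added example that is not part of the original essay: it joins network log entries for a suspicious destination with per-host socket records to find the responsible process, then walks the parent chain so the launching process is visible. All log lines, addresses, process names and the record layouts are constructed; real exports from a connection-listing or process-listing tool would need their own parsers.

```python
from datetime import datetime

# Constructed sample data. Network log: (time, src_ip, src_port, dst_ip, dst_port).
NET_LOG = [
    ("2014-03-01 10:15:02", "10.0.0.21", 49712, "203.0.113.9", 8080),
    ("2014-03-01 10:15:40", "10.0.0.35", 50110, "198.51.100.5", 443),
    ("2014-03-01 10:16:05", "10.0.0.21", 49730, "203.0.113.9", 8080),
]
# Host socket snapshots: (time, host_ip, local_port, pid).
SOCKETS = [
    ("2014-03-01 10:15:00", "10.0.0.21", 49712, 3120),
    ("2014-03-01 10:15:38", "10.0.0.35", 50110, 880),
    ("2014-03-01 10:16:03", "10.0.0.21", 49730, 3120),
    ("2014-03-01 09:02:11", "10.0.0.21", 49712, 1500),  # same port, earlier owner
]
# Per-host process tables: pid -> (name, parent pid).
PROCS = {
    "10.0.0.21": {3120: ("update.exe", 2044), 2044: ("explorer.exe", 4),
                  1500: ("mail.exe", 2044)},
    "10.0.0.35": {880: ("browser.exe", 700), 700: ("explorer.exe", 4)},
}

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def ancestry(host, pid):
    """Walk parent links so the launching process is visible, not just the leaf."""
    chain, seen, table = [], set(), PROCS.get(host, {})
    while pid in table and pid not in seen:  # `seen` guards against pid loops
        seen.add(pid)
        name, parent = table[pid]
        chain.append(f"{name}({pid})")
        pid = parent
    return chain

def correlate(suspect_dst, window_s=5):
    """Attribute connections to `suspect_dst` to a (host, pid) pair.

    Ephemeral ports are reused, so a socket record matches a log line only
    when the (ip, port) pair agrees and the timestamps are within `window_s`.
    """
    findings = {}
    for when, src, sport, dst, _ in NET_LOG:
        if dst != suspect_dst:
            continue
        for seen_at, host, lport, pid in SOCKETS:
            gap = abs((_ts(when) - _ts(seen_at)).total_seconds())
            if (host, lport) == (src, sport) and gap <= window_s:
                hit = findings.setdefault((host, pid), {"count": 0, "chain": ancestry(host, pid)})
                hit["count"] += 1
    return findings
```

Widening the window to hours attributes the traffic to `mail.exe` as well, because it held the same source port earlier; clock skew between the log source and the hosts has the same effect and should be corrected before joining.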

2.3 Containment

The purpose of the containment phase is to prevent any further spread of the threat or incident. Once the incident has been detected and analyzed, action should be taken to prevent any further damage caused by the threat.

2.3.1 Network Level Containment

At the network level, the best approach is to block the threat on network devices. By the time the IRT has identified that a particular incident is a zero-day, other systems may have been infected too. It is important to implement containment across the network, to prevent the incident from propagating from one system to another.

2.3.2 Host Level Containment

In host level containment, the information gathered previously in the detection and analysis phase can be used. First of all, the IRT should kill all running processes related to the incident analyzed. After that, firewalls should be configured to disallow any traffic related to the incident. In addition, anti-virus programs need to allow custom anti-virus signatures to be created. This helps to detect and eliminate new forms of malware.

3. Conclusion

Zero-day threats are a big challenge for all incident response teams (IRT). Whenever a software vulnerability has been exploited, the IRT needs to fix it immediately for security purposes. The IRT needs to apply different types of methodology in order to prevent, analyse and mitigate the zero-day threat. By having all of these methodologies, the IRT can conduct incident response to a zero-day threat much more easily.

References:

Wikipedia (2014). Zero-day attack. [online] Available at: http://en.wikipedia.org/wiki/Zero-day_attack

Scarfone, K., Grance, T., & Masone, K. (2008, March). Computer Security Incident Handling Guide. Retrieved March 1, 2011, from NIST Special Publications (800 Series): http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf

Kliarsky, A. (2011, June). Responding to Zero Day Threats. [online] Available at: http://www.sans.org/reading-room/whitepapers/incident/responding-zero-day-threats-33709

 
