Detecting and defending against zero-day attacks is perhaps the biggest challenge facing the modern security practitioner. In 2017, 25% of all reported breaches were attributed to zero-day attacks; in 2018 that share rose to 37%. Further, in a survey of 660 IT leaders, zero-day attacks were ranked the number one threat facing their organizations. The reason is simple: the tools and techniques for developing and distributing zero-day exploits are becoming more readily available and more sophisticated, which makes detecting these attacks in time, before they do severe damage to an organization, correspondingly harder.

What is Zero-Day?

In cybersecurity, “zero-day” describes a vulnerability that the software vendor has had zero days to fix: it is being exploited, or has become known, before the vendor is aware of it or before a patch exists. From the moment the vendor learns of the flaw, the clock is ticking to produce a patch as quickly as possible. Even then, exposure does not end when the patch ships: end users must install and verify it, and security vendors must write detection signatures for the exploit and push those updates to their tools.

In a Zero-Day event, there are essentially 3 phases:

Zero-day vulnerability – the aforementioned flaw in software code, or in the way a piece of software interacts with other software, that is not yet known to the software vendor.

Zero-day exploit – an exploit based on a zero-day vulnerability; usually malicious software that uses a zero-day vulnerability to gain access to a target system.

Zero-day attack – the act of using a zero-day exploit against a target for malicious purposes.

“Zero-Day exploits, and their underlying vulnerabilities, have a 6.9 year life expectancy, on average” 

RAND Corporation, “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits.”

A true zero-day attack uses a vulnerability that is unknown to the software vendor at the time of the attack in order to compromise a system and perform malicious actions. There is also a “pseudo” zero-day attack (often called an n-day attack) in which the vulnerability was already known to the vendor and a patch existed, but the attack still succeeded because end users had not applied it. The distinction matters for defenders: the risk from a zero-day vulnerability does not end when the patch is released, only when it is actually deployed.

Zero-Day Detection Challenges

Traditional security measures such as antivirus endpoint solutions, patch management and sandboxing still have their place, but on their own they are insufficient to detect and prevent zero-day exploits and attacks. The reason is simple: a signature-based tool can only match patterns of attacks that have already been seen and analyzed, and a patch cannot be applied before the vendor has written one. A zero-day exploit, by definition, has neither.

With zero-day exploits, the point of entry is often an unwitting internal user (for example, one who opens a malicious attachment), and the intrusion manifests in ways that signature-based tools will not detect. Zero-day exploits are best identified by automatically recognizing aberrant behavior and immediately alerting administrators to the change.

To deal effectively with zero-day threats, organizations therefore need to be more proactive and predictive in their security strategies. Securing an organization means gaining visibility over its entire data flow: traffic from every endpoint, with each incoming file taken apart and inspected for malicious elements, known or unknown, while user and network behavior are monitored at the same time so that deviations from expected activity raise an alert.

The time when traditional security measures were effective has come and gone.

Zero-Day & AI

As noted above, zero-day exploits cannot be detected by conventional signature-based means such as anti-malware products or IDS/IPS devices, because no signature exists yet for an exploit nobody has seen. Without a specific signature to match, security administrators have to rely on behavior-based detection methods.

Behavior-based detection techniques identify malware by the way it interacts with the target system. Instead of examining the bytes of an incoming file or traffic flow for known patterns, a behavior-based solution observes what that file or flow does once it reaches existing software (the processes it spawns, the files it writes, the network connections it opens) and judges whether that activity is the result of malicious action.

Machine learning is often used to establish a baseline of normal behavior from data on past and current interactions within the system. As with other statistics-based detection techniques, the more data that is available, the more reliable the detection becomes. A behavior-based detection system that observes a single target system for a long time can build an accurate model of that system’s routine activity, so that novel malicious software stands out as a deviation from it. One caveat: the baseline is only as good as the period it was learned from, so if that period already included attacker activity, the model will learn that activity as normal.

Third-Wave, Context-Aware AI

The core approach of modern AI is supervised learning: models, typically artificial neural networks, are trained on labelled data that represents the phenomenon of interest. Such a model recognizes only what resembles its training data, so the threat of zero-day attacks, for which no training examples exist, hangs over supervised machine learning based cybersecurity solutions just as it does over older signature-based defenses.

Second-wave AI (statistical learning, in DARPA’s “three waves of AI” framing) is not proficient at detecting zero-day attacks because it is not good at detecting what it has not been trained to see.

A model that has learned only one rigid behavioral attack pattern leaves a cybersecurity program vulnerable to dynamically changing attacks. If the learned pattern is too broad, the program blocks an excessive number of legitimate behaviors as attacks (false positives); if it is too narrow, a wide range of actual attacks proceed unchecked (false negatives). And a model cannot be trained to detect a threat for which there are no examples in the historical record.
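The baselining described under “Zero-Day & AI” above, and the broad-versus-narrow trade-off in the preceding paragraph, can both be seen in a small statistical example. The code below is added here as an illustration and is not MixMode’s code or model; the host name, the two per-minute features (bytes out and distinct destination ports), the hour of history and the labelled new windows are all constructed for the example. It builds a per-host profile from history, scores each new window by how many standard deviations it sits from that profile, and then shows how the alerting threshold k moves the balance between false positives and false negatives.

```python
"""Statistical behavior baseline over constructed outbound-flow summaries.

Added illustration of the baselining idea in the text (per-host profile of
normal activity, deviations scored as anomalies, threshold choice trading
false positives against false negatives). It is not MixMode's code or model;
all hosts, features and records below are constructed sample data.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Features summarised per host per one-minute window (assumed for the example).
FEATURES = ("bytes_out", "distinct_dst_ports")

# Constructed one-hour history for one workstation: a mild cycle in bytes
# out and between one and three destination ports a minute. A real baseline
# would be built from far more history and more features.
HISTORY = [
    {"host": "ws-17", "bytes_out": 40_000 + (i % 7) * 3_000,
     "distinct_dst_ports": 1 + (i % 3)}
    for i in range(60)
]

# Constructed new windows with ground-truth labels, used only to show how the
# threshold moves false positives and false negatives.
NEW_WINDOWS = [
    # (description, window, is_malicious)
    ("routine browsing", {"host": "ws-17", "bytes_out": 49_000, "distinct_dst_ports": 2}, False),
    ("legitimate backup burst", {"host": "ws-17", "bytes_out": 65_000, "distinct_dst_ports": 3}, False),
    ("slow exfiltration", {"host": "ws-17", "bytes_out": 75_000, "distinct_dst_ports": 1}, True),
    ("internal port scan", {"host": "ws-17", "bytes_out": 42_000, "distinct_dst_ports": 40}, True),
    ("bulk exfiltration", {"host": "ws-17", "bytes_out": 900_000, "distinct_dst_ports": 1}, True),
]

MIN_STD = 1e-9  # floor so a feature that never varied does not divide by zero


def build_baseline(history):
    """Per-host mean and population standard deviation of every feature."""
    per_host = defaultdict(lambda: defaultdict(list))
    for w in history:
        for f in FEATURES:
            per_host[w["host"]][f].append(w[f])
    baseline = {}
    for host, cols in per_host.items():
        baseline[host] = {
            f: (mean(vals), max(pstdev(vals), MIN_STD)) for f, vals in cols.items()
        }
    return baseline


def anomaly_score(baseline, window):
    """Largest absolute z-score across features. A host with no history scores
    infinite, i.e. it is surfaced for review rather than silently trusted."""
    profile = baseline.get(window["host"])
    if profile is None:
        return math.inf
    return max(abs(window[f] - mu) / sd for f, (mu, sd) in profile.items())


def is_anomalous(baseline, window, k):
    """Flag when any feature sits more than k standard deviations from normal."""
    return anomaly_score(baseline, window) > k


def evaluate(baseline, labelled, k):
    """Return (false_positives, false_negatives) for alerting threshold k."""
    fp = fn = 0
    for _desc, window, malicious in labelled:
        flagged = is_anomalous(baseline, window, k)
        if flagged and not malicious:
            fp += 1
        if malicious and not flagged:
            fn += 1
    return fp, fn


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for desc, window, malicious in NEW_WINDOWS:
        print(f"{desc:25s} score={anomaly_score(base, window):8.2f} malicious={malicious}")
    for k in (2, 3, 5):
        fp, fn = evaluate(base, NEW_WINDOWS, k)
        print(f"k={k}: false positives={fp} false negatives={fn}")
```

Running the block prints each window’s score and the false-positive and false-negative counts at k = 2, 3 and 5: the loose threshold flags the legitimate backup burst, the tight one misses the slow exfiltration, and only the middle setting catches all three attacks without a false alarm on this sample. That is the “too broad / too narrow” problem in miniature, and the right k depends on the environment, which is why more history and more features matter. The MIN_STD floor only avoids a division by zero for a feature that never varied during baselining; any later change to such a feature then scores as extremely anomalous, which is the intended behavior.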

“MixMode’s proprietary AI relies on an unsupervised learning methodology capable of understanding its environment based on its own, changing context. This is different from anything else currently available on the market.”

Dr. Igor Mezic, MixMode CTO & Chief Scientist

MixMode’s proprietary third-wave AI is designed to move beyond these issues. It relies on an unsupervised learning methodology: rather than being trained on labelled attack examples, it learns what the environment normally looks like and recognizes that the environment is changing from the contextual information it observes.

Specifically, it observes the totality of the information available to it from the network sensor and detects unusual behavior whether it appears in lateral movement, inbound traffic or outbound traffic.

Because its own model adapts to new network conditions, it is far harder for attackers to evade, even those using modern machine-learning-driven penetration techniques. The result is constant adaptation to evolving security conditions and detection of security events that have never been observed before, which is exactly the zero-day case.
