CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs)
Known and Unknown Vulnerabilities

Figure 2 divides vulnerabilities into known and unknown vulnerabilities, and into those for which a patch is already available and those for which it is not. If you have vulnerabilities within your systems for which patches already exist, then clearly you should be doing better vulnerability research and be more vigilant about patch updates [6]. Most organizations do a good job, employing various technologies like anti-virus, firewalls and IPS/IDS to defend against known attacks, and keeping up to date with software updates [6]. During the small window when a vulnerability has been discovered but there is no patch yet, a workaround needs to be implemented.

Zero-Day Vulnerabilities and APTs

In this paper we focus on the fourth quadrant, the unidentified zero-day vulnerabilities. These vulnerabilities are the biggest threat to an organization’s security [7]. Their existence is unknown, there are no defenses against them, and an attack can go completely unnoticed [7]. If an attacker finds a zero-day vulnerability in a network, service or application, they can do what they want with it, from website defacing and obstructing operations to stealing confidential information. It is unlikely that the targets of high-profile attacks are not keeping their patches up to date. It is the zero-day vulnerabilities in their systems that make APTs possible. How can APTs be mitigated?

[Figure 2 (quadrant diagram), label recovered from the page: Patch not available: implement workaround.]
Fuzzing

Fuzzing is a black-box robustness testing technique used to reveal unknown zero-day vulnerabilities by triggering them with unexpected inputs. Basically, unexpected data in the form of modified protocol messages is fed to the inputs of a system, and the behavior of the system is monitored [9]. If the system fails, e.g., by crashing or by failing built-in code assertions, then there is an exploitable vulnerability in the software [10]. While many security techniques focus on finding known vulnerabilities or variations of them, fuzzing reveals previously unknown vulnerabilities, so-called zero-day vulnerabilities, by triggering them with unexpected inputs [4]. Figure 3 depicts the flow of fuzzing tests.

Discovering Zero-Day Vulnerabilities

A survey conducted by a large independent software vendor found that every single unique vulnerability found had been discovered by fuzzing [6]. The Internet is full of fuzzing kits, like the Phoenix Exploit Kit, Blackhole and Crimepack, favored among crackers to find exploitable vulnerabilities in networks and applications [6]. Industry-leading companies are already using fuzzing to protect their networks against zero-day attacks. By finding zero-day vulnerabilities proactively, networks can be made more robust against attacks, reducing the risk of advanced cyber attacks [4].
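The fuzzing flow just described (feed modified protocol messages to the target, monitor for crashes or failed built-in assertions) in a minimal, runnable form. This is an added example and not code from the whitepaper or from Codenomicon's products: the protocol, the parser under test, its two deliberate robustness bugs, the seed messages and the helper names (`parse_message`, `mutate`, `run_one`, `fuzz`) are all constructed for illustration. It uses the mutation-based approach, deriving each test case by randomly editing a well-formed seed message, and its monitor distinguishes a defined rejection of bad input from an unexpected failure, which is the signal a robustness tester is looking for.

```python
"""Mutation-based fuzzing loop against a constructed toy protocol parser.

Added example (not Codenomicon's code). The parser stands in for the
system under test; the loop feeds it modified messages and watches for
crashes or failed assertions, as in the fuzzing flow described above.
"""
import random
import struct

# Constructed toy protocol: 1-byte type, 2-byte big-endian length, payload.
HELLO = 0x01


def parse_message(data: bytes) -> dict:
    """System under test (constructed). Rejects short input cleanly with
    ValueError but contains two deliberate robustness bugs that a fuzzer
    should surface: an assertion on the declared length and an unchecked
    index into the payload."""
    if len(data) < 3:
        raise ValueError("short header")          # defined, graceful rejection
    msg_type = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    payload = data[3:3 + length]
    # Built-in code assertion: fires when the declared length exceeds the data
    assert len(payload) == length, "declared length exceeds payload"
    if msg_type == HELLO:
        flags = payload[0]                        # bug: no check for empty payload
        return {"type": "hello", "flags": flags}
    return {"type": "data", "payload": payload}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Derive one test case from a real-looking seed by a few random edits."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:                      # flip one bit
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                    # overwrite with a boundary value
            i = rng.randrange(len(data))
            data[i] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
        elif op == 2 and len(data) > 1:           # truncate the message
            del data[rng.randrange(len(data)):]
        else:                                     # insert random bytes
            i = rng.randrange(len(data) + 1)
            data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(data)


def run_one(data: bytes) -> str:
    """Monitor: classify the target's behaviour on one input."""
    try:
        parse_message(data)
        return "ok"
    except ValueError:
        return "rejected"                         # expected error path
    except Exception as exc:                      # anything else is a robustness failure
        return "crash:" + type(exc).__name__


def fuzz(seeds, iterations=3000, rng_seed=1):
    """Run the loop; return the first input that triggered each failure class."""
    rng = random.Random(rng_seed)                 # fixed seed for reproducible runs
    findings = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        outcome = run_one(case)
        if outcome.startswith("crash:"):
            findings.setdefault(outcome, case)
    return findings


# Constructed seed corpus: two well-formed messages, as captured traffic would be
SEEDS = [bytes([HELLO, 0x00, 0x02, 0xAB, 0xCD]), bytes([0x02, 0x00, 0x03]) + b"abc"]

if __name__ == "__main__":
    for failure, case in fuzz(SEEDS).items():
        print(failure, case.hex())
```

Running the script surfaces both planted bugs within a few thousand cases: the length assertion trips as soon as a mutation raises the declared length above the bytes actually present or truncates the payload, and the unchecked index fails on a hello message whose length field has been zeroed. The monitor treats `ValueError` as the parser's intended rejection path and everything else as a finding; in a real harness the equivalent signals are process crashes, sanitizer reports or failed assertions in the target, and each finding is kept with the exact input that produced it so it can be reproduced and triaged.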
[Figure 2: Known and Unknown Vulnerabilities. [8] Quadrant labels recovered from the diagram: Patch available: apply the patch; Known vulnerability: do better vulnerability research; Unknown/Zero-Day vulnerability.]
Automating Fuzzing

In fuzzing, thousands and even millions of misuse-cases are created for each use-case, thus most robustness testing solutions contain at least some degree of automation. There are two popular ways to automate fuzzing: generation-based and mutation-based fuzzing [11]. In mutation-based fuzzing, real-life inputs such as network traffic and files are used to generate test cases by