What is a zero-day attack?

A zero-day attack is an attack that is only discovered while it is already in progress, meaning the security team has had "zero days" to prepare for or remediate the vector through which the attacker gained entry.

Indeed, according to the U.S. National Institute of Standards and Technology (NIST), a "zero-day attack" is one that "exploits a previously unknown hardware, firmware, or software vulnerability."

Zero-day vulnerabilities

A zero-day vulnerability is one that was previously unknown to the vendor and to the security organization, and for which there is currently no existing patch or remedy. This means a fix must be developed quickly from the ground up before a threat actor finds and exploits it. If the vulnerability has not yet been exploited, the security operations center (SOC) should consider itself very fortunate.

But if there are signs that the vulnerability has already been exploited, it is time to spring into action and limit the impact of the attack in progress.

Zero-day exploits

A zero-day exploit is a threat actor going into attack mode: exploiting the discovered vulnerability before any relevant security personnel have been made aware of it. From there, the attacker hopes to have the maximum amount of time to move freely around the target network so they can steal as much data as possible.

An organization's reputation can be severely damaged if word of a zero-day exploit becomes public.

How do zero-day attacks work?

Zero-day attacks work by a threat actor taking a phased approach against the target network. First, of course, the threat actor looks for a vulnerability. After finding one, and deciding it is worth their time to attempt exploitation, the attacker develops and deploys code to exploit the vulnerability.

From there, the attacker can pinpoint the vulnerable systems and begin infiltrating the network at that entry point. If they are not detected, the attack can be fully deployed across the target network so the threat actor can seek out valuable data, hold it for ransom, or sell it to the highest bidder.

Zero-day attacks may be carried out by a group of threat actors working together to steal highly sensitive information from a victim. Or it may be a single, highly sophisticated criminal compromising dozens or hundreds of organizations simultaneously by leveraging custom tooling to exploit vulnerabilities.

According to Rapid7's 2024 Attack Intelligence Report, vulnerabilities exploited in targeted zero-day attacks often have higher-profile backstories. That is only natural, as it is never good for any company's reputation to learn that its network has an active attack in progress, and that the attack might have been underway for quite some time before it was discovered.

Many cybersecurity researchers now track the time between when a vulnerability becomes publicly known and when it is reliably reported as exploited. This window is called "time to known exploitation," and it has narrowed considerably in the past few years, largely as a result of zero-day attacks, where exploitation precedes public disclosure and the window is effectively zero or negative.

Examples of zero-day attacks

Zero-day attacks may be the most sensational cybersecurity stories in the world because defenders have literally no time to prepare for these malicious actions.

This means they can cause the ultimate frenzy and adrenaline spike in an environment that was most likely, until very recently, business as usual. Let's look at a few recent, prominent examples of zero-day attacks.

  • LinkedIn: The career-focused social networking platform was leveraged to send messages containing malicious links to users of the site. The ultimate goal was to gain access to a user's iPhone and then exploit the version of iOS installed at the time of the attack. 
  • Alibaba: Over a period of nearly eight months, an attacker went undetected in Alibaba's retail environment. They stole customer data, affecting more than 1 billion users. 
  • SugarCRM: Remote code execution was achieved through a vulnerability in the company's platform, allowing threat actors to access instances in customers' AWS accounts. 
  • Ivanti Connect Secure: The popular VPN provider experienced a zero-day attack in which two vulnerabilities were chained together to gain initial access, deploy web shells, backdoor legitimate files, capture credentials and configuration data, and then pivot further into the victim's environment. 
  • Sony Pictures: Let's take a trip to Hollywood: Sony Pictures experienced a zero-day attack that led to the leak/theft of intellectual property, embarrassing corporate emails, executive salaries, and more. 

To put the sheer effectiveness and proliferation of zero-day attacks, and their popularity among threat actors, into perspective: 53% of new widespread threat vulnerabilities through the beginning of 2024 were exploited before software producers could implement fixes. 

How to identify zero-day attacks

Identifying zero-day attacks requires a fundamental shift in, or addition to, a SOC's practices. Specifically, this means shifting to or incorporating proactive measures that enable security practitioners and analysts to go beyond the network perimeter.

In this way, they can actively hunt for threats using telemetry that the wider security community has identified as suspicious. With enhanced endpoint telemetry, teams can quickly review logs and gain critical visibility into all endpoint activity. Let's look at a few other techniques for identifying zero-day attacks.

Vulnerability management

Managing vulnerabilities, or simply becoming aware of them, is perhaps the single most important thing a SOC can do when it comes to identifying potential zero-day attacks.

The overall goal, of course, is to identify critical vulnerabilities before they are exploited. But since that is not possible in every case, teams can leverage a capable vulnerability management (VM) tool to shorten the time between exploitation and discovery.

Network traffic analysis

This helps monitor network activity so that there is a continuously evolving, real-time record of what is happening on the network. With network traffic analysis (NTA), a SOC not only gains visibility into devices across the entire network, but can also respond to investigations faster with rich detail and additional network context.

Indicators of compromise

Observing and reporting verified indicators of compromise (IOCs) helps the cybersecurity community as a whole review known IOCs so that organizations can spot them earlier across their own attack surface. IOCs are essentially data discovered in forensic analysis (such as attacker IP addresses, domains, or file hashes) that can alert analysts to past or ongoing attacks or breaches.
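The following is an added example of how a SOC might sweep its own telemetry for shared IOCs; it is not code from the original page or from Rapid7. The IOC list and the proxy, DNS, and EDR log lines are constructed for illustration and do not refer to any real campaign. The scanner extracts candidate observables (IPv4 addresses, domains, SHA-256 hashes) with regular expressions, normalizes case, and treats a subdomain of a known malicious domain as a match, which plain string equality would miss.

```python
import re
from dataclasses import dataclass

# Constructed sample IOCs (hypothetical; not from any real threat feed).
KNOWN_IOCS = {
    "ipv4": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-check.example.net", "cdn.badhost.example"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed sample telemetry: two proxy events, one DNS query, one EDR file event.
SAMPLE_LOGS = [
    "2024-05-02T10:14:03Z proxy src=10.0.0.15 dst=198.51.100.23 host=update-check.example.net uri=/a.php",
    "2024-05-02T10:14:05Z dns client=10.0.0.15 query=sub.cdn.badhost.example type=A",
    "2024-05-02T10:14:09Z edr host=WS-0142 file=C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2024-05-02T10:15:00Z proxy src=10.0.0.16 dst=192.0.2.10 host=www.example.com uri=/",
]

# Extraction is deliberately loose (it will also pick up things like "svc.exe");
# only membership in the IOC sets decides whether something is reported.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int       # 1-based index into the scanned log lines
    ioc_type: str      # "ipv4", "domain" or "sha256"
    observable: str    # the value as it appeared in the log
    matched_ioc: str   # the IOC it matched (normalized)


def _domain_match(observed, known_domains):
    """Return the known domain that `observed` equals or is a subdomain of, else None.

    The "." prefix in the suffix test matters: "notbadhost.example" must not
    match "badhost.example".
    """
    observed = observed.lower()
    for known in known_domains:
        if observed == known or observed.endswith("." + known):
            return known
    return None


def scan_logs(lines, iocs=KNOWN_IOCS):
    """Scan log lines for known IOCs and return the list of hits in line order."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ipv4"]:
                hits.append(Hit(line_no, "ipv4", ip, ip))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                hits.append(Hit(line_no, "sha256", digest, digest.lower()))
        for name in DOMAIN_RE.findall(line):
            matched = _domain_match(name, iocs["domain"])
            if matched is not None:
                hits.append(Hit(line_no, "domain", name, matched))
    return hits


def summarize(hits):
    """Count hits per IOC type, e.g. {"ipv4": 1, "domain": 2, "sha256": 1}."""
    counts = {}
    for hit in hits:
        counts[hit.ioc_type] = counts.get(hit.ioc_type, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.observable} -> {hit.matched_ioc}")
    print(summarize(found))
```

In a real deployment the IOC sets would be loaded from a threat feed and the scan run continuously against SIEM or EDR output rather than an in-memory list; the matching logic (normalize, then compare against the set, with subdomain-aware domain checks) stays the same.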

Zero-day attack prevention

Turning now to preventing zero-day attacks, there are several technologies and/or methodologies to aid practitioners in what really amounts to seeing in the dark. The goal is to make visible what can be incredibly difficult to see and detect, so a team can act and take down the threat fast.

Digital forensics and incident response

The process of collecting forensic evidence of a past attack can help a SOC understand whether a historical attack occurred that could still be ongoing. Digital forensics and incident response (DFIR) systems collect this forensic data, also known as artifacts, and actively look for potential IOCs within it.

External attack surface management

For a security organization that needs to monitor the enterprise's internet-facing assets, leveraging external attack surface management (EASM) is extremely effective. EASM platforms can monitor for exposed credentials, public cloud misconfigurations, and other vulnerabilities specific to assets with greater inherent exposure risk.

Intrusion detection and prevention systems

This type of system is a catch-all against the most sudden or imminent threats, of which zero-day attacks are one. Essentially, intrusion detection and prevention systems (IDPS) work by monitoring traffic (inline, in the prevention case) and blocking suspicious or malicious behavior almost immediately after it is flagged. Because a true zero-day has no signature yet, catching it depends on behavioral or anomaly-based detection rather than signature matching alone.

Threat hunting

Using this ultimate proactive security posture technique, teams can attempt to defend their network before any real damage reaches its perimeter. By maintaining real-time visibility into threat feeds, threat hunters can become extremely familiar with circulating threats and ready their network in case one comes their way.

Read more

Zero-day attacks: latest Rapid7 blog posts