We have recently seen an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and use of software vulnerabilities. A zero-day exploit occurs when a software flaw is only discovered after it is already being exploited in the wild (and there isn’t a patch available from the vendor).
The “window of exposure” is the time frame during which users of vulnerable software will be at risk. This is calculated as the difference in time between when a vulnerability is exploited and when a patch is made available. The average window of exposure from the first six months of 2006 was 28 days – a dangerously large window in which systems and users are at risk. Average time to develop a patch – Time to develop exploit code = window of exposure (31 – 3 = 28 days).
While vendors continue to make strides and reduce the amount of time it takes to release a patch, attackers seem to be staying one step ahead of the game by developing exploits faster.
So, how do we handle these zero-day attacks? Using intrusion prevention. (For a good explanation of the differences between intrusion detection systems and intrusion prevention systems, please refer to this previous blog by Jonathan Omansky.) A single vulnerability is usually the target of multiple exploits and variants. Our strategy is to protect a new vulnerability against any future attacks in the form of broader coverage focusing on the one vulnerability, instead of having to reactively respond to every specific exploit. This approach protects against both known and unknown attempts to exploit that vulnerability. Users can deploy one signature that protects against many different attacks. To complement intrusion prevention signatures that focus on the network vector, antivirus signatures block the file-based attacks.
The table below shows our intrusion protection at work. Each line represents a vulnerability and the number of variants associated with that vulnerability. In every instance, our intrusion prevention prevented exploitation of the vulnerability.