
Zero Days and Counting: Defending Against the Unknown

Symantec Adds Signatureless Exploit Prevention to its Single-Agent Endpoint Arsenal

Zero-day vulnerabilities inhabit a special, scary place in the cyber threat landscape. That's due in part to human fear of the unknown, but also because they flip the timeline of threat mitigation. For security leaders and software companies, the clock is ticking...

Symantec's annual security report shows the zero-day threat is growing, as the number of discovered vulnerabilities more than doubled in 2015 over the previous year, with a new one uncovered every week (on average). Attackers are drawn to popular applications used on a daily basis by millions of people around the world. Malicious code on rogue web sites can exploit vulnerabilities in popular Web browsers such as Internet Explorer, and phishing scams tucked away in seemingly friendly emails or embedded in Adobe Flash videos can wreak havoc in an enterprise within minutes.

It gets worse: Once discovered, these vulnerabilities are quickly promulgated within the hacker community and added to exploit toolkits. 2015 witnessed a discouraging uptick in use of the Angler Exploit Kit, a drive-by download kit that has been used to spread ransomware, run malvertising campaigns and even carry out hacktivism. Zero-day exploits have also become quite lucrative, so much so that Symantec now characterizes the criminal hunt for zero days as professionalized.

Preemptive Protection: Stopping Vulnerabilities Without Signatures

Businesses today need more powerful, multi-layered endpoint protection that extends well beyond traditional signature-based antivirus. They need cutting-edge technology capable of securing all possible attack vectors.

Symantec Endpoint Protection 14 is answering that clarion call with the broadest suite of endpoint protection techniques – some traditional, some new and some improved. One of the newest features is Memory Exploit Mitigation, which we use to preemptively block exploit techniques regardless of whether they are known or unknown, foiling attackers' attempts to take advantage of zero-day vulnerabilities.

At the core, Memory Exploit Mitigation is designed to detect and mitigate against generic exploit attacks – without signatures. It works at the shellcode execution level to counter different exploitation techniques. It also hardens the targeted software applications, making it difficult for hackers to write exploits.

Memory Exploit Mitigation includes multiple mitigation techniques "out of the box" that don't need prior knowledge of an exploit to block it. It watches for a broad range of exploit behaviors and leverages Symantec's deep intelligence from millions of endpoints, billions of files and trillions of relationships. Most importantly, you don't need an additional endpoint agent to take advantage of new techniques.

In its initial release, Memory Exploit Mitigation includes three popular exploit mitigation techniques:

  • Java exploit protection: Java exploits allow hackers to run malicious Java code for the purposes of surveillance, data theft, or backdoor access to larger computer systems. Symantec's Memory Exploit Mitigation completely blocks Java Applets that try to disable Java's Security Manager.
  • Heap spray mitigation: A heap spray attack occurs when the attacker tries to place attack code at predictable memory locations. Attackers may have full control of the application once the injection is completed. Memory Exploit Mitigation reserves the commonly used memory locations so an attacker cannot use them, and blocks access to those locations.
  • Structured Exception Handler Overwrite Protection (SEHOP): Exception handling exploits compromise an application by overwriting the pointer of an exception handler with an attacker-controlled address. Memory Exploit Mitigation provides built-in SEHOP protection, beyond the limited degree of protection in Windows operating systems (which often have the protection disabled by default).
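To make the SEHOP item concrete, here is an added model (not Symantec's code) of what a SEHOP-style check does: before any handler is dispatched, the chain of exception registration records is walked and every link must stay inside the thread's stack and end at the process's sanctioned final handler. The stack region, handler names and the `0x41414141` overwrite value are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of an x86 SEH registration record: a link to the previous
 * record followed by the handler address (constructed for this example). */
typedef struct seh_record {
    struct seh_record *next;   /* 0xFFFFFFFF marks the end of the chain */
    void (*handler)(void);
} seh_record;

#define SEH_CHAIN_END ((seh_record *)(uintptr_t)-1)

static void final_handler(void) {}     /* the sanctioned terminal handler */
static void app_handler(void) {}       /* a legitimate application handler */
static void attacker_handler(void) {}  /* stands in for a hijacked handler address */

static seh_record stack_area[4];       /* stands in for the thread's stack */

/* A record is trusted only if it lies wholly within the stack and is pointer aligned. */
static bool record_in_bounds(const seh_record *r, const void *lo, const void *hi) {
    uintptr_t a = (uintptr_t)r;
    return a >= (uintptr_t)lo && a + sizeof(*r) <= (uintptr_t)hi && a % sizeof(void *) == 0;
}

/* SEHOP-style validation: follow next links, refusing to dereference anything
 * outside the stack, and require the chain to end at the known final handler. */
bool sehop_chain_valid(const seh_record *head, const void *lo, const void *hi, void (*final)(void)) {
    const seh_record *cur = head;
    for (int hops = 0; hops < 64; hops++) {          /* bounded walk also stops cycles */
        if (!record_in_bounds(cur, lo, hi)) return false;
        if (cur->next == SEH_CHAIN_END) return cur->handler == final;
        cur = cur->next;
    }
    return false;
}

/* Build app_handler -> final_handler -> end; optionally simulate the corruption
 * described above, where an overflow replaces the handler and clobbers the link. */
bool demo(bool corrupted) {
    stack_area[0].next = SEH_CHAIN_END;  stack_area[0].handler = final_handler;
    stack_area[1].next = &stack_area[0]; stack_area[1].handler = app_handler;
    if (corrupted) {
        stack_area[1].next = (seh_record *)(uintptr_t)0x41414141; /* constructed junk link */
        stack_area[1].handler = attacker_handler;
    }
    return sehop_chain_valid(&stack_area[1], stack_area, stack_area + 4, final_handler);
}

int main(void) {
    printf("intact chain valid: %d, corrupted chain valid: %d\n", demo(false), demo(true));
    return 0;
}
```

An exploit that overwrites the handler pointer without preserving a well-formed link fails this walk, so the hijacked handler is never invoked.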

All the techniques have been tested and proven already on more than 40 million endpoints via Symantec's Norton line of products. This field testing has allowed us to tune the techniques for very low false positives and certify against relevant programs before bringing them to enterprise customers. We are currently working on additional techniques that will be introduced in 2017 – stay tuned for more.

Unlike competitors, our Memory Exploit Mitigation works within a single agent alongside other protections, and provides centralized policy management and reporting. It can also run without a network connection – protecting disconnected or occasionally connected endpoints – and provide reporting on failed exploit attempts in addition to blocked exploits.

How effective is it? Based on internal tests, Memory Exploit Mitigation alone was able to block more than 60 percent of the zero-day exploit attacks from the last five years, with no reliance on prior knowledge of the attacks. Additional attacks were neutralized by the other capabilities built into Symantec Endpoint Protection, providing a highly effective combined defense against unknown threats.

The threat landscape is always changing, and customers are demanding more from their endpoint products. We hear all the time from customers that they "want additional controls, not an additional agent." With Symantec Endpoint Protection 14, we're delivering just that – a variety of new and established techniques for prevention, detection and response from a single agent. As Forrester wrote it in its recent Wave report on endpoint security suites: "Almost every possible attack surface is covered when buyers utilize the full extent of this portfolio."

Check out our webinar on next-generation endpoint protection with Adrian Sanabria from 451 Research, and watch this space for weekly blog posts that drill deeper into key capabilities with insights from Symantec and third-par

About the Author

Naveen Palavalli

Director of Product Marketing & GTM Strategy

Naveen Palavalli heads up product marketing and GTM strategy for endpoint security, email security and advanced threat protection product lines focusing on enterprise and SMB markets at Symantec.
