Zero-day attacks are not a new concept. However, if an enterprise has not addressed them recently, now might be a good time to review what has been implemented and what is available to prevent serious enterprise compromises.
A zero-day threat or exploit is based on a vulnerability that was not previously detected. Because nobody knows the vulnerability exists, the consequences can be catastrophic. A zero-day exploit is created when a bad actor takes that vulnerability and writes code to take advantage of it. A zero-day attack then occurs when the exploit is used against a system. The zero-day threat is the overall concept covering the vulnerability, the exploit and the attack.
Figure 1 Zero-day threats are cyberattacks that occur before a vulnerability within software has been fixed. Source: Lanner
As shown in Figure 1, a threat can be thought of as a timeline. The tricky thing about a zero-day threat is that the attack takes place before anybody has a patch for the software vulnerability. That leaves an unfortunate “Window of Vulnerability” when the attack can run rampant before the vulnerability is patched.
The best method to address a zero-day threat is to use broad protections that can defend against a range of attacks. With this method, the defender is prepared for whatever the attacker may send their way.
In the cycle of defense, the defender is continuously trying to prevent, detect and respond to attacks. The defender starts by trying to prevent an attack from being successful. If defenders are not able to prevent an attack and the system is breached, the attack can be detected by some means and an appropriate response action is taken. Frequently, this takes the form of a system/software patch.
Whack-a-mole or swatting-mosquitos analogy
To employ a metaphor to illustrate the value of broad defenses mounted in advance, consider pesky mosquito attacks. There are many ways to deal with them. In a warm and wet climate, they are a constant problem. In this case, broad prevention may involve chemical treatment to stop them where and when they breed—in stagnant water. Another broad prevention step is window screens to keep them out of living quarters.
Detection must be performed after the prevention step is not 100% successful. For mosquitos, this takes the form of audible detection—hearing them before they bite. And the response is swatting the darn bugs. Those who have lived in a mosquito-filled area know that prevention is much better than detection and response.
The information security business uses a similar system called defense in depth where multiple layers are used in the prevention and detection processes. If one of these layers is skipped, the problem can get out of control. That’s why multiple layers of defense are required.
In information security, one of the multiple layers could involve a firewall on the network to keep the pesky bad guys out. Another software firewall can be running on each computer in the organization. Within the computer there are different layers of protection as well. For example, the operating system and software libraries are hardened as much as possible to minimize the impact of vulnerabilities. But even with the best preventative approaches, vulnerabilities still occur and cause system breaches.
While ideally the goal is keeping problems at zero, in reality, this goal is not achieved. When problems occur, they must be detected and responded to as soon as possible. Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. This means not only prevention to keep the number of occurrences to a minimum but also detecting and responding.
Several detection techniques are used these days. Previously identified attacks can be found on a network using a Network Intrusion Detection System (NIDS) that monitors network traffic looking for malware signatures or anomalous traffic. Anti-virus software can be used to look for suspected malware on a computer. Once detected, the attack can be blocked.
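The two detection styles just described can be shown side by side. The following is an added example written for this article, not the author's code or any NIDS product: constructed flow records are run through a signature matcher (byte patterns of previously identified malware traffic) and an anomaly detector (a client touching more distinct ports on one host than normal clients do). The signatures, addresses, thresholds and sample flows are all constructed.

```python
"""Signature- and anomaly-based detection over constructed flow records.

Added illustration for this article, not code from the author or from
any NIDS product. The signatures, thresholds, addresses and sample flows
are all constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since start of capture
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    payload: bytes  # first bytes of the application payload


# Constructed "known-bad" byte patterns standing in for real signatures
# of previously identified malware traffic.
SIGNATURES = {
    "constructed-sig-beacon": b"CONSTRUCTED_BEACON_v1",
    "constructed-sig-dropper": b"CONSTRUCTED_DROPPER_HDR",
}


def signature_alerts(flows):
    """One alert per (flow, signature) whose payload contains the pattern."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                alerts.append((name, f.src, f.dst, f.dport))
    return alerts


def anomaly_alerts(flows, window=10.0, max_distinct_ports=5):
    """Flag a (src, dst) pair that touches more distinct destination ports
    within `window` seconds than a normal client would. No signature is
    needed, which is what makes this useful against attacks nobody has
    seen before."""
    recent = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
    flagged = set()
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        recent[key] = [(t, p) for t, p in recent[key] if f.ts - t <= window]
        recent[key].append((f.ts, f.dport))
        distinct = {p for _, p in recent[key]}
        if len(distinct) > max_distinct_ports and key not in flagged:
            flagged.add(key)
            alerts.append(("port-scan", f.src, f.dst, len(distinct)))
    return alerts


def run_detection(flows):
    """Combine both detectors; a real NIDS would forward these to a SIEM."""
    return {"signature": signature_alerts(flows), "anomaly": anomaly_alerts(flows)}


# Constructed sample traffic: a normal HTTPS client, a scanner walking
# seven ports on one host in three seconds, and one flow carrying a beacon.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.5", "10.0.0.20", 443, b"\x16\x03\x01"),
    Flow(1.0, "10.0.0.5", "10.0.0.20", 443, b"\x16\x03\x01"),
    *[Flow(2.0 + i * 0.5, "10.0.0.99", "10.0.0.20", p, b"")
      for i, p in enumerate([21, 22, 23, 25, 80, 443, 8080])],
    Flow(7.0, "10.0.0.7", "10.0.0.20", 80, b"GET /x CONSTRUCTED_BEACON_v1"),
]

if __name__ == "__main__":
    for kind, items in run_detection(SAMPLE_FLOWS).items():
        for alert in items:
            print(kind, alert)
```

The signature path only ever finds what has already been catalogued; the anomaly path raises the port-scan alert on the sixth distinct port with no prior knowledge of the tool involved, which is the property that matters during the window of vulnerability.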
To reduce the impact of an attack, more fundamental protection steps can be taken. For example, integral hardware security provides the means to keep secrets separate and safe.
Zero trust architecture
Another approach is zero trust architecture (ZTA). It assumes that there are no traditional network boundaries. Networks can be local, in the cloud, or a hybrid setup with resources anywhere as well as employees and others working in remote locations that need to access these networks.
ZTA is a hot topic because in 2021 an executive order from the U.S. government declared that the U.S. government was switching to a ZTA. Instead of a firewall, as previously used (the “perimeter model”), ZTA takes a different approach. With the perimeter model, the firewall is a protected perimeter that keeps the enemy out. As long as the bad actors remained on the outside, everything was fine and safe. The problem is that this does not really work: user devices and valuable services exist outside of the firewall.
Even if the security perimeter can be extended to include all resources, eventually a bad actor gets inside, and valuable content is at risk. This has occurred even on military networks that have an air gap to separate them from the outside world. Even with the best protection, a breach can occur because someone installs an infected thumb drive or an infected patch for software.
One example that shows the flaws of the perimeter model is the SolarWinds cyberattack in 2021. The attack delivered through SolarWinds’ software is one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector.
SolarWinds made software for high security government networks. It was installed on all the U.S. government computers, even the classified ones. Bad actors figured out how to infect development machines at SolarWinds and place malware in SolarWinds software so the next time a security software update occurred, the malware came inside the government’s firewall and easily spread through the network.
With ZTA, the perimeter approach is redefined. It is recognized that the bad guys will get inside the perimeter, or an insider is a bad guy, or an insider allows the infected software inside and it gets on the network somehow. With ZTA, nobody is simply trusted just because they are inside. To trust a computer or a user, they must be authenticated. The most fundamental principle of ZTA is to authenticate everything—every user and every device.
Ideally, multifactor authentication is performed, but this is not always possible. The bad guys are assumed to be inside, so secrets cannot be sent over the network without encrypting them. Every message transmitted on the network must be encrypted and authenticated.
The ZTA architecture can be highly effective against zero-day threats because it limits the damage that an attacker can do. No longer can an attacker simply breach the perimeter and run amok. Because no network is trusted and every device and user is authenticated, the attacker is constantly presented with hurdles that limit his or her ability to spread within the organization.
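The two ZTA rules stated above, authenticate every device and authenticate every message, can be made concrete in a small exchange. The following is an added example written for this article, not the author's code and not any product's protocol. It assumes each device holds a per-device secret shared with the service (in a real design provisioned into a TPM or secure element), that device authentication is a nonce challenge answered with an HMAC, and that every later message carries a sequence number plus an HMAC so tampering and replays are rejected even on a network assumed to be hostile. Payload encryption (an AEAD cipher such as AES-GCM) would be layered on top and is not shown.

```python
"""Authenticate every device and every message: a zero-trust style
exchange with constructed keys. Added illustration for this article,
not the author's code or any product's protocol. Encryption of the
payload is assumed to be layered on top and is not shown here."""
import hashlib
import hmac
import secrets
import struct


def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Service:
    """The resource owner: trusts nothing until it has been authenticated."""

    def __init__(self):
        self._keys = {}          # device_id -> shared secret (assumed provisioned in hardware)
        self._pending = {}       # device_id -> outstanding challenge nonce
        self._sessions = set()   # device_ids that passed authentication
        self._last_seq = {}      # device_id -> last accepted sequence number

    def enroll(self, device_id, key):
        self._keys[device_id] = key

    def challenge(self, device_id):
        """Issue a fresh nonce; unknown devices get nothing at all."""
        if device_id not in self._keys:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify_response(self, device_id, response):
        nonce = self._pending.pop(device_id, None)
        if nonce is None:
            return False
        expected = _mac(self._keys[device_id], b"auth", nonce)
        if not hmac.compare_digest(expected, response):
            return False
        self._sessions.add(device_id)
        self._last_seq[device_id] = 0
        return True

    def accept(self, device_id, seq, payload, tag):
        """Accept a message only from an authenticated device, only if the
        MAC verifies, and only if the sequence number moves forward."""
        if device_id not in self._sessions:
            return False
        expected = _mac(self._keys[device_id], b"msg", struct.pack(">Q", seq), payload)
        if not hmac.compare_digest(expected, tag):
            return False                      # tampered or forged
        if seq <= self._last_seq[device_id]:
            return False                      # replay of an old message
        self._last_seq[device_id] = seq
        return True


class Device:
    def __init__(self, device_id, key):
        self.device_id, self._key, self._seq = device_id, key, 0

    def answer(self, nonce):
        return _mac(self._key, b"auth", nonce)

    def send(self, payload):
        self._seq += 1
        tag = _mac(self._key, b"msg", struct.pack(">Q", self._seq), payload)
        return (self.device_id, self._seq, payload, tag)


def run_demo():
    """Walk through the cases a zero-trust service must get right."""
    svc = Service()
    good_key = secrets.token_bytes(32)
    svc.enroll("sensor-01", good_key)
    good = Device("sensor-01", good_key)
    rogue = Device("sensor-01", secrets.token_bytes(32))  # knows the id, not the key
    results = {}
    results["unknown_device_challenged"] = svc.challenge("sensor-99") is not None
    results["rogue_authenticated"] = svc.verify_response(
        "sensor-01", rogue.answer(svc.challenge("sensor-01")))
    results["unauth_message_accepted"] = svc.accept(*good.send(b"temp=21"))
    results["good_authenticated"] = svc.verify_response(
        "sensor-01", good.answer(svc.challenge("sensor-01")))
    msg = good.send(b"temp=21")
    results["fresh_message_accepted"] = svc.accept(*msg)
    results["replay_accepted"] = svc.accept(*msg)
    dev_id, seq, _payload, tag = good.send(b"temp=22")
    results["tampered_accepted"] = svc.accept(dev_id, seq, b"temp=99", tag)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

Being inside the network buys the rogue device nothing: it is refused at the challenge step, and messages sent before authentication, replayed, or altered in transit are all dropped, which is the hurdle-at-every-hop behaviour that contains an attacker who has already breached the perimeter.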
A false sense of security
One of the situations that happens all too frequently is security experts think they have been entirely successful and think the war is over just because the most recent battle has been won. In doing so, they forget that the next battle is imminent. A sure sign of this type of thinking occurs when no bad guys are ever detected inside the firewall or on the network. Bad guys do eventually get into every network. Lack of detection is more likely to be an indication that the existing detection techniques are inadequate.
For the most up-to-date detection, a variety of techniques are used such as honeypots and honeynets. In addition to looking for patterns or a signature on the network to indicate the presence of malware, a very attractive target—a honeypot or honeynet—can be installed on the network. This is a computer that presents itself as a valuable and vulnerable target if someone is scanning the computers on the network.
In reality, this computer is not used for anything except as a trap for attackers. When it is attacked, the honeypot sets off alarms within the network. Now the defender knows that the attacker is there and responds appropriately with additional information from the alarm that can provide additional defense. Referring again to the mosquito analogy, a honeypot is a computer version of a mosquito black light attracter and zapper.
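The trap described above is easy to build in miniature. The following is an added example written for this article, not the author's code or any honeypot product: a TCP listener on a port that no legitimate client should ever use, so that any connection at all is an alarm. It assumes loopback on an ephemeral port, a generic banner so a scanner sees a live service, and a list standing in for the monitoring system that would receive the alarm; the probe client at the bottom is a constructed stand-in for a scanner.

```python
"""A minimal TCP honeypot: any connection is an alarm. Added illustration
for this article, not the author's code or any honeypot product. The
banner, port choice and probe client are constructed assumptions."""
import socket
import threading
import time


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 service ready\r\n"):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)          # lets the serve loop notice stop()
        self.host, self.port = self._sock.getsockname()[:2]
        self.banner = banner
        self.alarms = []                    # stand-in for the SIEM / pager
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(self.banner)    # look like a live service
                    first = conn.recv(256)       # capture what the visitor tries
                except (socket.timeout, OSError):
                    first = b""
            alarm = {"time": time.time(), "src": addr[0], "src_port": addr[1],
                     "first_bytes": first[:64]}
            with self._lock:
                self.alarms.append(alarm)   # nobody legitimate is here: alert

    def wait_for_alarms(self, count, timeout=2.0):
        """Block until `count` alarms exist or the timeout passes."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.alarms) >= count:
                    return list(self.alarms)
            time.sleep(0.02)
        with self._lock:
            return list(self.alarms)


def probe(host, port, data):
    """Constructed stand-in for a scanner touching the trap service."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(data)
    return banner


def run_demo():
    hp = Honeypot()
    hp.start()
    try:
        quiet = list(hp.alarms)                     # nothing before the probe
        banner = probe(hp.host, hp.port, b"USER anonymous\r\n")
        alarms = hp.wait_for_alarms(1)
    finally:
        hp.stop()
    return {"quiet": quiet, "banner": banner, "alarms": alarms}


if __name__ == "__main__":
    for alarm in run_demo()["alarms"]:
        print("ALARM", alarm)
```

Because the listener has no legitimate users, every alarm it raises is a true positive, which is the property the next paragraph contrasts with signature-based alerts: the honeypot gives the defender the attacker's source address and first bytes with almost no false-positive noise, at the cost of someone having to watch it.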
The use of honeypots is a common approach, but it needs to be done more often and even by companies that are not necessarily that large but have proprietary/secret information they really want to protect. While network intrusion detection is quite common, the honeypot is not as common since it requires a staff of personnel to set up the honeypot and monitor the alarms. However, network intrusion detection systems also require monitors and without the proper monitoring, alarms can go off and no one detects them or the breach that caused them to go off. This can occur because false positives are common, so real positives tend to be ignored.
Managed security services
False positives are one of the reasons that enterprises enlist the help of managed security services. By paying a third party, security monitoring can be outsourced to experts whose fulltime job is detecting real threats. With the number of clients they have, the threats can be detected from many locations. Detection at one client can lead them to analyze similar occurrences at their other clients. This can be very effective for zero-day attacks.
For these types of attacks, it’s very helpful to have computer security experts handling network and computer security with a staff that can be there 24/7/365. For companies with recognized security concerns, a managed security provider could be the right solution. This can be accomplished through a large cloud network to store and transmit the most important data. Large cloud providers can invest significant capital and resources to provide the highest security with the latest techniques to their clients. It’s all part of the service.
Applying security techniques to embedded systems
All of the principles that have been discussed can be employed in embedded systems. This includes defense in depth, cyber resiliency and zero trust, using hardware security for the most critical secrets and security for the software running on that system. The hardware security can be provided by a trusted platform module (TPM), a secure element (SE), or a microcontroller (MCU) that includes a separate security core. To provide strong protection against zero-day threats in embedded systems, secrets should be kept in hardware. The key is to include security measures in each device and also outside the device.
A device can be a part of a larger system or network, perhaps a Wi-Fi network, that could be present in a smart home, a smart car, or other places. For smart homes, the recently introduced Matter standard builds in extra layers of security for defense in depth. Matter adds another layer of encryption and authentication on top of the network used in the home. Matter even includes and embodies a ZTA. Every device in the Matter fabric gets authenticated using strong cryptography to make sure it is trustworthy enough to join the fabric.
With the Matter standard, these security techniques are coming into the smart home. As time goes on, more techniques including network intrusion detection, automated response and honeynets will be used in the smart home and other places to counter bad guys who want to expand their cyberattacks to smart homes.
Future cars, with their increasing communication capabilities, will have even more need for protection from the ever-changing cybersecurity landscape. Figure 2 shows the implementation of different layers of security in the automobile.
Figure 2 Current and future vehicle architectures will increasingly require different layers of security. Source: Infineon
As a design example of hardware security, shown in Figure 3, the OPTIGA Trust M can easily and safely interface with a PSoC 6 MCU. The PSoC 6 microcontroller has a separate core that can be dedicated to security, and secrets can be kept in that core and restricted to it. They cannot be accessed even if the main processor is infected.
Figure 3 Connecting the host PSoC 6 microcontrollers to OPTIGA Trust M via a shielded I2C interface provides an additional layer of security. Source: Infineon
Next, OPTIGA Trust M protects sensitive security tokens on the device such as X.509 certificates and private keys. Design engineers can use these security tokens for certificate-based mutual authentication in Matter or to connect devices to Amazon Web Services (AWS) IoT Core.
While the threats discussed here are nothing new, it is hoped that awareness can provide new motivation to explore the latest techniques to protect enterprises, smart homes, smart cars, and more against security threats. Attacks like SolarWinds provide periodic wakeup calls to those who have come to accept a false sense of security in minimally protected networks and devices.
For embedded systems designers who are ready to implement improved security, controllers and development tools for embedded systems are available. In this manner, zero-day threats can be stopped before they spread, even in embedded systems.
Steve Hanna is a distinguished engineer at Infineon Technologies.