Zero-day attacks. If the term conjures up images of a sci-fi movie with doomsday scenarios, the associations are not entirely without relevance given their potentially destructive nature, particularly for financial services, healthcare, and government organizations that represent the most frequently targeted. According to the Ponemon Institute’s 2018 State of Endpoint Security Risk report, the average cost of cybercrime for an organization increased to $13 million in 2018, up from $1.4 million in 2017. Most alarmingly, 76 percent of successful cyberattacks on organization endpoints last year were the result of zero-day exploits.
A zero-day refers to both an unpatched software vulnerability previously unknown to the software vendor and the code attackers use to take advantage of said vulnerability. A zero-day exploit refers to code that attackers use to slip through the hole in the software and plant a virus, Trojan horse or other malware onto a computer or device. The term “zero-day” refers to the number of days that the software vendor has known about the hole.
The timeline of a zero-day exploit runs something like this.
Software is developed, but unknown to the developers it contains a security vulnerability. A bad actor then identifies the vulnerability and exploits it before the developer discovers it or has an opportunity to release an update or patch to fix it. Attackers release malware to exploit the software while the vulnerability is still open and unpatched. After hackers release the malware, infiltrated organizations or the public detect data or identity theft, or other nefarious activities, or the developer discovers the vulnerability and creates a patch.
Adobe products, including Flash and Reader, Internet Explorer, Mozilla Firefox, Java, Windows XP, and many other software products and browsers have been victimized by zero-day exploits over the years. Additionally, nearly one out of three malware attacks begin as zero-day exploits which cannot be detected by traditional antivirus programs.
The Advantages of a Preemptive Defense
Because it often takes days, weeks, months, and in some cases even years before a software developer learns of a vulnerability that led to a zero-day exploit, it’s critical that organizations take proactive and preemptive measures to protect themselves.
By using high-fidelity models of network devices that reflect known and potential vulnerabilities, cyber defense experts can use network simulation to devise defensive strategies against zero-day attacks. By definition, zero-day attacks target vulnerabilities which are unknown to the software architects and would be cyber defenders. This makes them particularly dangerous because they have free rein until a counter-measure is developed and deployed. Since network simulation can be used to model and study the effects of exploiting not only known vulnerabilities but also potential vulnerabilities, how potential future attacks can compromise the system can be studied and preemptive counter-measures developed to vanquish them.
Visualizations and data collection from these simulations can provide detailed insights to planners and cyber defense specialists. While the simulation is executing, real-time visualization and statistics display can be used to gain valuable insight into the network dynamics, including how malware spreads within the network. Post-simulation, statistical data collected during the simulation can be analyzed to help identify potential issues. These analyses can also be used to evaluate the effectiveness of counter-measures.
SCALABLE’s cyber simulation and training products, EXata and Network Defense Trainer (NDT), provide several tools for easily creating models of real networks, visualizing the network during simulation, and collecting detailed statistics for post-simulation analysis. EXata and NDT were designed to leverage parallel discrete event simulation and parallel computing technology to support high-fidelity, at-scale network simulations that also run faster than real-time. Therefore, network behavior under different operational conditions and cyberattacks can be studied in a reasonable time, making EXata and NDT particularly useful for assessing cyber resilience of both commercial and tactical networks.