Industry Trends

Lessons Learned from Zero Day Hunters

By Jonas Walker and Douglas Santos | April 30, 2021

FortiGuard Labs Perspectives

The cyber threat landscape can be highly unpredictable. Security teams today have been spread increasingly thin and often face multiple threats on multiple fronts. Ransomware, sophisticated malware, and phishing attacks are targeting vulnerabilities in the core network, home offices, IoT devices, cloud networks, DevOps environments, and the digital supply chain. But perhaps the most challenging threats that threat hunters face are zero day attacks. Because they exploit unknown vulnerabilities or use previously unknown methods, they can be very difficult to detect before it’s too late.

Fortunately, there are ways to identify these threats and stay ahead of cybercriminals. And who better to learn how to find and neutralize these attacks than professional zero day hunters? FortiGuard Labs' Jonas Walker and Douglas Santos share some perspective about how FortiGuard Labs proactively discovers zero day vulnerabilities, and what others can learn from their experience. 

Q: What is a zero day attack?

Jonas - The term ‘zero day’ comes from the world of pirated digital media, but in this case, it refers to how long a vendor has been aware of a particular vulnerability, which is zero days. Bad actors launch their attacks with no warning, using a vulnerability the vendor was unaware of, which means there are no patches, software updates, or even documentation available to help organizations defend against these exploits. 

Zero day attacks have traditionally been aimed at major enterprises and government agencies. They give attackers the largest possible payoff because once the vulnerability is reported, vendors release patches, defenses are raised, and the opportunity window begins to close. These criminals usually target hardware and connected devices, and in the case of spear-phishing, they specifically target the devices or accounts of executives because they usually have the most network privilege to access things like financial information and R&D resources. 

Q: How does FortiGuard Labs find zero day attacks?

Douglas - At FortiGuard Labs, we have developed a fuzzing framework to discover vulnerabilities. Fuzzing is a sophisticated technique used by professional threat researchers to discover vulnerabilities in hardware and software interfaces and applications. Researchers overload the software with data that is invalid or unexpected to monitor for events such as crashes, undocumented jumps to debug routines, failing code assertions, and potential memory leaks. 

However, this requires a lot of resources. So we’ve begun testing machine learning models to enable the process to become more efficient and effective. But it also requires specific expertise, because in addition to efficiency, fuzzing also requires that you are aware of the structure of the software being examined and the different kinds of data needed to effectively fuzz it. For example, to test a web browser we need to run different types of HTML files or JavaScript files to test the software. But if we are looking at a word processor, the type of files we inject during the fuzzing process would be different. And if a crash occurs, all we know is that something inside the application is wrong. Then the analysis begins. This is obviously a long process, as there are more vulnerabilities out there than there are people to run fuzzing applications, so automating this process is very important.

Jonas - Definitely. Another example is testing an application that expects some kind of input. So for example, a simple application that requires a username and password usually expects a password with a certain number of numbers or characters. But what if instead of 10 or 15 characters, you send 2 million characters? The goal is to find every way possible to give the application unexpected information so it will crash. Then, once the application crashes, you have to check to see if you are able to override certain registers or memory locations to discover a zero day vulnerability. Machine learning is very useful in this process because of its ability to understand and use different kinds of algorithms to identify vulnerabilities. 
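The fuzzing loop the two answers above describe, as an added example that is not FortiGuard Labs' framework or code: a constructed, deliberately fragile record parser stands in for the software under test, well-formed seed inputs are mutated (one byte changed, input truncated, input made far too long as in the "2 million characters" idea, or replaced with random bytes), and every crash or failed assertion is bucketed by exception type and message so that the analysis phase starts from unique findings rather than raw crashes.

```python
import random
from collections import Counter

# Constructed target standing in for the software under test: a tiny
# tag-length-value record parser with a planted defect (it trusts the
# declared length without checking that enough bytes remain).
def parse_records(data: bytes) -> list:
    fields, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        length = data[pos + 1]          # truncated input -> IndexError
        value = data[pos + 2:pos + 2 + length]
        assert len(value) == length, "declared length exceeds buffer"
        fields.append((tag, value))
        pos += 2 + length
    return fields

# Seed corpus of well-formed inputs (constructed); mutations turn them into
# the invalid or unexpected data the interview describes.
SEEDS = [b"\x01\x03abc\x02\x01x", b"\x10\x00\x11\x02ok"]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    kind = rng.choice(("flip", "truncate", "oversize", "random"))
    if kind == "flip":                    # overwrite one byte with any value
        i = rng.randrange(len(seed))
        return seed[:i] + bytes([rng.randrange(256)]) + seed[i + 1:]
    if kind == "truncate":                # cut the input short
        return seed[:rng.randrange(len(seed))]
    if kind == "oversize":                # far more input than expected, scaled down
        return seed + b"A" * 20_000
    return bytes(rng.getrandbits(8) for _ in range(rng.randrange(32)))

def fuzz(target, seeds=SEEDS, iterations=1000, rng_seed=0) -> Counter:
    """Run mutated inputs through target; bucket failures by type and message."""
    rng = random.Random(rng_seed)         # fixed seed keeps a run reproducible
    findings = Counter()
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            target(data)
        except Exception as exc:          # a crash or failed assertion is a finding
            findings[(type(exc).__name__, str(exc))] += 1
    return findings

if __name__ == "__main__":
    for (kind, msg), count in fuzz(parse_records).most_common():
        print(f"{count:5d}  {kind}: {msg or '(no message)'}")
```

Each bucket in the output is one distinct failure to hand to the analysis phase; a real campaign would swap in the application's actual input format and run under a debugger or sanitizer instead of catching Python exceptions.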

Q: What happens after a zero day attack is identified or exploited?

Jonas - At FortiGuard Labs, we immediately begin working with the companies and vendors once we’ve identified a zero day in their software. We then don’t report the vulnerability until they have been able to put appropriate security layers in place and patch the flaw before it’s exploited. Our lab also develops our own patching, which means that while we are waiting for a vendor to create a patch we go ahead and create signatures for our own security tools so our customers are pre-protected. We also share this information with our CTA (Cyber Threat Alliance) community. Hackers, on the other hand, have a financial incentive to sell their zero day discoveries on the dark market. 

Douglas - Sometimes it takes users a while to deploy a patch and update their systems. In the meantime, researchers like us, who work for security vendors, work to create signatures and implement protections in our security tools to identify attacks and protect customers against potential exploits that might target these zero day vulnerabilities.

Q: How do organizations protect themselves from zero days? 

Douglas - Companies need to commit to developing and enhancing a zero day plan—one that includes proactive and reactive measures. Just because the general security community is not aware of a particular zero day or a particular vulnerability doesn't mean that it doesn't exist. Having an effective patch management plan is also essential to the success of a response plan. Patches cannot prevent an attack targeting a new exploit if launched before a patch is applied. So any response plan must also include a timeline that deploys patches quicker and more securely. 

Jonas - Security strategies need to have an integrated approach of protection that includes both detection and prevention to ensure full coverage support. This means integrating traditional protection solutions with newer detection and response technologies through a common platform so all security solutions, regardless of where they are deployed, can be simultaneously updated with new threat intelligence.

Find out more about why FortiGuard Labs is an industry leader in zero day discoveries with over 900 vulnerabilities discovered to date.

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet NSE Training program, Security Academy program, and Veterans program.