Security buzzwords – zero day and APT

Information security / cybersecurity is all over the news these days with a serious hack / breach reported just about every week. News reporters and salesmen are happy to capitalise with catchy headlines and spreading of fear. On occasion, the truth gets lost while this is going on. Here are a few buzzwords / buzz-phrases that you may have come across, that may not mean what you think:

Zero day
A ‘zero-day vulnerability’ is a vulnerability that the maker of the product does not know about, but an attacker does. Once information about this vulnerability is known, the vendor has 0 days to fix it before it affects their customers. Plenty of vulnerabilities these days are discovered by ‘good guys’ – white-hat researchers – who report their findings to the producers of the software and give them a reasonable period (such as 90 days) before the information is made public. These vulnerabilities are not zero-days because the wider community (and malicious players in particular) typically learn about them only after the patch is released. A ‘zero-day exploit’ would be the use of such a vulnerability before the vendor learned of its existence.

Examples of misuse:
Vulnerability in LastPass misreported as zero-day by many reputable news sites: http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
Nonsensical title talking about a ‘patched zero-day’: https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/

APT / advanced persistent threat
An advanced persistent threat (APT) is a higher grade attacker than the usual. APT attacks tend to be targeted, stealthy, may involve a large number of steps, with multiple devices being infected and data being exfiltrated only in the later stages. Some of these will be so effective that they will remain undetected for years. On occasion, they can also reach computers that are not connected to a network. The level of sophistication is said to be such that only nation-states and big criminal organisations are said to have the expertise to carry out such attacks.

Some of the top names in security have ‘APT’ solutions. Do they work? They do detect some threats that traditional methods do not, but advanced persistent threats? No. Claims to detect APTs must be taken with some amount of caution. Malware testing company NSS labs came up with a few tests of increasing difficulty where none of the tested products detected the stealthy test. Their conclusion: “Novel anti-APT tools can be bypassed with moderate effort…” They were able to develop the test samples without having access to the APT solutions during test development and “resourceful attackers who may be able to buy these products will also be able to develop similar samples or even better ones.” Our takeaway from this: Make sure that the vendors claims are supported by evidence and seek unbiased sources when trying to find out more information.

Also check out this previous article: The horror of the security product presentation

Leave a Reply

Your email address will not be published. Required fields are marked *