The Security Value of Exploit Protection

February 4, 2021 | 2 minute read

An exploit attack occurs when a malicious actor takes advantage of a software vulnerability to penetrate and then damage or steal information from a computer system. One feature that Cybereason provides to protect users from exploit attacks is our Exploit Protection. The following is a quick rundown of some of the key terms for understanding exploit attacks.

VULNERABILITIES AND EXPLOITS

A software vulnerability is a flaw in a system or program that can leave that system or program open to attack. For example, in a drive-by download, a user clicks a link in an email and is redirected to a malicious website, which takes advantage of browser vulnerabilities to invisibly load malware onto the user’s computer.

The Common Vulnerabilities and Exposures (CVE) project includes a list of known vulnerabilities. Each vulnerability has an ID that indicates the year that the vulnerability was discovered. For example, the CVE-2016-0778 vulnerability was discovered in 2016.

A computer exploit refers to a piece of software code that takes advantage of that software vulnerability or of a different bug for malicious use. Some typical examples of software that is prone to vulnerabilities include operating systems, browsers, Microsoft Office, and third-party applications These types of software often become exposed to potential exploit attacks because they are so widely used.

EXPLOIT ATTACKS

An exploit attack is the actual use of a zero day exploit to penetrate, cause damage to or steal data from a system affected by a vulnerability. In general, attackers planning an exploit attack search for outdated systems that contain critical bugs or vulnerabilities, and then deploy targeted malware which exploits those vulnerabilities. 

Exploits typically use shellcode to infect endpoints or devices and to infiltrate an organization. Shellcode is a small malware payload that downloads additional malware from attacker-controlled networks. Exploit attacks may inflict various types of damage, such as malware infections, loss of personally identifiable information (PII), loss of business data, and more.

ZERO-DAY VULNERABILITIES AND EXPLOITS

When software vendors find vulnerabilities in their products, they quickly release patches for these vulnerabilities. Most exploits take advantage of known vulnerabilities, either before the software vendor releases a patch, or by attacking systems that remain unpatched. 

A zero-day (or 0-day) vulnerability is a software vulnerability that an attacker has found, but the vendor does not yet know about — and thus has no defenses against. The attack that takes advantage of this vulnerability is known as a zero-day exploit. In some zero-day exploits, malicious actors have exploited vulnerabilities for days or even months before the manufacturer becomes aware of the problem.

Some advanced cybercriminal groups use zero-day exploits strategically, targeting highly sensitive organizations such as medical, financial, or government organizations. This allows attackers both to infiltrate highly sensitive data and to limit the exposure of the vulnerability to choice organizations only, thereby increasing the lifespan of the attack and reducing the chance of the vulnerability being discovered.

THE CHALLENGES OF PROTECTING AGAINST EXPLOIT ATTACKS

Protecting against exploit attacks can be challenging for several reasons. First, while organizations typically put processes in place to routinely patch critical operating systems and applications, organizations who do not apply patches on time expose their system to attackers who prey on freshly discovered vulnerabilities. 

Second, even if an organization applies all of the available patches on time, zero-day exploits still pose a risk. 

Third, traditional antivirus and endpoint security solutions only identify malicious payloads that involve a file that has the .exe extension, and fall short when the payload is more advanced or if the payload is launched in earlier stages of the exploit attack.

HOW EXPLOIT PROTECTION WORKS

Attackers use many different techniques when planning an attack, for example, heap spraying, unauthorized code execution, buffer overflows, and so on. A dedicated endpoint protection platform can detect these behaviors and reduce the risk of utilizing exploits to infiltrate and corrupt the system.

Cybereason Exploit Protection uses various security mitigation techniques to prevent attackers from successfully exploiting software vulnerabilities. Although it is impossible to patch an unknown or zero-day vulnerability, Exploit Protection uses known attack patterns and techniques to block exploits before the exploit can be carried out, even when the exploit originates from a zero-day vulnerability.

Limor Wainstein
About the Author

Limor Wainstein

Limor Wainstein, Senior Technical Writer at Cybereason, has been working in the hi-tech industry as a technical writer and editor for over 13 years. She’s authored and edited highly technical software documentation and dev guides in the areas of computer/network security, middleware, mobile development and APIs.

All Posts by Limor Wainstein