Zero-Day - A Hacker’s Pleasure

Hackers were able to exploit a little known zero-day vulnerability within Sony’s network to gain access to a veritable mountain of data and help them disrupt a substantial amount of the studios network infrastructure.  The idea of Zero-Day attacks are nothing new to the cybersecurity community but the majority of the public and even Sony execs have had a difficult time wrapping their heads around it.  What is it?  What does it do?  How did they do it?  What can be done to prevent it? These questions were asked repeatedly in the weeks and months after the attack which occurred in late 2014.

Zero-Day attacks or vulnerabilities get their name from the fact that programmers, developers and code-writers have no time, literally zero days, to correct a program’s code before it can be exploited.  The existence of the vulnerability itself may have been caused by an oversight, an error, or even something as little as a mistyped line of code in the software.  Small a flaw as they may be, they are still chinks in the armor and can be exploited by a hacker with the eye to find them and the skills to take advantage of them.

When hackers find these vulnerabilities they act upon them, attacking them and either release malicious code into the network or extract data from it.  However, money speaks louder than code and if a hacker deems that they are better off selling the information then they can sell the existence of the vulnerability as well as its exploit on the black market.  That sounds like something out of a movie!  It does, on the Dark Web (the notorious digital black market) there are entire marketplaces dedicated to the rent, sale and re-sale of zero-day attacks. Scary stuff.

The Sony case is interesting because it seems to be as a result of a complex and highly targeted attack.  Yes, the vulnerability existed within Sony’s network but hackers had to get to it first.  It appears that the hackers employed a spear phishing attack by inserting malicious code into an email which was sent to an unsuspecting employee.  Once the attachment containing the malicious code was opened it quickly created an opening in Sony’s system in which the hackers were able to take advantage of the vulnerability.  The result, Sony suffered the worst corporate hack in history.

In an attempt to identify and patch these Zero-Day vulnerabilities, developers, programmers, companies and cybersecurity firms employ “Red Teams”.  These are freelance hackers paid to attack and seek out vulnerabilities within their clients’ systems.  This sole practice has prevented many hack and security attacks, but no human created system is perfect and one or two elements will tend to get overlooked from time to time.  It is at those times that you hope these hackers don’t sniff out the weakness in your companies code.

So what can be done to combat these zero-day attacks? Well, not a great deal as coders are human beings that do make mistakes! However if you are writing code of any kind, as the old saying goes, measure thrice, check twice, cut once. Check, check, check again and then implement it. And make sure you test your code before the application or software you’re writing goes from development to production stages. If you can afford a security audit of your code and application, as well as an external vulnerability check from a strong security professional (or indeed a Red Team), that is a very wise precaution.