This specification relates to the field of computer security, and more particularly to a computer security vulnerability remediation system.
One species of computer attack is the “advanced persistent threat” (APT), in which a malicious actor systematically and persistently attacks a particular computer system or network. An APT attack may begin when the malicious actor discovers a vulnerability and prepares malicious code to exploit it (such code is sometimes called an “exploit”). The exploit may carry a malicious payload designed to harm the target computer or expose its data. In other words, the exploit takes advantage of the vulnerability to gain access to the vulnerable machine for the malicious actor, and the payload then executes on that machine to produce the desired effect.
A prior art method of security remediation matches suspect code against signatures of known exploits. A network protected only by such methods may, however, still be susceptible to exploits of “zero-day” vulnerabilities, for which no signature yet exists.
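The following is an added illustration, not code from the specification, of the prior-art approach just described and of its limitation. It keeps a small signature database (a file hash and a byte pattern) for one constructed “known exploit” and scans three constructed samples: the known exploit itself, a trivially mutated variant of it, and an unrelated exploit for a vulnerability the database has never seen. All byte strings and names are made up for the example.

```python
"""Signature-based detection: a hash store plus byte patterns, and why it
misses anything it has not seen before.

Added example; the samples, signature names and patterns are constructed
for illustration and do not describe any real exploit."""
import hashlib
import re

# Constructed "known exploit" sample: an HTTP request abusing a hypothetical
# CGI script. Analysts who captured it wrote two signatures for it.
KNOWN_EXPLOIT = b"GET /cgi-bin/vuln.cgi?cmd=%3Bcat%20/etc/passwd HTTP/1.0\r\n"

SIGNATURES = {
    # Exact-match signature: SHA-256 of the captured sample.
    "sha256": {
        hashlib.sha256(KNOWN_EXPLOIT).hexdigest(): "exploit-A (hash)",
    },
    # Pattern signature: the distinctive fragment of the captured sample.
    "patterns": [
        (re.compile(rb"vuln\.cgi\?cmd=%3B"), "exploit-A (pattern)"),
    ],
}

# Constructed variant of the same exploit: only the hex escape case differs
# (%3b instead of %3B), which the target server decodes identically.
VARIANT = KNOWN_EXPLOIT.replace(b"%3B", b"%3b")

# Constructed "zero-day": an exploit for a different, unseen vulnerability.
ZERO_DAY = b"GET /cgi-bin/other.cgi?file=../../etc/shadow HTTP/1.0\r\n"


def scan(sample: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the names of every signature the sample matches.

    An empty list means the scanner considers the sample clean; it says
    nothing about whether the sample is actually malicious."""
    hits = []
    digest = hashlib.sha256(sample).hexdigest()
    if digest in signatures["sha256"]:
        hits.append(signatures["sha256"][digest])
    for pattern, name in signatures["patterns"]:
        if pattern.search(sample):
            hits.append(name)
    return hits


def detection_report(samples: dict) -> dict:
    """Map each sample label to the signatures it triggered."""
    return {label: scan(data) for label, data in samples.items()}


if __name__ == "__main__":
    report = detection_report({
        "known exploit": KNOWN_EXPLOIT,
        "mutated variant": VARIANT,
        "zero-day exploit": ZERO_DAY,
    })
    for label, hits in report.items():
        verdict = ", ".join(hits) if hits else "no signature matched"
        print(f"{label:18s} -> {verdict}")
```

Only the exact sample the analysts captured is flagged. The one-character mutation defeats both the hash and the case-sensitive pattern, and the unseen exploit produces no match at all: a signature can only ever describe something that has already been observed, which is precisely what a zero-day exploit has not been.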
The term “zero-day” as used in this specification refers to the time elapsed since a vulnerability became publicly known. Day D−N refers to the date on which a malicious actor identifies the vulnerability. Day D0, or “zero day,” is the day on which an exploit for it is first released into the wild; D0 is generally also the first day on which the vendor becomes aware of the vulnerability in its code and can begin working on a patch. The vendor then develops and tests the patch and releases it on day DN. The period between D−N and DN is the malicious actor's “window of opportunity,” during which the vulnerability can be exploited and no fix exists. The period between D0 and DN is the portion of that window during which the exploit is known to be in the wild but no patch is yet available, so vulnerable machines remain at risk even when their owners are aware of the threat. Machines that are not patched promptly after DN remain exposed beyond it.
In the worst cases, the gap between D−N and DN can be years, and because D−N is known only to the malicious actor, a defender cannot tell how long such a window has already been open. For example, a vulnerability discovered in Microsoft Internet Explorer in 2008 had existed in all versions of the browser since at least 2001, so the vulnerable code had been deployed for roughly seven years before the vendor could begin work on a patch.