0-DAY THREAT PROTECTION

A zero-day threat is a computer threat based on an unknown vulnerability. Zero-day threats are particularly pernicious for two reasons:

  • The standard method of threat protection, vulnerability signatures, is not available.
  • Cyber criminals are willing to pay a lot of money for 0-day vulnerabilities.

Given the increase in 0-day threats, another form of malware detection is needed. Enter heuristics. Heuristic algorithms attempt to detect anomalous behavior without using signatures. The problem is that the more aggressive the heuristic algorithm, the more false positives it generates. If a security product generates too many false positives, it stops being used: security operations staff quickly tire of the wasted effort these wild goose chases produce.

Therefore, as bad as 0-day threats are, heuristic algorithms by themselves cannot succeed. If an algorithm can successfully detect 95 out of 100 0-day threats but also generates 200 false positive alerts, by itself it will be considered a failure.

What to do?

The answer is to combine aggressive heuristics with a second stage of analysis in which the code that triggered the alert is actually executed, to determine whether it is really malicious. With the development of virtualization and sandboxing technology, this is now practical.
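The two-stage pipeline described above, as an added illustration that is not part of the original page and not FireEye's code: stage 1 is a deliberately aggressive, signature-free static heuristic; stage 2 only fires an alert when sandbox detonation shows two independent malicious behaviours. The samples, their static features and their observed behaviours are all constructed for the example, and the scoring weights and behaviour list are assumptions. The comparison also shows the caveat a practitioner should keep in mind: the sandbox can only confirm what the heuristic forwards to it, so a sample that evades stage 1 (the constructed `stealth.exe`) is missed regardless of how good the sandbox is.

```python
"""Two-stage 0-day detection: aggressive heuristics gated by sandbox confirmation.

Added illustration; the sample records below are constructed, not real telemetry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    entropy: float        # Shannon entropy of the file body, 0.0 .. 8.0 (static)
    packed: bool          # a packer/crypter stub was detected (static)
    risky_imports: int    # count of commonly abused imports (static)
    behaviors: frozenset  # what the sandbox observed on detonation (constructed)
    is_malicious: bool    # ground truth, used only to score the pipeline


# Behaviours that, seen together, are strong evidence of malice (assumed list).
CONFIRMING_BEHAVIORS = frozenset(
    {"persistence", "process_injection", "c2_beacon", "ransom_encrypt"}
)


def heuristic_score(s: Sample) -> int:
    """Stage 1: signature-free static heuristic. Higher means more suspicious."""
    score = 0
    if s.entropy > 7.0:          # high entropy: compressed or encrypted payload
        score += 2
    if s.packed:
        score += 2
    score += min(s.risky_imports, 3)
    return score


def sandbox_confirms(s: Sample) -> bool:
    """Stage 2: require two independent malicious behaviours from the sandbox run."""
    return len(s.behaviors & CONFIRMING_BEHAVIORS) >= 2


def evaluate(samples, threshold: int, use_sandbox: bool) -> dict:
    """Count true positives, false positives and false negatives for one configuration."""
    tp = fp = fn = 0
    for s in samples:
        flagged = heuristic_score(s) >= threshold
        alert = flagged and (sandbox_confirms(s) if use_sandbox else True)
        if alert and s.is_malicious:
            tp += 1
        elif alert:
            fp += 1
        elif s.is_malicious:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}


# Constructed corpus: four benign programs (two of them packed, so they look
# suspicious statically) and four malicious ones, one of which is statically bland.
SAMPLES = [
    Sample("installer.exe", 7.4, True, 2, frozenset({"registry_write", "file_write"}), False),
    Sample("game_patch.exe", 7.6, True, 1, frozenset({"file_write"}), False),
    Sample("backup_tool.exe", 6.2, False, 3, frozenset({"file_write", "dns_lookup"}), False),
    Sample("notepad_clone.exe", 5.1, False, 0, frozenset({"file_write"}), False),
    Sample("invoice_dropper.exe", 7.8, True, 3,
           frozenset({"persistence", "c2_beacon", "process_injection"}), True),
    Sample("loader.dll", 6.9, False, 2, frozenset({"process_injection", "c2_beacon"}), True),
    Sample("crypter.exe", 7.9, True, 1, frozenset({"ransom_encrypt", "persistence"}), True),
    Sample("stealth.exe", 5.5, False, 1, frozenset({"c2_beacon", "persistence"}), True),
]


def compare(samples=SAMPLES) -> dict:
    """Aggressive heuristic alone vs. aggressive + sandbox vs. conservative heuristic alone."""
    return {
        "aggressive_only": evaluate(samples, threshold=2, use_sandbox=False),
        "aggressive_plus_sandbox": evaluate(samples, threshold=2, use_sandbox=True),
        "conservative_only": evaluate(samples, threshold=5, use_sandbox=False),
    }


if __name__ == "__main__":
    for config, r in compare().items():
        print(f"{config:24s} tp={r['tp']} fp={r['fp']} fn={r['fn']}")
```

On the constructed corpus the aggressive heuristic alone catches three of four malicious samples but raises three false positives (the packed installer and patcher, plus a benign tool with several risky imports); adding the sandbox stage keeps the same three true positives and drops the false positives to zero. Raising the heuristic threshold instead (the "conservative" row) trades away a true positive to reduce false positives, which is exactly the trade-off the text says cannot be resolved by tuning the heuristic alone.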

So a successful 0-day threat protection solution must combine aggressive heuristics with virtual machine sandboxes to actually test questionable code. FireEye is such a solution.