Security researchers use “zero-day” to describe exploits, vulnerabilities, and attacks that leverage unknown security weaknesses. The name indicates that the cybersecurity industry has had “zero days” to prepare for the threat scenario in question.
The situation is different when dealing with a known threat. Security teams can rely on the collected experience of a worldwide network of researchers and vendors when responding to known threats. They may already know how the threat works, what it targets, and how to remediate it effectively.
In a zero-day threat scenario, none of this is true. Your team must respond to a completely new and unknown threat, without any outside context or history to rely on.
The Difference Between Zero-Day Exploits, Vulnerabilities, and Attacks
The cybersecurity industry differentiates between zero-day exploits, vulnerabilities, and attacks. Each of these terms has a distinct meaning:
- Zero-day exploits are unknown techniques threat actors use to compromise targeted systems. When threat actors compromise a system using a new, unknown method, it is a zero-day exploit.
- Zero-day vulnerabilities are flaws and security weaknesses that the global cybersecurity community has no awareness of. Threat actors may discover these vulnerabilities before security researchers do.
- Zero-day attacks occur when threat actors identify a zero-day vulnerability and leverage an exploit against it. There is no time for the target to prepare for this kind of attack in advance.
Understanding the Zero-Day Lifecycle
Zero-day vulnerabilities can exist undetected in any application or IT asset. The vendors responsible for releasing these assets as products are not aware of these vulnerabilities, and neither are their customers.
That means these vulnerabilities can remain undetected for days, months, or even years. At some point, someone will discover the security flaw. What happens next depends on who that person is:
- If security researchers find the flaw first, they can either warn the public or keep it a secret while working on a fix. Warning the public can help drive awareness, but may broadcast the vulnerability to cybercriminals who didn’t know about it before. However, keeping it a secret may enable hackers who already know about the flaw.
- If cybercriminals find the flaw first, they are likely to leverage it in a cyberattack. This may not happen immediately. Hackers may share this information between themselves or wait for a high-value opportunity to use it.
Merely announcing a zero-day vulnerability does not always mean an exploit for that vulnerability is ready. According to one report, it can take hackers up to two weeks to develop exploits for newly disclosed vulnerabilities.
However, many IT leaders neglect to patch these vulnerabilities within that window. This is an important and entirely preventable source of risk. Patching zero-day vulnerabilities as soon as they are discovered is vital to ensuring predictable security performance in the long term.
Examples of Zero-Day Attacks
- Stuxnet. Stuxnet is one of the most famous zero-day attacks in history. It disabled nuclear facilities in Iran in 2010, while also spreading across the world at an extraordinary pace. Researchers believe the US and Israeli governments worked together to develop Stuxnet, but this theory has never been confirmed.
- Kaseya. The REvil cybercrime group conducted a zero-day attack against Kaseya’s virtual system administrator (VSA) software in July 2021. This impacted 60 Kaseya customers and ultimately affected 1500 downstream partners and customers.
- SonicWall VPN. In February 2021, threat actors compromised SonicWall’s secure mobile access (SMA) devices. The company took two months to patch the vulnerability, leaving sensitive data exposed during that time.
- Log4Shell. This headline-making zero-day vulnerability enabled hackers to remotely control devices running Java apps. Since the Java library in question is included in many popular applications, hundreds of millions of devices were at risk. This vulnerability was present since 2013 and was only discovered eight years later, in 2021.
- Google Chrome. Threat actors exploited an unknown remote code execution vulnerability in Google Chrome in early 2022. This attack sent victims to spoofed websites that would install remote access malware on their devices.
All of these zero-day threats are unique—they leverage different vulnerabilities to achieve different goals. This is part of what makes zero-day attacks so dangerous and difficult to predict. However, you can improve your resilience to zero-day threats.
How To Identify Zero-Day Vulnerabilities Early On
Identifying zero-day vulnerabilities before hackers do requires visibility and control over your security posture. Most vulnerability scanners simply look for known vulnerabilities, but in-depth assessments and penetration testing can help bring zero-day vulnerabilities to the surface.
At the same time, security leaders who invest in comprehensive patch management are well-protected against new zero-day threats. Continuous monitoring gives security teams the ability to view their network the way hackers do and find zero-day vulnerabilities early in the attack cycle.
Investing in high-quality curated threat intelligence feeds can provide insight into new zero-day vulnerabilities as they are discovered. These feeds may also provide valuable context about new threats, such as exactly which components of your tech stack are vulnerable.
How To Detect Zero-Day Exploits in Real-Time
Traditional detection solutions are not well-equipped to detect zero-day threats. Security Information and Event Management (SIEM) platforms that use static rulesets to trigger alerts will miss zero-day threats, since they don’t know what to look for.
Equipping your SIEM with User and Entity Behavior Analytics (UEBA) provides new capabilities. You can now use dynamic custom rulesets that detect unusual behavior and trigger alerts on unknown threats. Extended Detection and Response (XDR) platforms can complement UEBA-enhanced SIEM performance as well.
Working together, these tools may notice indicators of zero-day activity in endpoint devices, network traffic patterns, or other parts of your environment. Once this activity is detected, you’ll still need to conduct an investigation and determine whether the activity represents a zero-day threat or a false positive.
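As an added example that is not part of the original article, the following Python sketch contrasts a static signature rule with a behavioral baseline over constructed endpoint process-launch events; the users, hosts, process names and the single known-bad signature are all assumptions made for illustration.

```python
"""Toy comparison of signature-based versus behavior-based detection.
Every event, user, host and process name below is constructed for illustration."""
from collections import defaultdict

# Constructed history of normal process launches: (user, host, parent, child),
# repeated to stand in for weeks of routine activity.
BASELINE_EVENTS = [
    ("alice", "ws-01", "explorer.exe", "outlook.exe"),
    ("alice", "ws-01", "explorer.exe", "winword.exe"),
    ("alice", "ws-01", "outlook.exe", "winword.exe"),
    ("bob", "ws-02", "explorer.exe", "chrome.exe"),
    ("bob", "ws-02", "explorer.exe", "excel.exe"),
] * 20

# Constructed new events; the last one models an unknown exploit chain in which
# a document editor spawns a shell, a parent->child pair never seen in the baseline.
NEW_EVENTS = [
    ("alice", "ws-01", "explorer.exe", "outlook.exe"),
    ("bob", "ws-02", "explorer.exe", "chrome.exe"),
    ("alice", "ws-01", "winword.exe", "powershell.exe"),
]

# A static ruleset only carries indicators published after a threat became known;
# this hypothetical signature list cannot match the novel chain above.
KNOWN_BAD_CHILDREN = {"known_malware.exe"}


def static_rule_alerts(events):
    """Signature-style detection: flags only events matching a known indicator."""
    return [e for e in events if e[3] in KNOWN_BAD_CHILDREN]


def build_baseline(events):
    """Per (user, host), count how often each parent->child pair was observed."""
    profile = defaultdict(lambda: defaultdict(int))
    for user, host, parent, child in events:
        profile[(user, host)][(parent, child)] += 1
    return profile


def behavioral_alerts(events, profile, min_seen=3):
    """Behavior-style detection: flags pairs this actor has rarely or never
    produced before, with no dependency on a published signature."""
    alerts = []
    for user, host, parent, child in events:
        seen = profile[(user, host)].get((parent, child), 0)
        if seen < min_seen:
            alerts.append((user, host, parent, child, seen))
    return alerts


if __name__ == "__main__":
    print("static:", static_rule_alerts(NEW_EVENTS))
    print("behavioral:", behavioral_alerts(NEW_EVENTS, build_baseline(BASELINE_EVENTS)))
```

The behavioral alert is a lead for investigation, not a verdict: as the section notes, an analyst still has to decide whether the unusual chain is a zero-day or a benign first-time action.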
How To Conduct Incident Response Against Zero-Day Attacks
Your incident response framework should include workflows for responding to unknown threats. This will be a more complex and time-consuming process than launching incident response actions against known threats, but you can make it more efficient.
Entrusting incident response to a managed detection and response (MDR) vendor that can provide scalable security operations expertise can dramatically improve the outcome of zero-day scenarios. Instead of diverting in-house security talent to handling zero-day crises, your MDR vendor can bring in the resources necessary to address the incident as it occurs.
Experienced MDR vendors can also help your organization prepare itself for zero-day attacks. Conduct proactive threat hunting and invest in sophisticated behavioral analytics so your security team has the upper hand when addressing potential zero-day threats.