A zero-day vulnerability is a term given to a security flaw never previously seen in the wild. Usually, an attacker will probe a system until they discover a vulnerability. If it’s never been reported, it’s a “zero-day” because developers have had zero days to fix it. Taking advantage of the security flaw is a zero-day exploit, which often leads to a compromise of the target system. Zero-day vulnerabilities can be available for years before they’re reported. Attackers who find them will often sell their exploits on darknet markets.
How a Zero-Day Exploit Works
The type of exploit used to take advantage of a zero-day vulnerability depends on the flaw found. Several exploits could be used to take advantage of just one zero-day. For instance, a man-in-the-middle attack could be used to intercept data and perform an additional cross-site scripting (XSS) attack.
The workflow for a zero-day starts when an attacker finds the vulnerability. The vulnerability could be on hardware, firmware, software, or any other corporate system. The following steps provide a general workflow for a zero-day:
- Developers deploy an application or an update to an application that contains an unknown vulnerability.
- An attacker scans the software and finds a vulnerability, or an attacker finds a flaw in the source code after downloading it from the repository.
- An attacker uses tools and resources to exploit the vulnerability. This could be custom-code software the attacker writes or tools already in the wild.
- The vulnerability could be exploited for years before it’s noticed, but eventually, researchers, the public, or IT professionals identify attacker activity and report the vulnerability to developers.
The zero-day name references the amount of time the developers have to patch the vulnerability. At the time it’s discovered, developers have had zero days to patch it. Once a patch is deployed, the vulnerability is no longer considered a zero-day. Even though developers deploy a patch, the vulnerability can still stay active if administrators and users don’t install the update, and the system remains unpatched. Unpatched systems are the primary reason for critical data breaches. For instance, the Equifax data breach, where attackers exfiltrated hundreds of millions of records, was due to an unpatched public-facing web server.
How to Detect an Exploit
Developers don’t think like hackers, so it’s not uncommon for there to be at least one vulnerability in a large codebase. Attackers will scan software for weeks and review code searching for a mistake. Remote attackers use numerous tools to find vulnerabilities in cloud software, but organisations can take steps to detect suspicious behaviour and stop zero-day exploits.
Some strategies available to detect suspicious activity and prevent a zero-day exploit include:
- Statistics-based monitoring: Anti-malware vendors publish statistics on previously detected exploits. These data points can be fed into a machine learning system to help detect current attacks. This type of detection is limited in finding advanced current threats so that it could be subject to false positives and false negatives.
- Signature-based detection: Every exploit has a digital signature. Digital signatures can also be fed into artificial intelligence systems and machine learning algorithms to detect variants of previous attacks.
- Behaviour-based monitoring: Malware uses specific procedures to probe a system, and behaviour-based detection sends alerts when suspicious traffic and scanning is detected on the network. Instead of analysing signatures or in-memory activity, behaviour-based detection identifies malware based on its interaction with devices.
- Hybrid detection: A hybrid approach uses a combination of the above three methods. It can even use all three monitoring and detection methods to be more effective at finding malware.
Why are Zero-Day Exploits Dangerous?
Since zero-day exploits are unknown, potential vulnerabilities are usually left undiscovered. The payload could be remote code execution, ransomware, credential theft, denial-of-service (DoS), or numerous other possibilities. The insidious nature of zero-day vulnerabilities could compromise organisations for months before it’s detected and contained.
With an unknown vulnerability, the organisation could be the victim of an advanced persistent threat (APT). APTs are especially dangerous because these attackers leave backdoors and traverse the network using complex malware. It’s not uncommon for organisations to think that they have the threat contained, but an APT will stay present on the network until a full incident response and forensics investigation are completed.
Vulnerabilities don’t always start with misconfigurations or vulnerabilities on the corporate network. Businesses with a bring-your-own-device (BYOD) policy adds risk to the local network by allowing users to bring home devices to work. Should a user's device become compromised, it could lead to infection of the entire corporate network.
The longer a vulnerability stays hidden, the longer an attacker can exploit it. Unknown zero-day vulnerabilities could allow an attacker to potentially exfiltrate gigabytes of data. Usually, data is exfiltrated slowly to avoid detection, and it’s only after millions of records are lost before the organisation detects the compromise.
How to Avoid and Recover from a Zero-Day Vulnerability?
Organisations and individuals have several options available to help them avoid and recover from a successful zero-day attack. Both organisations and individuals need to be proactive about anti-malware defences. Defences should be a combination of strategies and standard cybersecurity techniques that stop attackers and send notifications of possible vulnerabilities.
A few cybersecurity defences that help stop zero-day exploits include:
- Antivirus applications: Whether it’s on a mobile device or a desktop, antivirus software should be installed. Advanced antivirus applications that incorporate artificial intelligence use malware patterns and behaviour to detect threats instead of signature files like traditional antivirus.
- Firewalls: A firewall stops port scans and access to different services on a desktop or on the network. They can be used to filter out unauthorised traffic and network access.
- Monitoring applications: Monitoring systems are unusual for individual home networks, but they are necessary for organisations. Monitoring software detects unusual traffic activity, file access requests (both successful and failures), database reads, changes in operating system configurations, and many other attacker actions.
- Regularly review system configurations: Misconfigurations lead to open vulnerabilities—review system configurations to ensure that they block attackers, including internal threat actors.
- Educate users on the dangers of phishing: Giving users the tools to detect and report phishing will significantly reduce the risk of successful phishing and social engineering attacks.
Should the organisation suffer from a successful compromise, incident response and investigations are the next steps. Reaction time counts after a breach to quickly contain and eradicate it from the environment. A full investigation may be needed to identify vulnerabilities and any backdoors left by the attacker. Digital forensics will help identify the attacker, which is critical during recovery, especially if the attacker was an insider.
Proofpoint Threat Response Solutions
Find out how Proofpoint Threat Response solutions enables security teams to respond to threats that are targeting people in their organisation.
Ransomware Survival Guide
Ransomware is an old threat that won’t go away. Download the Proofpoint 2022 Ransomware Survival Guide to learn what to do before, during, and after an attack.
Protect Your Enterprise with Targeted Attack Protection
Get ransomware protection and prevention from Proofpoint's Targeted Attack Prevention (TAP). Stop advanced threats and attacks before they reach your inbox.