Zero-Day Exploit Definition
A zero-day vulnerability is a security flaw that has never previously been seen in the wild. Usually, an attacker will probe a system until they discover a vulnerability. If it has never been reported, it is a “zero-day” because developers have had zero days to fix it. Taking advantage of the security flaw is a zero-day exploit, which often leads to a compromise of the target system. Zero-day vulnerabilities can exist for years before they are reported, and attackers who find them often sell their exploits on darknet markets.
How a Zero-Day Exploit Works
The type of exploit used to take advantage of a zero-day vulnerability depends on the flaw found. Several exploits could be used to take advantage of just one zero-day. For instance, a man-in-the-middle attack could be used to intercept data and perform an additional cross-site scripting (XSS) attack.
The workflow for a zero-day attack starts when an attacker finds the vulnerability. The vulnerability could be in hardware, firmware, software, or any other corporate system. The following steps describe the general workflow of a zero-day:
- Developers deploy an application or an update to an application that contains an unknown vulnerability.
- An attacker scans the software and finds a vulnerability, or finds a flaw in the source code after downloading it from the repository.
- The attacker uses tools and resources to exploit the vulnerability. This could be custom code the attacker writes or tools already in the wild.
- The vulnerability could be exploited for years before it’s noticed, but eventually, researchers, the public, or IT professionals identify attacker activity and report the vulnerability to developers.
The zero-day name refers to the amount of time the developers have had to patch the vulnerability: at the time it is discovered, they have had zero days. Once a patch is deployed, the vulnerability is no longer considered a zero-day. Even after developers release a patch, however, the vulnerability remains exploitable on any system where administrators and users have not installed the update. Unpatched systems are the primary cause of critical data breaches. For instance, the Equifax data breach, in which attackers exfiltrated hundreds of millions of records, was due to an unpatched public-facing web server.
- Statistics-based monitoring: Anti-malware vendors publish statistics on previously detected exploits. These data points can be fed into a machine learning system to help detect current attacks. This type of detection is limited when it comes to novel, advanced threats and is subject to both false positives and false negatives.
- Signature-based detection: Every known exploit has a signature. Signatures can also be fed into artificial intelligence systems and machine learning algorithms to detect variants of previous attacks.
- Behaviour-based monitoring: Malware uses specific procedures to probe a system, and behaviour-based detection raises alerts when suspicious traffic or scanning is detected on the network. Instead of analysing signatures or in-memory activity, behaviour-based detection identifies malware based on how it interacts with devices.
- Hybrid detection: A hybrid approach combines the three methods above and is more effective at finding malware than any one of them alone.
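To show why a hybrid approach matters for zero-days, here is an added example (not code from the original page) that runs a signature check and a behaviour check over a handful of constructed log lines: the signature table only knows a placeholder “exploit-A” hash, so it cannot see the unknown payloads, while the behaviour rule flags a source that touches many ports on one host within a short window. The log format, hosts, hashes and thresholds are all assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict

def _h(b):
    return hashlib.sha256(b).hexdigest()

# Constructed signature table standing in for vendor-published exploit hashes (not real IoCs).
KNOWN_SIGNATURES = {_h(b"placeholder-exploit-payload-A"): "exploit-A (placeholder)"}

# Constructed log lines, "<epoch> <src> -> <dst>:<port> sha256=<payload hash>".
# 10.0.0.5 touches five ports within seconds (probing); 10.0.0.9 sends a catalogued payload.
LOG_LINES = [
    f"100{i} 10.0.0.5 -> 10.0.0.20:{p} sha256={_h(str(p).encode())}"
    for i, p in enumerate([22, 80, 443, 8080, 3306])
] + [
    f"1050 10.0.0.9 -> 10.0.0.20:80 sha256={_h(b'placeholder-exploit-payload-A')}",
    f"1060 10.0.0.7 -> 10.0.0.20:443 sha256={_h(b'tls-hello')}",
]

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) sha256=([0-9a-f]{64})$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, dst, port, digest = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "sha256": digest}

def signature_alerts(events, signatures=KNOWN_SIGNATURES):
    # Signature-based: exact match against catalogued payloads. A true zero-day has no entry here.
    return [(e["src"], signatures[e["sha256"]]) for e in events if e["sha256"] in signatures]

def behaviour_alerts(events, window=30, min_ports=5):
    # Behaviour-based: flag a source hitting >= min_ports distinct ports on one host
    # within `window` seconds, a probing pattern that needs no prior signature.
    seen = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        seen[(e["src"], e["dst"])].append((e["ts"], e["port"]))
    alerts = []
    for (src, dst), hits in seen.items():
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append((src, f"port scan of {dst}: {len(ports)} ports in {window}s"))
                break
    return alerts

def hybrid_detect(lines):
    # Hybrid: union of both detectors, so the scan is caught even though its payloads are unknown.
    events = [parse(l) for l in lines]
    return sorted(set(signature_alerts(events)) | set(behaviour_alerts(events)))
```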
Why Are Zero-Day Exploits Dangerous?
Since zero-day exploits are unknown, the vulnerabilities they target usually remain undiscovered. The payload could be remote code execution, ransomware, credential theft, denial-of-service (DoS), or numerous other possibilities. Because of their insidious nature, zero-day vulnerabilities can leave organisations compromised for months before the intrusion is detected and contained.
With an unknown vulnerability, the organisation could be the victim of an advanced persistent threat (APT). APTs are especially dangerous because these attackers leave backdoors and traverse the network using complex malware. It’s not uncommon for organisations to think that they have the threat contained, but an APT will stay present on the network until a full incident response and forensics investigation are completed.
Vulnerabilities don’t always start with misconfigurations or flaws on the corporate network. Businesses with a bring-your-own-device (BYOD) policy add risk to the local network by allowing users to bring personal devices to work. Should a user’s device become compromised, it could lead to infection of the entire corporate network.
The longer a vulnerability stays hidden, the longer an attacker can exploit it. Unknown zero-day vulnerabilities could allow an attacker to exfiltrate gigabytes of data. Usually, data is exfiltrated slowly to avoid detection, and millions of records are often lost before the organisation detects the compromise.
Should the organisation suffer a successful compromise, incident response and investigation are the next steps. Reaction time counts after a breach: the faster the threat is contained and eradicated from the environment, the less damage it can do. A full investigation may be needed to identify the vulnerabilities used and any backdoors left by the attacker. Digital forensics helps identify the attacker, which is critical during recovery, especially if the attacker was an insider.