A zero-day vulnerability is a term given to a security flaw never previously seen in the wild. Usually, an attacker will probe a system until they discover a vulnerability. If it’s never been reported, it’s a “zero-day” because developers have had zero days to fix it. Taking advantage of the security flaw is a zero-day exploit, which often leads to a compromise of the target system. Zero-day vulnerabilities can be available for years before they’re reported. Attackers who find them will often sell their exploits on darknet markets.
How a Zero-Day Exploit Works
The type of exploit used to take advantage of a zero-day vulnerability depends on the flaw found. Several exploits could be used to take advantage of just one zero-day. For instance, a man-in-the-middle attack could be used to intercept data and perform an additional cross-site scripting (XSS) attack.
The workflow for a zero-day starts when an attacker finds the vulnerability. The vulnerability could be in hardware, firmware, software, or any other corporate system. The following steps provide a general workflow for a zero-day:
- Developers deploy an application or an update to an application that contains an unknown vulnerability.
- An attacker scans the software and finds a vulnerability, or an attacker finds a flaw in the source code after downloading it from the repository.
- An attacker uses tools and resources to exploit the vulnerability. This could be custom-code software the attacker writes or tools already in the wild.
- The vulnerability could be exploited for years before it’s noticed, but eventually, researchers, the public, or IT professionals identify attacker activity and report the vulnerability to developers.
The zero-day name references the amount of time the developers have to patch the vulnerability. At the time it’s discovered, developers have had zero days to patch it. Once a patch is deployed, the vulnerability is no longer considered a zero-day. Even though developers deploy a patch, the vulnerability can still stay active if administrators and users don’t install the update, and the system remains unpatched. Unpatched systems are the primary reason for critical data breaches. For instance, the Equifax data breach, where attackers exfiltrated hundreds of millions of records, was due to an unpatched public-facing web server.
- Statistics-based monitoring: Anti-malware vendors publish statistics on previously detected exploits. These data points can be fed into a machine learning system to help detect current attacks. This type of detection is limited in finding advanced current threats, so it can be subject to false positives and false negatives.
- Signature-based detection: Every exploit has a digital signature. Digital signatures can also be fed into artificial intelligence systems and machine learning algorithms to detect variants of previous attacks.
- Behavior-based monitoring: Malware uses specific procedures to probe a system, and behavior-based detection sends alerts when suspicious traffic and scanning are detected on the network. Instead of analyzing signatures or in-memory activity, behavior-based detection identifies malware based on its interaction with devices.
- Hybrid detection: A hybrid approach combines the above three methods. Using all three monitoring and detection methods together is more effective at finding malware than any one of them alone.
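As an added illustration (not code from the original page or from Proofpoint), the following Python shows a minimal hybrid detector: a signature check of observed payload hashes against a list of known-bad hashes, combined with a behavior heuristic that flags a source touching many distinct ports within a short window. The log lines, the hash list, the window and the port threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall connection-log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=10.0.0.5 dst=10.0.1.20 dport=22 proto=tcp
2024-03-01T10:00:02 src=10.0.0.5 dst=10.0.1.20 dport=80 proto=tcp
2024-03-01T10:00:02 src=10.0.0.5 dst=10.0.1.20 dport=443 proto=tcp
2024-03-01T10:00:03 src=10.0.0.5 dst=10.0.1.20 dport=445 proto=tcp
2024-03-01T10:00:03 src=10.0.0.5 dst=10.0.1.20 dport=3389 proto=tcp
2024-03-01T10:00:04 src=10.0.0.5 dst=10.0.1.20 dport=8080 proto=tcp
2024-03-01T10:00:05 src=10.0.0.7 dst=10.0.1.20 dport=443 proto=tcp
2024-03-01T10:05:00 src=10.0.0.7 dst=10.0.1.21 dport=443 proto=tcp
2024-03-01T10:06:00 src=10.0.0.9 dst=10.0.1.20 dport=443 proto=tcp sha256=deadbeef00
"""

# Hypothetical signature list: hashes of payloads already seen and catalogued.
KNOWN_BAD_HASHES = {"deadbeef00"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=\S+(?: sha256=(?P<sha>\S+))?"
)

def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["dport"] = int(d["dport"])
            yield d

def signature_alerts(events):
    """Signature-based check: sources whose payload hash is already known bad."""
    return [e["src"] for e in events if e["sha"] in KNOWN_BAD_HASHES]

def behavior_alerts(events, window_s=60, min_ports=5):
    """Behavior-based check: sources probing >= min_ports distinct ports in window_s."""
    hits_by_src = defaultdict(list)
    for e in events:
        hits_by_src[e["src"]].append((e["ts"], e["dport"]))
    flagged = []
    for src, hits in hits_by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window from each hit
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                flagged.append(src)
                break
    return flagged

def hybrid_alerts(log: str):
    """Combine both checks; a novel (unsigned) scanner is caught only by behavior."""
    events = list(parse(log))
    return {"signature": signature_alerts(events), "behavior": behavior_alerts(events)}
```

Note that 10.0.0.5 carries no known hash and is caught only by the behavior rule, which is the case that matters for a true zero-day.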
Why Are Zero-Day Exploits Dangerous?
Since zero-day exploits are unknown, potential vulnerabilities are usually left undiscovered. The payload could be remote code execution, ransomware, credential theft, denial-of-service (DoS), or numerous other possibilities. The insidious nature of zero-day vulnerabilities means they can compromise organizations for months before they’re detected and contained.
With an unknown vulnerability, the organization could be the victim of an advanced persistent threat (APT). APTs are especially dangerous because these attackers leave backdoors and traverse the network using complex malware. It’s not uncommon for organizations to think that they have the threat contained, but an APT will stay present on the network until a full incident response and forensics investigation are completed.
Vulnerabilities don’t always start with misconfigurations or vulnerabilities on the corporate network. Businesses with a bring-your-own-device (BYOD) policy add risk to the local network by allowing users to bring home devices to work. Should a user's device become compromised, it could lead to infection of the entire corporate network.
The longer a vulnerability stays hidden, the longer an attacker can exploit it. Unknown zero-day vulnerabilities could allow an attacker to potentially exfiltrate gigabytes of data. Usually, data is exfiltrated slowly to avoid detection, and often millions of records are lost before the organization detects the compromise.
Should the organization suffer from a successful compromise, incident response and investigations are the next steps. Reaction time counts after a breach to quickly contain and eradicate it from the environment. A full investigation may be needed to identify vulnerabilities and any backdoors left by the attacker. Digital forensics will help identify the attacker, which is critical during recovery, especially if the attacker was an insider.