What Is a Zero-Day Exploit?

A zero-day vulnerability is a term given to a security flaw never previously seen in the wild. Usually, an attacker will probe a system until they discover a vulnerability. If it’s never been reported, it’s a “zero-day” because developers have had zero days to fix it. Taking advantage of the security flaw is a zero-day exploit, which often leads to a compromise of the target system. Zero-day vulnerabilities can be available for years before they’re reported. Attackers who find them will often sell their exploits on darknet markets.

The type of exploit used to take advantage of a zero-day vulnerability depends on the flaw found. Several exploits could be used to take advantage of just one zero-day. For instance, a man-in-the-middle attack could be used to intercept data and perform an additional cross-site scripting (XSS) attack.

The workflow for a zero-day starts when an attacker finds the vulnerability. The vulnerability could be on hardware, firmware, software, or any other corporate system. The following steps provide a general workflow for a zero-day:

1. Developers deploy an application or an update to an application that contains an unknown vulnerability.
2. An attacker scans the software and finds a vulnerability, or an attacker finds a flaw in the source code after downloading it from the repository.
3. An attacker uses tools and resources to exploit the vulnerability. This could be custom-code software the attacker writes or tools already in the wild.
4. The vulnerability could be exploited for years before it’s noticed, but eventually, researchers, the public, or IT professionals identify attacker activity and report the vulnerability to developers.

The zero-day name references the amount of time the developers have to patch the vulnerability. At the time it’s discovered, developers have had zero days to patch it. Once a patch is deployed, the vulnerability is no longer considered a zero-day. Even though developers deploy a patch, the vulnerability can still stay active if administrators and users don’t install the update, and the system remains unpatched. Unpatched systems are the primary reason for critical data breaches. For instance, the Equifax data breach, where attackers exfiltrated hundreds of millions of records, was due to an unpatched public-facing web server.

Since zero-day exploits are unknown, potential vulnerabilities are usually left undiscovered. The payload could be remote code execution, ransomware, credential theft, denial-of-service (DoS), or numerous other possibilities. The insidious nature of zero-day vulnerabilities could compromise organizations for months before it’s detected and contained.

With an unknown vulnerability, the organization could be the victim of an advanced persistent threat (APT). APTs are especially dangerous because these attackers leave backdoors and traverse the network using complex malware. It’s not uncommon for organizations to think that they have the threat contained, but an APT will stay present on the network until a full incident response and forensics investigation are completed.

Vulnerabilities don’t always start with misconfigurations or vulnerabilities on the corporate network. Businesses with a bring-your-own-device (BYOD) policy adds risk to the local network by allowing users to bring home devices to work. Should a user's device become compromised, it could lead to infection of the entire corporate network.

The longer a vulnerability stays hidden, the longer an attacker can exploit it. Unknown zero-day vulnerabilities could allow an attacker to potentially exfiltrate gigabytes of data. Usually, data is exfiltrated slowly to avoid detection, and it’s only after millions of records are lost before the organization detects the compromise.

Organizations and individuals have several options available to help them avoid and recover from a successful zero-day attack. Both organizations and individuals need to be proactive about anti-malware defenses. Defenses should be a combination of strategies and standard cybersecurity techniques that stop attackers and send notifications of possible vulnerabilities.

A few cybersecurity defenses that help stop zero-day exploits include:

• Antivirus applications: Whether it’s on a mobile device or a desktop, antivirus software should be installed. Advanced antivirus applications that incorporate artificial intelligence use malware patterns and behavior to detect threats instead of signature files like traditional antivirus.
• Firewalls: A firewall stops port scans and access to different services on a desktop or on the network. They can be used to filter out unauthorized traffic and network access.
• Monitoring applications: Monitoring systems are unusual for individual home networks, but they are necessary for organizations. Monitoring software detects unusual traffic activity, file access requests (both successful and failures), database reads, changes in operating system configurations, and many other attacker actions.
• Regularly review system configurations: Misconfigurations lead to open vulnerabilities—review system configurations to ensure that they block attackers, including internal threat actors.
• Educate users on the dangers of phishing: Giving users the tools to detect and report phishing will significantly reduce the risk of successful phishing and social engineering attacks.

Should the organization suffer from a successful compromise, incident response and investigations are the next steps. Reaction time counts after a breach to quickly contain and eradicate it from the environment. A full investigation may be needed to identify vulnerabilities and any backdoors left by the attacker. Digital forensics will help identify the attacker, which is critical during recovery, especially if the attacker was an insider.