A zero-day vulnerability is a security flaw that is unknown to the software's vendor (and usually to the public), so no patch exists for it. Typically an attacker probes a system until they find such a flaw. Because nobody has reported it, it is a "zero-day": developers have had zero days to fix it. Code that takes advantage of the flaw is a zero-day exploit, and a successful one usually compromises the target system. A zero-day can exist, and be quietly used, for years before it is reported. Attackers who find one will often sell the exploit to other attackers on darknet markets rather than use it themselves.
How a Zero-Day Exploit Works
Which exploit works against a zero-day depends entirely on the flaw. Several exploits may target one vulnerability, and a single intrusion often chains more than one technique; for instance, an attacker might use a man-in-the-middle position to intercept traffic and then inject a cross-site scripting (XSS) payload into a response.
The workflow for a zero-day starts when an attacker finds the vulnerability, which may sit in hardware, firmware, software, or any other corporate system. A general workflow looks like this:
- Developers deploy an application or an update to an application that contains an unknown vulnerability.
- An attacker probes the running software and finds a vulnerability, or reviews the source code (downloaded from a public repository) and finds a flaw there.
- An attacker builds or obtains the means to exploit it: custom code written for this flaw, or tools already circulating in the wild.
- The vulnerability may be exploited for years before it is noticed; eventually researchers, the public, or IT staff spot attacker activity and report the vulnerability to the developers.
The name refers to the time developers have had to patch the flaw: at the moment it is discovered, zero days. Once the vendor publishes a patch the flaw is no longer a zero-day, but it does not stop being exploitable: if administrators and users don't install the update, the system stays vulnerable to what is now a known, public exploit. Unpatched systems are one of the leading causes of serious data breaches. The 2017 Equifax breach, in which attackers exfiltrated the records of roughly 147 million people, came through a public-facing web server running a version of Apache Struts for which a patch had been available for months.
How to Detect an Exploit
Even careful developers don't reason about their code the way an attacker does, so a large codebase almost always contains at least one exploitable bug. Attackers will spend weeks scanning a target and reading its code for a mistake, and they have a large toolkit for finding flaws in exposed and cloud-hosted software. Organizations cannot patch a flaw they don't know about, but they can detect the suspicious behaviour that exploitation produces and stop the attack there.
Some strategies available to detect suspicious activity and prevent a zero-day exploit include:
- Statistics-based monitoring: Anti-malware vendors publish statistics about previously detected exploits, and these data points can train a machine learning model to flag activity that resembles past attacks. Because the model only knows what it has seen, it is weak against genuinely new techniques and is prone to both false positives and false negatives.
- Signature-based detection: Each known exploit can be described by a signature: a hash, a byte sequence, or a pattern in traffic or files. Scanners match against a signature database, and the signatures can also feed machine learning models that recognise variants of previous attacks. The limit is built in: a signature exists only once an exploit has been captured and analysed, so this method cannot catch a true zero-day on its own, only its reuse.
- Behavior-based monitoring: Exploitation and malware follow recognisable patterns when they probe, spread through, and act on a system, and behaviour-based detection alerts on those actions: scanning, unusual traffic, unexpected process or file activity. Instead of matching the payload against known signatures, it judges code by how it interacts with devices, which is what makes it useful against an exploit nobody has seen before.
- Hybrid detection: A hybrid approach combines two or all three of the above methods, so that a signature miss can still be caught by behaviour, and is generally the most effective way to find malware.
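To make the difference between these strategies concrete, here is an added example (not code from the original article) that runs a signature detector, a behaviour detector and a hybrid verdict over a handful of constructed web-server access-log lines. The log lines, client addresses and the small signature list are made up for illustration; the one real pattern is the Shellshock trigger string (CVE-2014-6271), included because it is a well-known published signature. The client that probes many paths and then gets a 200 on a fresh one is what exploitation of an as-yet unknown flaw looks like in a log: nothing for a signature to match, but behaviour that stands out.

```python
"""Signature-, behaviour- and hybrid-style detection run over constructed web
server access-log lines.  Added example for this article; the log lines and the
signature list are made up for illustration and are not from any real incident."""
import re
from collections import defaultdict

# Constructed combined-format access-log lines (not real traffic). Three clients:
# a normal visitor, one sending a known (signature-matched) exploit string in its
# User-Agent, and one that probes many paths and then gets a 200 on one of them,
# which is the trace an exploit of an as-yet unknown flaw would leave.
_PROBED = ["/admin", "/.env", "/phpmyadmin", "/wp-login.php", "/backup.zip", "/config.php"]
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /about.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:10:02:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 120 "-" "() { :; }; /bin/bash -c id"',
] + [
    f'198.51.100.7 - - [12/Mar/2024:10:03:{i:02d} +0000] "GET {p} HTTP/1.1" 404 0 "-" "Mozilla/5.0"'
    for i, p in enumerate(_PROBED)
] + [
    '198.51.100.7 - - [12/Mar/2024:10:03:30 +0000] "POST /api/upload HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(lines):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


# Signature rules: regex patterns of exploits that are already public.
# By definition a true zero-day has no entry here yet.
SIGNATURES = {
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\};"),  # CVE-2014-6271 trigger string
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union(?:\s|%20|\+)+select", re.I),
}


def signature_hits(entries):
    """Return (ip, rule) for every request whose path or User-Agent matches a known pattern."""
    hits = []
    for e in entries:
        haystack = e["path"] + " " + e["ua"]
        for name, rx in SIGNATURES.items():
            if rx.search(haystack):
                hits.append((e["ip"], name))
    return hits


def behaviour_hits(entries, min_distinct_404=5):
    """Flag clients by what they do rather than what they send: many distinct
    404s looks like forced browsing / scanning, and a 2xx on a fresh path after
    such scanning is the pattern a successful probe (zero-day or not) leaves."""
    misses = defaultdict(set)
    later_success = defaultdict(set)
    for e in entries:
        if e["status"] == "404":
            misses[e["ip"]].add(e["path"])
        elif e["status"].startswith("2") and e["ip"] in misses:
            later_success[e["ip"]].add(e["path"])
    hits = []
    for ip in sorted(misses):
        if len(misses[ip]) >= min_distinct_404:
            hits.append((ip, "scanning"))
            if later_success[ip]:
                hits.append((ip, "scan-then-success"))
    return hits


def hybrid_verdict(entries):
    """Combine both detectors: a client seen by both is high confidence, a
    signature-only hit is a known exploit, and a behaviour-only hit is the case
    that matters for zero-days, because no signature exists for it yet."""
    sig = {ip for ip, _ in signature_hits(entries)}
    beh = {ip for ip, _ in behaviour_hits(entries)}
    verdict = {}
    for ip in sorted(sig | beh):
        if ip in sig and ip in beh:
            verdict[ip] = "high"
        elif ip in sig:
            verdict[ip] = "known-exploit"
        else:
            verdict[ip] = "suspicious-behaviour"
    return verdict


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(signature_hits(entries))
    print(behaviour_hits(entries))
    print(hybrid_verdict(entries))
```

Run it and the signature rule catches only the Shellshock client; the behaviour rule catches only the scanner, including the fact that one of its later requests succeeded. That second case is the one a signature database would miss entirely, which is why the hybrid verdict keeps both signals rather than treating the behaviour-only alert as noise.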
Why are Zero-Day Exploits Dangerous?
Because a zero-day is unknown to the vendor, there is no patch, no signature, and no advisory telling defenders what to look for. The payload delivered through it could be remote code execution, ransomware, credential theft, denial of service (DoS), or almost anything else. That is what makes zero-days insidious: an organization can be compromised for months before the intrusion is detected and contained.
With an unknown vulnerability, the organization could be the victim of an advanced persistent threat (APT). APTs are especially dangerous because these attackers leave backdoors and traverse the network using complex malware. It's not uncommon for an organization to believe it has contained the threat while the APT remains on the network; it stays there until a full incident response and forensics investigation is completed.
Compromise does not always start with a misconfiguration or a vulnerability on the corporate network itself. A bring-your-own-device (BYOD) policy adds risk by letting users connect personal devices to the local network; if one of those devices is compromised, it can become the foothold for infecting the entire corporate network.
The longer a vulnerability stays hidden, the longer an attacker can exploit it. An undiscovered zero-day can let an attacker exfiltrate gigabytes of data. Usually data is exfiltrated slowly to avoid detection, and it's often only after millions of records are gone that the organization notices the compromise.
How to Avoid and Recover from a Zero-Day Vulnerability?
Organizations and individuals have several options to help avoid, and recover from, a successful zero-day attack. Both need to be proactive about anti-malware defences, and those defences should combine several strategies with standard cybersecurity hygiene so that attacks are stopped and possible compromises are reported.
A few cybersecurity defenses that help stop zero-day exploits include:
- Antivirus applications: Whether on a mobile device or a desktop, antivirus software should be installed. Modern antivirus that incorporates machine learning uses malware patterns and behaviour to detect threats rather than relying only on signature files like traditional antivirus.
- Firewalls: A firewall limits which services on a desktop or network are reachable at all. By blocking unsolicited inbound connections it shrinks what a port scan can find and what an exploit can reach, and it filters out unauthorized traffic and network access.
- Monitoring applications: Monitoring systems are unusual on home networks, but they are necessary for organizations. Monitoring software detects unusual traffic, file access requests (both successful and failed), database reads, changes to operating system configuration, and many other attacker actions.
- Regularly review system configurations: Misconfigurations open holes an attacker does not need a zero-day to use. Review system configurations to ensure they block attackers, including internal threat actors.
- Educate users on the dangers of phishing: Giving users the tools to detect and report phishing will significantly reduce the risk of successful phishing and social engineering attacks.
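The monitoring item above mentions watching for configuration changes. One of the simplest checks of that kind, and one that needs no signature for the exploit involved, is a file-integrity baseline: hash every file in a sensitive directory, store the manifest off-host, and diff against it later. The following is an added example (not from the original article) that builds such a baseline over a temporary directory, simulates the changes an attacker typically makes after a successful exploit (a dropped web shell, a flipped config value, a deleted file), and reports the difference. The directory layout and file contents are constructed for the demonstration.

```python
"""Baseline-and-diff file integrity check: catches a dropped web shell or an
altered config file without knowing anything about the exploit that caused it.
Added example for this article, not from it; the files are constructed in a
temporary directory so the script runs offline."""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """Return added / removed / modified relative paths, each list sorted."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake web root, simulate post-exploitation
    changes, and re-check.  Returns the diff so callers can inspect it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        original = {
            "index.php": b"<?php echo 'hello';",
            "conf/app.ini": b"debug=0\n",
            "robots.txt": b"User-agent: *\n",
        }
        for rel, data in original.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        # In practice the manifest is serialised and kept off-host, so an attacker
        # who gains root cannot quietly rewrite it; the round trip stands in for that.
        stored = json.loads(json.dumps(baseline))

        # Simulated attacker actions (constructed): drop a web shell, enable debug
        # mode in the config, and remove a file.
        with open(os.path.join(root, "shell.php"), "wb") as f:
            f.write(b"<?php system($_GET['c']);")
        with open(os.path.join(root, "conf/app.ini"), "wb") as f:
            f.write(b"debug=1\n")
        os.remove(os.path.join(root, "robots.txt"))

        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is deliberately dumb: it knows nothing about PHP, web shells, or which exploit put the file there, which is exactly why it still works against a zero-day. What it cannot do is tell a legitimate deployment from an attacker's change, so in real use the baseline is refreshed as part of the deployment pipeline and any diff outside that window is treated as an alert.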
Should the organization suffer a successful compromise, incident response and investigation are the next steps. Reaction time matters after a breach: contain it quickly and eradicate the attacker from the environment. A full investigation is usually needed to identify the vulnerability that was used and any backdoors the attacker left behind. Digital forensics establishes how the attacker got in and what they touched, and may identify who they were, which is critical during recovery, especially if the attacker was an insider.