Zero-day threats can be the source of some of the most dangerous kinds of cyberattacks. Zero-day attacks take advantage of vulnerabilities that haven’t been discovered or are not publicly known yet. One of the things that makes these threats so dangerous is that they often come without warning, posing a huge risk to the companies or individuals at stake.
And even when discovered, zero-day vulnerabilities can take weeks to fix, leaving those who use the affected software at risk. And once a fix is available, the onus is on users to have a strong patch management program in place to apply the fix.
Zero-day vulnerabilities can range from simple bugs to new and undocumented risks in the software. Why do these vulnerabilities pose such a major security risk? The basic answer is because the risk is unknown to potential victims, and the attackers using zero day vulnerabilities are often sophisticated, sometimes operating with nation-state backing.
Hackers can write code to exploit such a vulnerability and access your most critical data, stealing it and taking control of your systems. Or they can package malware that can be directly installed on your machine or come through an email attachment disguised as something trustworthy, like a document or link from your boss. If opened, the contents may be capable of corrupting files and stealing sensitive information, sometimes leaving you with no other option but to pay a ransom to recover the data.
Some of the more noteworthy recent zero day attacks happened to SolarWinds and its customers, when vulnerabilities in the Orion IT management platform left them exposed for months, and a massive ransomware attack on Kaseya’s customers also happened via an unknown vulnerability.
What Are Zero Day Threats?
Zero day threats are based on previously unknown vulnerabilities that surface either because they’re discovered by hackers – in which case no one will know about them until they become zero day attacks or exploits – or are found by the company that owns the software or by “white hat” hackers or security researchers who notify the company before publicizing their findings, sometimes through bug bounty programs.
Zero day threats are so named because the developers have “zero days” from the time the vulnerability is first known to prepare a patch before an attack can potentially be carried out by hackers, and in many cases they’re trying to fix a vulnerability while an attack is underway. The effects of this type of attack can be devastating, as they can cause major damage to a system due to their nature, as well as the sophistication of the adversary carrying out the attack.
How Dangerous Are Zero Day Threats?
Zero day threats are a major problem for businesses today. They can cause serious risks, with the damage sometimes irreversible.
A good example is the infamous WannaCry ransomware attack in May 2017 that hit corporate networks running Microsoft Windows throughout the world as part of a larger global cyberattack. WannaCry affected thousands of systems quickly due to a security hole known as EternalBlue. Microsoft quickly issued a patch – but slow updates by users left the hole open for NotPetya, a huge cyber attack that disabled systems and made them inaccessible just two months later.
In July 2021, another wave of attacks hit SolarWinds. This time, some security flaws in its Serv-U Managed File Transfer and Serv-U Secure FTP tools were exploited against “a limited, targeted set of customers.” The attack was linked to Chinese hackers, after earlier attacks were linked to both Russian and Chinese threat actors, thus demonstrating the immense threat that zero day attacks represent.
How Are Zero Day Threats Discovered?
Zero day vulnerabilities are discovered in various ways: through attacks observed in the wild, through vulnerability scanning tools, by the vendor’s own developer or security teams, or by security researchers and bug bounty hunters who search for bugs in software.
Both “black hat” and “white hat” hackers often use common vulnerability scanning tools to find these security holes. These tools scan a network looking for potential vulnerabilities that can be exploited. Once vulnerabilities have been found, they need to be patched as soon as possible to keep the threat from spreading to other computers and devices on the network, as well as to other organizations.
Zero day threats are discovered by many people and organizations. The list below shows some other methods cybersecurity experts use to discover new zero day threats:
- Monitoring the news on social media and the internet, watching for sudden changes in cyber activities
- Tracking recent trends in malware code and technique updates
- Monitoring domain name registrars, looking for domains with similar characteristics or patterns that may be tied to a threat actor or group
- Monitoring infrastructure like Domain Name System (DNS) servers and web servers for malicious activity
- Applying predictive analysis and modeling to look for anomalies in traffic data
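The registrar-monitoring item above is easy to automate. The following is an added example (not code from the original article or from any vendor it names): it screens a batch of newly registered domains against a list of protected brand names, folding common homoglyphs (digit-for-letter, “rn” for “m”, Cyrillic look-alikes) before comparing, and then checks for the brand as a token, as a substring, or within a small edit distance. The brand names, the registration feed and the homoglyph table are all constructed for the example; the naive TLD stripping in `registrable_label` would be replaced by a public suffix list in a real tool.

```python
import re

# Constructed sample data (not from any real registrar feed): brands a defender
# wants to protect and a batch of newly registered domains to screen against them.
PROTECTED_BRANDS = ["examplebank", "solarwinds"]
NEW_REGISTRATIONS = [
    "examplebank-login.com",   # brand plus a lure word
    "exarnplebank.com",        # 'rn' imitates 'm'
    "examp1ebank.net",         # digit 1 imitates letter l
    "solarwnds.com",           # one character dropped
    "solarw\u0456nds.com",     # Cyrillic i (U+0456) imitates Latin i
    "weather-report.org",      # unrelated, should not be flagged
]

# Look-alike sequences mapped to the Latin letters they imitate. Multi-character
# entries are applied before single characters so 'rn' collapses to 'm' first.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i", "\u0440": "p",
}


def normalize_label(label: str) -> str:
    """Lower-case a domain label and fold common homoglyphs to plain ASCII letters."""
    s = label.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Naive on purpose: a real tool would use a public suffix list."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands=PROTECTED_BRANDS, max_distance: int = 2):
    """Return (brand, reason) when the domain appears to imitate a protected brand, else None."""
    label = registrable_label(domain)
    norm = normalize_label(label)
    tokens = [t for t in re.split(r"[-_]", norm) if t]
    for brand in brands:
        b = normalize_label(brand)
        if norm == b:
            return (brand, "exact-brand" if label == b else "homoglyph")
        if b in tokens:
            return (brand, "brand-as-token")
        if b in norm:
            return (brand, "brand-substring")
        d = levenshtein(norm, b)
        if d <= max_distance:
            return (brand, f"typosquat(distance={d})")
    return None


def scan_feed(feed=NEW_REGISTRATIONS, brands=PROTECTED_BRANDS):
    """Screen a batch of registrations; returns only the suspicious ones."""
    hits = []
    for domain in feed:
        verdict = classify(domain, brands)
        if verdict:
            hits.append((domain, *verdict))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in scan_feed():
        print(f"{domain:28} imitates {brand:12} [{reason}]")
```

Each hit carries the reason it was flagged, which is what an analyst needs to triage the queue: a homoglyph match is almost always deliberate, while a short edit distance can also be an innocent collision and deserves a look before any action is taken.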
Some code debugging and code security tools use machine learning, AI and predictive analytics to find vulnerabilities based on previous patterns.
Some firms hire security researchers and bug bounty hunters to find vulnerabilities in software and operating systems in exchange for cash rewards. Other useful strategies for discovering these attacks include scanning the internet for malware, monitoring the dark web, and monitoring security forums. The more these processes can be automated via AI and other tools, the better informed and prepared security teams will be.
How to Prevent Zero Day Attacks
Zero day threats and attacks can be quite difficult to detect and stop. With prevention being the best cure, there are cybersecurity approaches organizations can use to stop security threats before they happen.
Use endpoint security tools
Endpoint protection software such as EDR tools go way beyond traditional antivirus software to offer advanced features like incident response and vulnerability management.
Behavioral detection
More and more, security teams need to be using tools that offer behavioral detection and machine learning-based detection that can identify attacks based on patterns rather than traditional signatures. These may be the best way to stop zero day attacks, and many EDR tools offer behavioral detection (and so do some consumer antivirus tools these days).
A UEBA engine can detect malware that is still unknown to the signature database by scanning files and data flows with advanced algorithms that identify malicious traffic patterns. UEBA can also serve as an additional layer of protection for high-risk critical assets, such as IoT devices, by monitoring their network activity in real time and flagging any unusual behavior.
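To make the behavioral approach concrete, here is an added example (not code from the original article or from any EDR or UEBA vendor) of the kind of per-entity baseline such an engine builds. It also illustrates the “anomalies in traffic data” method listed earlier. The script learns, for each device, which destination/port pairs it normally talks to and how many bytes it normally sends, then scores new flows against that history: a never-seen peer or a byte count more than three standard deviations above the device’s own mean raises a finding, with no signature involved. The device names, addresses and flow records are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev


def constructed_flows():
    """Constructed sample flows, not real traffic: (hour, device, dst_ip, dst_port, bytes_out)."""
    baseline = []
    for h in range(24):                                   # one day of normal activity
        baseline.append((h, "cam-01", "10.0.0.5", 443, 2000 + (h % 5) * 50))
        baseline.append((h, "thermo-02", "10.0.0.5", 8883, 500 + (h % 3) * 20))
    detection = [
        (24, "cam-01", "10.0.0.5", 443, 2100),          # normal
        (25, "cam-01", "203.0.113.9", 22, 1800),        # never-seen destination and port
        (26, "cam-01", "10.0.0.5", 443, 9_000_000),     # volume far above the device's baseline
        (27, "thermo-02", "10.0.0.5", 8883, 520),       # normal
    ]
    return baseline, detection


class EntityBaseline:
    """Per-entity behavioral profile: known peers plus a byte-volume distribution."""

    def __init__(self):
        self.peers = defaultdict(set)      # device -> {(dst_ip, dst_port)}
        self.volumes = defaultdict(list)   # device -> [bytes_out per flow]

    def learn(self, flows):
        for _hour, device, dst, port, nbytes in flows:
            self.peers[device].add((dst, port))
            self.volumes[device].append(nbytes)

    def score(self, flow, z_threshold=3.0):
        """Return a list of (hour, device, reason) findings for one flow; empty if normal."""
        hour, device, dst, port, nbytes = flow
        if device not in self.peers:
            return [(hour, device, "unknown-entity")]
        findings = []
        if (dst, port) not in self.peers[device]:
            known_ports = {p for _, p in self.peers[device]}
            reason = "new-destination" if port in known_ports else "new-destination-and-port"
            findings.append((hour, device, reason))
        vols = self.volumes[device]
        mu, sigma = mean(vols), pstdev(vols)
        # z-score against the entity's own history; only upward deviations matter here
        if sigma > 0 and (nbytes - mu) / sigma > z_threshold:
            findings.append((hour, device, "volume-spike"))
        return findings


def detect(baseline_flows, detection_flows):
    """Learn from the baseline window, then score every flow in the detection window."""
    model = EntityBaseline()
    model.learn(baseline_flows)
    return [f for flow in detection_flows for f in model.score(flow)]


if __name__ == "__main__":
    base, new = constructed_flows()
    for hour, device, reason in detect(base, new):
        print(f"hour {hour:>3}  {device:10} {reason}")
```

Two design points carry over to real deployments: the profile is per entity, so a camera sending 2 MB is as anomalous as a workstation sending 2 GB, and a device with no learned profile is itself a finding rather than silently passed, since an unknown asset on a segment meant for IoT devices is exactly what the baseline should surface.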
Employee training
Employees clicking on malicious links or downloading malicious files are still one of the biggest sources of attacks, so repeat employee cybersecurity training often.
Put recovery strategies in place
Incident response and a clean air-gapped backup copy of your data are critical cybersecurity tools these days.
Ensure your systems are up to date
Patch, patch, and patch again. It’s amazing how many companies don’t get that simple task right.
Trust no one
With all the threats out there, it’s inevitable that most organizations will be breached, so instead of relying solely on “perimeter” defenses like firewalls, assume that you’ll be breached at some point and try to limit the damage through technologies like zero trust and microsegmentation. Such technologies can protect your most critical assets even if bad guys breach the perimeter.
Prepare for Zero Day Attacks
An unfortunate reality of cybersecurity in 2021 is that you can’t anticipate every possible attack. The best any organization can do is to have the tools and training in place to prepare for the inevitable. The results of a cyber attack can be severely damaging, so your preparation should be equal to the threat.
Further reading: Top Breach and Attack Simulation (BAS) Vendors