What is a “Zero-Day” Exploit?


At their core, vulnerabilities are flaws in software or hardware. A zero-day attack occurs when a vulnerability is exploited before the developer of the system or application has had the opportunity to create a patch that fixes it. Once a patch is written and applied, the exploit used to perform the attack is no longer called a zero-day exploit.

These attacks are hard to detect and are rarely discovered right away, because only the attacker is aware of the vulnerability and of the ways to exploit it. It can take days or even months (or more) before the developers learn of the vulnerability that led to an attack.


“Day-Zero” is the day the vendor of the vulnerable product learns of the vulnerability and begins working to produce a fix.

Systems Targeted by Zero-Day Attacks

A zero-day attack can exploit vulnerabilities in a variety of systems:

  • Operating Systems
  • Web browsers
  • Open source components
  • Office applications
  • Hardware
  • IoT

The Timeline of a Zero-Day Attack

  1. Vulnerable code is released as part of an application or software deployed by users.
  2. Attackers discover the vulnerability and develop techniques to exploit it.
  3. The vendor becomes aware of the vulnerability but a patch is still not available.
  4. The vendor or security researchers disclose the vulnerability, making the public aware of it.
  5. If malware was developed to exploit the vulnerability, antivirus vendors can identify its signature in order to protect against it.
  6. The vendor eventually releases a fix for the vulnerable software, although this can take days or even months depending on the complexity.
  7. Organizations employ their patch management process to install the software fix on their systems.

Well-known examples of Zero-Day Attacks

How to Defend

Employ additional measures to defend against zero-day attacks. Some common practices are:

  • Practice a secure software development lifecycle to ensure code security and secure design architecture, thus minimizing potential vulnerabilities.
  • Have a solid vulnerability and patch management program. Update your software as soon as possible, especially for critical security updates.
  • Deploy layered security controls to protect your information assets. These controls include network segregation, firewalls, OS and application security hardening, network and host-based Intrusion Prevention Systems (IPS), and endpoint security controls.
  • Enforce least privilege when granting permissions to systems and applications, and when configuring firewall rules.
  • Have a tested backup and recovery strategy for your critical systems.
  • When a zero-day is publicly disclosed and no patch is available, you can use segmentation to lock down traffic between workloads and between workloads and users to only specific ports, protocols, and services.
  • Have an incident response plan ready!
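The segmentation and least-privilege points above come down to one idea: a default-deny policy that allows only the specific source segment, destination segment, protocol and port each workload actually needs, so an exploit against one tier cannot freely reach the next. The example below is added here and is not code from the original article; it models such an allowlist policy, checks observed flows against it, and renders the same policy as an nftables forward chain with a drop policy. The segments, ports and rule names are constructed for illustration.

```python
"""Default-deny workload segmentation: an allowlist policy, a check of observed
flows against it, and rendering of that policy as an nftables ruleset.
Added example; the networks and rule names below are constructed, not real."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR of the allowed source segment
    dst: str      # CIDR of the allowed destination segment
    proto: str    # "tcp" or "udp"
    port: int     # allowed destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Constructed policy: users may reach the web tier on 443 only, and the web
# tier may reach the database tier on 5432 only. Anything not listed is denied.
POLICY = [
    Rule("users-to-web-https", "10.10.0.0/16", "10.20.0.0/24", "tcp", 443),
    Rule("web-to-db-postgres", "10.20.0.0/24", "10.30.0.0/24", "tcp", 5432),
]


def match(rule, flow):
    """True when the flow falls inside the rule's source, destination, protocol and port."""
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and flow.proto == rule.proto
            and flow.dst_port == rule.port)


def evaluate(policy, flow):
    """Return the name of the first allow rule the flow matches, or None when it is denied."""
    for rule in policy:
        if match(rule, flow):
            return rule.name
    return None


def audit(policy, flows):
    """Split a batch of observed flows into allowed and denied lists.
    The denied list is what a defender would review: it is either a policy gap
    or lateral movement that the segmentation blocked."""
    allowed, denied = [], []
    for flow in flows:
        (allowed if evaluate(policy, flow) else denied).append(flow)
    return allowed, denied


def render_nftables(policy):
    """Render the policy as an nftables forward chain: explicit accepts, then log and drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        lines.append(f'    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.port} '
                     f'accept comment "{r.name}"')
    lines.append('    log prefix "seg-drop: " counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: a legitimate user request, a legitimate web-to-db
    # query, and two attempts that the policy blocks (user straight to the
    # database, and web tier trying SSH into the database tier).
    sample = [
        Flow("10.10.5.7", "10.20.0.10", "tcp", 443),
        Flow("10.20.0.10", "10.30.0.5", "tcp", 5432),
        Flow("10.10.5.7", "10.30.0.5", "tcp", 5432),
        Flow("10.20.0.10", "10.30.0.5", "tcp", 22),
    ]
    ok, blocked = audit(POLICY, sample)
    print(f"allowed={len(ok)} denied={len(blocked)}")
    print(render_nftables(POLICY))
```

The rendered ruleset is a starting point to load with `nft -f`, not a drop-in replacement for the firewall you already run; the point is that the drop policy is the default and every accept is a deliberate, named exception, which is exactly the posture the segmentation bullet describes for the window between disclosure and patch.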

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he is CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certified, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.
