What is a zero-day attack and how does it relate to an organization's vulnerability window?
Software vendors continuously search for overlooked vulnerabilities and, upon discovering one, issue a code fix, also known as a 'patch'. A zero-day vulnerability, however, is a software weakness that attackers find and exploit before the vendor has discovered the flaw, so no patch exists while the attack is under way.
In this article, we provide insight into the workings of zero-day attacks, discuss zero-day vulnerability trends and look at examples of zero-day attacks. This is part of an extensive series of guides about cybersecurity. In this article, you will learn:
What Is a Zero-Day Attack?

From time to time, vulnerabilities are discovered in computing systems. These vulnerabilities are security holes that allow attackers to gain unauthorized access to, damage or compromise a system. Known vulnerabilities are documented in public repositories such as the National Vulnerability Database (NVD). Both software vendors and independent security researchers are constantly on the lookout for new vulnerabilities in software products. When a vulnerability is discovered, it is the software vendor's responsibility to quickly issue a patch that addresses the security issue; users of the software can then install the patch to protect themselves.

A zero-day (or 0-day) vulnerability is one that attackers discover and exploit before the vendor has become aware of it; a zero-day attack is an attack that uses such a vulnerability. The name refers to the fact that the vendor has had zero days to fix the flaw. At that point no patch exists, so attackers can exploit the vulnerability knowing that no vendor fix is in place and that only generic defenses (exploit mitigations, least privilege, network segmentation) stand in their way. This makes zero-day vulnerabilities a severe security threat.

Once attackers identify a zero-day vulnerability, they need a delivery mechanism to reach the vulnerable system. In many cases the delivery mechanism is a socially engineered email: a message that appears to come from a known or legitimate correspondent but is actually from an attacker. The message tries to convince a user to perform an action such as opening a file or visiting a malicious website, unwittingly triggering the exploit.

What Is a Zero-Day Exploit and Why Is it Dangerous?

A zero-day exploit is the code or technique an attacker uses to leverage a zero-day vulnerability against a system. Such exploits are especially dangerous because they are more likely to succeed than attacks against established, already-patched vulnerabilities. On day zero, when a vulnerability first becomes known, organizations have had no chance to patch it, so the exploit works against every exposed system.
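The vulnerability window described above has two distinct phases for a defender: the time during which no patch exists anywhere (the zero-day window) and the time after a patch is released but before the organization installs it (the n-day window). The following added example (not code from the original page or from Cynet) models that split for a set of assets. The vulnerability identifiers, asset names and dates are all constructed for illustration, not real CVE data; it also covers the case where exploitation only begins after the patch has shipped, which is an n-day rather than a zero-day exposure.

```python
"""Split an asset's exposure to a vulnerability into zero-day and n-day windows.

Added example; all identifiers, assets and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VulnTimeline:
    """Dates a defender can usually establish for one vulnerability."""
    first_exploited: date           # earliest known in-the-wild exploitation
    vendor_aware: date              # date the vendor learned of the flaw
    patch_released: Optional[date]  # None while no fix exists

    def vendor_blind_days(self) -> int:
        """Days attackers exploited the flaw before the vendor knew of it."""
        return max(0, (self.vendor_aware - self.first_exploited).days)


@dataclass(frozen=True)
class Exposure:
    asset: str
    zero_day_days: int  # exposed while no patch existed anywhere
    n_day_days: int     # exposed after a patch existed but before it was installed
    state: str          # "zero-day", "unpatched" or "patched"


def exposure(asset: str, tl: VulnTimeline, patched_on: Optional[date], today: date) -> Exposure:
    """Compute how long `asset` was exposed, split at the patch release date."""
    if patched_on is not None:
        if tl.patch_released is None:
            raise ValueError(f"{asset}: cannot be patched before a patch exists")
        if patched_on < tl.patch_released:
            raise ValueError(f"{asset}: patched_on precedes patch_released")
    end = patched_on or today              # exposure ends at install, or is still open today
    split = tl.patch_released or end       # no patch yet: the whole window is zero-day
    # zero-day portion: from first exploitation until a patch existed (never negative)
    zero_day = max(0, (min(split, end) - tl.first_exploited).days)
    # n-day portion starts at whichever came later: the patch, or the first exploitation
    n_day = max(0, (end - max(split, tl.first_exploited)).days) if tl.patch_released else 0
    if tl.patch_released is None:
        state = "zero-day"
    elif patched_on is None:
        state = "unpatched"
    else:
        state = "patched"
    return Exposure(asset, zero_day, n_day, state)


TODAY = date(2024, 3, 1)

# Constructed sample data (hypothetical vulnerability ids and assets, not real CVEs).
TIMELINES: Dict[str, VulnTimeline] = {
    "VULN-A": VulnTimeline(date(2024, 1, 10), date(2024, 1, 20), date(2024, 2, 1)),  # true zero-day, now fixed
    "VULN-B": VulnTimeline(date(2024, 2, 15), date(2024, 2, 20), None),              # exploited, still unfixed
    "VULN-C": VulnTimeline(date(2024, 1, 25), date(2023, 12, 1), date(2024, 1, 5)),  # exploited only after the patch shipped
}
# (asset, vulnerability id, date the organization installed the patch or None)
ASSETS: List[Tuple[str, str, Optional[date]]] = [
    ("web-01", "VULN-A", date(2024, 2, 3)),
    ("web-02", "VULN-A", None),
    ("db-01", "VULN-B", None),
    ("vpn-01", "VULN-C", date(2024, 2, 1)),
]


def exposure_report(today: date = TODAY) -> List[Exposure]:
    """Exposure of every asset in ASSETS as of `today`."""
    return [exposure(asset, TIMELINES[vuln], patched_on, today) for asset, vuln, patched_on in ASSETS]


if __name__ == "__main__":
    for vuln, tl in TIMELINES.items():
        print(f"{vuln}: vendor blind for {tl.vendor_blind_days()} days")
    for e in exposure_report():
        print(f"{e.asset:8} {e.state:10} zero-day={e.zero_day_days:3}d  n-day={e.n_day_days:3}d")
```

Running it shows that web-02 has spent longer in the n-day window (29 days) than in the zero-day window (22 days) even though the fix exists, and that vpn-01 was never exposed to a zero-day at all: the exploit appeared after the patch, and the seven days of exposure were entirely the organization's own patching delay.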
Something that makes zero-day exploits even more dangerous is that some advanced threat groups use them strategically, reserving them for high-value targets such as medical or financial institutions or government organizations. This reduces the chance that the vulnerability is discovered by a victim and extends the useful life of the exploit. Even after a patch is released, users must still install it; until they do, attackers can continue to use the exploit against unpatched systems.

Anatomy of a Zero-Day Attack

A zero-day attack typically proceeds as follows:
Who Are the Attackers?

Threat actors who plan and carry out zero-day attacks can belong to several categories:
Targeted vs. Non-Targeted Zero-Day Attacks

Targeted zero-day attacks are carried out against high-profile targets, such as government or public institutions, large organizations, and senior employees who have privileged access to corporate systems, sensitive data, intellectual property or financial assets.

Non-targeted zero-day attacks are typically waged against a large number of home or business users who run a vulnerable system, such as an operating system or browser. Often the attacker's goal is to compromise these systems and use them to build massive botnets. A well-known example of mass exploitation is the 2017 WannaCry worm, which used the EternalBlue exploit against the Windows SMB protocol to compromise over 200,000 machines in one day. Strictly speaking, WannaCry was an n-day rather than a zero-day attack: Microsoft had released the MS17-010 patch two months earlier, and the victims were systems that had not yet applied it, which shows how the exposure window persists long after a fix exists. Non-targeted attacks can also target hardware, firmware and Internet of Things (IoT) devices.

Zero-Day Vulnerability Trends

Zero-day exploits seen in the wild grew from eight in 2016 to 49 in 2017. The Trend Micro Zero Day Initiative, a network of researchers that encourages zero-day research, found 382 new vulnerabilities in the first half of 2018. Not all vulnerabilities are actively targeted by attackers, and only some have exploits available. Experts anticipate that zero-day exploits will become much more frequent: Cybersecurity Ventures expects that by 2021 attackers will launch a new exploit daily, up from approximately one per week in 2015.

Examples of Zero-Day Attacks

The following are three examples of high-profile zero-day attacks, illustrating the severe risk zero-day attacks pose for organizations.

Stuxnet

Stuxnet has been called the world's first cyber weapon. It was malware used to sabotage Iran's uranium enrichment centrifuges; it was discovered in 2010, though its development is believed to have started years earlier. Many experts attribute it to the National Security Agency (NSA). Stuxnet exploited several Windows zero-day vulnerabilities to spread, then targeted a specific Siemens industrial control system and sped up or slowed down the centrifuges to the point where they destroyed themselves.
During this process, the malware fed Iranian monitoring systems data that made it appear the centrifuges were operating normally.

RSA

In 2011, attackers used an unpatched vulnerability in Adobe Flash Player to gain entry into the network of security vendor RSA. The attackers sent phishing emails with Excel spreadsheet attachments to RSA employees; the spreadsheets contained an embedded Flash object that exploited the zero-day Flash vulnerability. The stolen data included key information used in RSA customers' SecurID security tokens.

Sony

In 2014, an attack widely described as a zero-day targeted Sony Pictures. The details of the vulnerability exploited remain unknown, but the attack brought down Sony's network, and the attackers leaked sensitive corporate data on file-sharing sites, including personal information about Sony employees and their families, internal correspondence, information about executive salaries, and copies of unreleased Sony films. The attackers also used wiper malware related to the earlier Shamoon wiper to erase multiple systems on Sony's corporate network.

The Zero-Day Market

A zero-day vulnerability is a valuable asset: valuable to software vendors, who want to protect their users, and valuable to attackers, who can use it to their advantage. Three markets have emerged on which both legitimate and malicious researchers trade zero-day vulnerabilities and exploits:
Zero-Day Protection and Prevention

Zero-day attacks are difficult to defend against, but there are ways to prepare. Read our guide to zero-day protection to understand four best practices that can help you prevent zero-day attacks:
Zero-Day Attack Protection with Cynet

The Cynet 360 Advanced Threat Detection and Response platform provides protection against threats including zero-day attacks, advanced persistent threats (APTs), advanced malware, and trojans that can evade traditional signature-based security measures.

Block exploit-like behavior

Cynet monitors endpoint memory for behavioral patterns typical of exploits, such as unusual process handle requests. These patterns are common to the vast majority of exploits, whether known or new, which provides effective protection even against zero-day exploits.

Block exploit-derived malware

Cynet employs multi-layered malware protection that includes ML-based static analysis, sandboxing and process behavior monitoring, supplemented by fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker and downloads additional malware, Cynet prevents that malware from running so no harm can be done.

Uncover hidden threats

Cynet uses an adversary-centric methodology to accurately detect threats throughout the attack chain. Cynet thinks like an adversary, detecting behaviors and indicators across endpoints, files, users, and networks, and provides a holistic account of an attack's operation irrespective of where the attack tries to penetrate.

Accurate and precise

Cynet uses a powerful correlation engine and presents its attack findings with near-zero false positives and without excessive noise. This simplifies response for security teams so they can react to the incidents that matter. Remediation can be automatic or manual, giving security teams a highly effective yet straightforward way to detect, disrupt, and respond to advanced threats before they have a chance to do damage. Learn more about Cynet's Next-Generation Antivirus (NGAV) solution.
Learn More About Zero-Day Attacks

5 Ways to Defend Against Zero-Day Malware

In computing, the term zero day refers to the unknown: a vulnerability, exploit or threat that is not yet known to security researchers or defenders. Learn what zero-day malware is, why it can get past traditional signature-based antivirus, and five ways to defend against it.

Read more: 5 Ways to Defend Against Zero-Day Malware

Zero-Day Exploit: Recent Examples and Four Detection Strategies

Zero-day exploits are techniques malicious actors use to attack a system that has a vulnerability while the users and developers of the system are still unaware of it. Understand why zero-day exploits are so severe, see examples of devastating breaches caused by zero days, and learn how to detect zero-day attacks.

Read more: Zero-Day Exploit: Recent Examples and Four Detection Strategies

Zero-Day Attack Prevention: 4 Ways to Prepare

A zero-day vulnerability is a weakness in a computer system that can be exploited by an attacker and is undetected by the affected parties. A zero-day attack is an attempt by a threat actor to penetrate, damage, or otherwise compromise a system affected by such an unknown vulnerability. By the nature of the attack, the victim will not have specific defenses in place, making it highly likely to succeed. What happens if your organization is the victim of a zero-day exploit? Understand how to protect your organization against surprising and unknown attacks.

Read more: Zero-Day Attack Prevention: 4 Ways to Prepare

See Our Additional Articles on Key Cybersecurity Topics

Together with our content partners, we have authored in-depth articles, guides, and explainers on several other topics that can also be useful as you explore the world of cybersecurity.

Network Attacks
Advanced Persistent Threat
Malware
EDR
XDR
What is a zero-day attack?

A zero-day attack exploits an unpatched vulnerability, and could significantly affect organizations using vulnerable systems. Until a patch becomes available, it is often a race between threat actors trying to exploit the flaw and vendors or developers rolling out a patch to fix it.
What do you mean by zero-day?

If a hacker manages to exploit the vulnerability before software developers can find a fix, that exploit becomes known as a zero-day attack. Zero-day vulnerabilities can take almost any form, because they can manifest as any type of broader software vulnerability.
What is a zero-day exploit?

A zero-day (0day) exploit is a cyber attack targeting a software vulnerability which is unknown to the software vendor or to antivirus vendors. The attacker spots the software vulnerability before any parties interested in mitigating it, quickly creates an exploit, and uses it for an attack.
What is a 0-day vulnerability?

A zero-day (or 0-day) vulnerability is a software vulnerability that is discovered by attackers before the vendor has become aware of it. By definition, no patch exists for zero-day vulnerabilities and user systems have no specific defenses in place, making attacks highly likely to succeed.