February 28, 2023 By Doug Bonderud 4 min read

Zero-day attacks are on the rise.

Not only was 2021 a record-breaking year for the total number of zero-day attacks, but it also accounted for 40% of the zero-day breaches over the last decade. In part, this race to zero is tied to the sheer number of web, mobile and cloud-based applications being developed and deployed. With so much code created so quickly, it’s not surprising that attackers are finding more digital doors unlocked.

The massive volume of users constantly connected to corporate networks also increases the success rate of zero-day efforts. If attackers can compromise even a single endpoint, they may be able to capture or exfiltrate data that allows them to dive undetected into zero-day exploits.

But what exactly is a zero-day attack? What are its common stages, and how can companies protect themselves?

What is a zero-day attack?

No piece of software is perfect. If cyber criminals can compromise application data and pinpoint potential threat vectors that IT teams don’t know about, the resulting attack leaves companies zero days to prepare and respond.

In practice, there are three components to a zero-day compromise: Zero-day vulnerabilities, zero-day exploits and zero-day attacks.

Zero-day vulnerabilities are undetected flaws in systems or software that could result in compromise. Zero-day exploits are the methods developed by attackers to take advantage of vulnerabilities. Lastly, zero-day attacks are the actions attackers take to use their exploit and compromise your system.

The biggest risk factor of a zero-day effort is the element of uncertainty. Since companies aren’t aware of flaws in their code until attackers attempt to exploit them, staying protected can be challenging. Instead, enterprises must remain on their toes.

Step by step: The killer connection

Zero-day attacks use what’s known as the “kill chain” — a series of interconnected steps which lead to data compromise.

While every zero-day issue differs depending on the application itself, the type of data stored and the ability of companies to detect these problems ASAP, most attacks follow a similar kill chain pattern. These are the most common steps.

Reconnaissance

Before attackers can create zero-day exploits and compromise critical systems, they need to know what they’re getting into. This is the role of reconnaissance. Depending on the nature of the software — proprietary vs. open-source — reconnaissance will look very different. Open-source code allows attackers to browse at their leisure, but exploits may not generate the same impact given the more cautious use of open-source solutions at scale.

Proprietary programs, meanwhile, typically secure their code using tools such as obfuscation and encryption. As a result, attackers will first look to gain system access via techniques such as social engineering, then conduct code observation.

Weaponization

With vulnerabilities identified, attackers can weaponize these zero-day issues into exploits. First, they write exploit code that allows them to leverage the vulnerability. Then they deploy this code themselves, sell it to the highest bidder or make it public knowledge to drive interest.

Implementation

Implementation comes next. Attackers deploy the exploit on your system or any other systems running your software. They accomplish implementation via malicious email attachments, unprotected form fields or brute-force efforts.

Exfiltration and exploration

Once inside your system, malicious actors may choose to exfiltrate key data or move laterally through your network to explore other data sources.

These steps parallel more familiar attacks, such as ransomware or phishing, but with the additional challenge of unpredictability. Since IT teams aren’t aware of zero-day vulnerabilities, their approach and impact may be unexpected.

Thankfully, problems tied to zero-day attacks often present the same way as their more commonplace counterparts. For example, if IT teams notice a sudden uptick in data transfer volumes or odd slowdowns in specific applications, this could indicate zero-day issues.

Zeroing in on effective defense

If zero-day attacks come without warning, what can companies do to bolster protection?

First, it’s worth recognizing that these attacks aren’t entirely without warning. Vulnerabilities in the code exist, whether or not attackers find them. With the right approach, it’s possible for teams to mitigate at least some of the risk tied to zero-day efforts.

Three approaches can help improve zero-day response.

Reliable input validation

Input validation is the process of testing all data inputs to ensure they’re properly formatted. If this process detects improper data formats, it may suggest the presence of a zero-day exploit attempting to gain access.

Regular vulnerability scans

Vulnerability scans can simulate software attacks. Regularly conducting these scans helps pinpoint potential issues. For example, if you’ve just deployed a new piece of software, vulnerability scanning can help detect possible weak points before attackers find them, in turn allowing IT teams to act.

Robust patch management

Along with scanning and validation, patch management also matters. While it’s true that zero-day exploits are naturally unpatched because they’ve never been detected before, this comes with a caveat, especially if your company is using new software created by a third party.

Here’s why: If you’re using a piece of recently released software but haven’t yet patched the application, it may still be vulnerable to the original zero-day vulnerability. Robust, automated patch management can help reduce this risk.

The race to zero

There are also other efforts to help mitigate the impact of zero-day issues, such as the zero-day initiative. This program provides monetary rewards for researchers who choose to report zero-day vulnerabilities rather than making them public or selling them on the black market.

Bottom line? The race to zero is still on as attackers look to leverage unknown vulnerabilities, create new exploits and compromise key software.

While it’s impossible to avoid damage from every zero-day attack, companies can mitigate their risk by validating inputs, regularly scanning for vulnerabilities and keeping patches up-to-date.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today