Zero-day attacks are on the rise.
Not only was 2021 a record-breaking year for the total number of zero-day attacks, but it also accounted for 40% of the zero-day breaches over the last decade. In part, this race to zero is tied to the sheer number of web, mobile and cloud-based applications being developed and deployed. With so much code created so quickly, it’s not surprising that attackers are finding more digital doors unlocked.
The massive volume of users constantly connected to corporate networks also increases the success rate of zero-day efforts. If attackers can compromise even a single endpoint, they may be able to capture or exfiltrate data that lets them launch zero-day exploits without being detected.
But what exactly is a zero-day attack? What are its common stages, and how can companies protect themselves?
What is a zero-day attack?
No piece of software is perfect. If cyber criminals can pinpoint a threat vector that IT teams don’t know about and use it to compromise application data, the resulting attack leaves companies zero days to prepare and respond.
In practice, there are three components to a zero-day compromise: zero-day vulnerabilities, zero-day exploits and zero-day attacks.
Zero-day vulnerabilities are undetected flaws in systems or software that could result in compromise. Zero-day exploits are the methods developed by attackers to take advantage of vulnerabilities. Lastly, zero-day attacks are the actions attackers take to use their exploit and compromise your system.
The biggest risk factor of a zero-day effort is the element of uncertainty. Since companies aren’t aware of flaws in their code until attackers attempt to exploit them, staying protected can be challenging. Instead, enterprises must remain on their toes.
Step by step: The killer connection
Zero-day attacks use what’s known as the “kill chain” — a series of interconnected steps which lead to data compromise.
While every zero-day issue differs depending on the application itself, the type of data stored and the ability of companies to detect these problems ASAP, most attacks follow a similar kill chain pattern. These are the most common steps.
Reconnaissance
Before attackers can create zero-day exploits and compromise critical systems, they need to know what they’re getting into. This is the role of reconnaissance. Depending on the nature of the software — proprietary vs. open-source — reconnaissance will look very different. Open-source code allows attackers to browse at their leisure, but the resulting exploits may have less impact because organizations tend to deploy open-source solutions more cautiously at scale.
Proprietary programs, meanwhile, typically secure their code using tools such as obfuscation and encryption. As a result, attackers will first look to gain system access via techniques such as social engineering, then conduct code observation.
Weaponization
With vulnerabilities identified, attackers can weaponize these zero-day issues into exploits. First, they write exploit code that allows them to leverage the vulnerability. Then they deploy this code themselves, sell it to the highest bidder or make it public knowledge to drive interest.
Implementation
Implementation comes next. Attackers deploy the exploit on your system or any other systems running your software. They accomplish implementation via malicious email attachments, unprotected form fields or brute-force efforts.
Exfiltration and exploration
Once inside your system, malicious actors may choose to exfiltrate key data or move laterally through your network to explore other data sources.
These steps parallel more familiar attacks, such as ransomware or phishing, but with the additional challenge of unpredictability. Since IT teams aren’t aware of zero-day vulnerabilities, the attack’s approach and impact may be unexpected.
Thankfully, problems tied to zero-day attacks often present the same way as their more commonplace counterparts. For example, if IT teams notice a sudden uptick in data transfer volumes or odd slowdowns in specific applications, this could indicate zero-day issues.
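The “sudden uptick in data transfer volumes” signal above can be checked mechanically. The following is an added example, not code from the original article: it reads constructed per-host outbound byte counts (the log format, host names and the 10× threshold are assumptions) and flags any window that far exceeds that host’s own recent baseline.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample lines (not real telemetry): outbound bytes per host per 5-minute window.
SAMPLE_LOG = """\
2021-06-01T10:00Z host=ws-12 bytes_out=120000
2021-06-01T10:05Z host=ws-12 bytes_out=98000
2021-06-01T10:10Z host=ws-12 bytes_out=131000
2021-06-01T10:15Z host=ws-12 bytes_out=4900000
2021-06-01T10:00Z host=db-01 bytes_out=2200000
2021-06-01T10:05Z host=db-01 bytes_out=2100000
2021-06-01T10:10Z host=db-01 bytes_out=2350000
2021-06-01T10:15Z host=db-01 bytes_out=2280000
"""

# Assumed log layout: timestamp, host=..., bytes_out=... on one line.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)$")


def parse(log_text):
    """Group samples by host, keeping file order; lines that do not match are skipped."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_host[m["host"]].append((m["ts"], int(m["bytes"])))
    return per_host


def find_egress_spikes(log_text, factor=10.0, min_history=3):
    """Flag windows whose outbound volume exceeds factor x the host's median of earlier windows.

    Each host is compared only with itself, so a busy database server is not
    mistaken for a workstation that suddenly starts pushing data out.
    """
    alerts = []
    for host, samples in parse(log_text).items():
        history = []
        for ts, b in samples:
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if baseline > 0 and b > factor * baseline:
                    alerts.append({"host": host, "ts": ts, "bytes_out": b, "baseline": baseline})
            history.append(b)
    return alerts
```

A spike is a prompt to investigate the host, not proof of an exploit; a large backup job would trip the same rule.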
Zeroing in on effective defense
If zero-day attacks come without warning, what can companies do to bolster protection?
First, it’s worth recognizing that these attacks aren’t entirely without warning. Vulnerabilities in the code exist, whether or not attackers find them. With the right approach, it’s possible for teams to mitigate at least some of the risk tied to zero-day efforts.
Three approaches can help improve zero-day response.
Reliable input validation
Input validation is the process of testing all data inputs to ensure they’re properly formatted before the application acts on them. If this process rejects improperly formatted data, that rejection may be an early sign of a zero-day exploit attempting to gain access.
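An allow-list validator that also records why each input was rejected turns validation into the detection signal described above. This is an added example, not the article’s code: the form schema, field rules, source addresses and the review threshold are all assumptions, and the submissions are constructed.

```python
import re
from collections import Counter

# Allow-list rules per field: compiled pattern plus a hard length cap. The schema is an
# assumed one for a hypothetical sign-up form, not taken from any real application.
FIELD_RULES = {
    "username": (re.compile(r"[a-z0-9_]{3,32}"), 32),
    "email": (re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}"), 320),
    "age": (re.compile(r"[1-9][0-9]?|1[01][0-9]|120"), 3),
}


def validate(form):
    """Check every field against its allow-list rule.

    Returns (accepted, rejections): accepted holds only fields that passed;
    rejections lists one reason per failing field so it can be logged.
    """
    accepted, rejections = {}, []
    for name, value in form.items():
        if name not in FIELD_RULES:
            rejections.append(f"{name}: unexpected field")
        elif not isinstance(value, str):
            rejections.append(f"{name}: wrong type {type(value).__name__}")
        elif len(value) > FIELD_RULES[name][1]:
            rejections.append(f"{name}: length {len(value)} exceeds cap")
        elif not FIELD_RULES[name][0].fullmatch(value):
            rejections.append(f"{name}: fails format rule")
        else:
            accepted[name] = value
    for name in FIELD_RULES:
        if name not in form:
            rejections.append(f"{name}: missing required field")
    return accepted, rejections


def sources_to_review(submissions, threshold=3):
    """Count rejected submissions per source and return those at or above threshold.

    A burst of malformed input from one source is worth an analyst's look;
    it is a lead, not proof that an exploit is in play.
    """
    rejected = Counter(src for src, form in submissions if validate(form)[1])
    return {src: n for src, n in rejected.items() if n >= threshold}


# Constructed sample submissions (not real traffic): one well-behaved source, one noisy one.
SAMPLE_SUBMISSIONS = [
    ("10.0.0.5", {"username": "alice_01", "email": "alice@example.com", "age": "34"}),
    ("10.0.0.5", {"username": "bob99", "email": "bob@example.com", "age": "41"}),
    ("10.0.0.9", {"username": "Alice Smith", "email": "no-at-sign", "age": "x"}),
    ("10.0.0.9", {"username": "a" * 40, "email": "x@y", "age": "34"}),
    ("10.0.0.9", {"username": "carol", "email": "c@example.com", "age": "34", "debug": "1"}),
]
```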
Regular vulnerability scans
Vulnerability scans can simulate software attacks. Regularly conducting these scans helps pinpoint potential issues. For example, if you’ve just deployed a new piece of software, vulnerability scanning can help detect possible weak points before attackers find them, in turn allowing IT teams to act.
Robust patch management
Along with scanning and validation, patch management also matters. While it’s true that zero-day exploits are naturally unpatched because they’ve never been detected before, this comes with a caveat, especially if your company is using new software created by a third party.
Here’s why: If you’re using a piece of recently released software but haven’t yet patched the application, it may still be vulnerable to the original zero-day vulnerability. Robust, automated patch management can help reduce this risk.
The race to zero
There are also other efforts to help mitigate the impact of zero-day issues, such as the zero-day initiative. This program provides monetary rewards for researchers who choose to report zero-day vulnerabilities rather than making them public or selling them on the black market.
Bottom line? The race to zero is still on as attackers look to leverage unknown vulnerabilities, create new exploits and compromise key software.
While it’s impossible to avoid damage from every zero-day attack, companies can mitigate their risk by validating inputs, regularly scanning for vulnerabilities and keeping patches up to date.