February 28, 2023 By Doug Bonderud 4 min read

Zero-day attacks are on the rise.

Not only was 2021 a record-breaking year for the total number of zero-day attacks, but it also accounted for 40% of the zero-day breaches over the last decade. In part, this race to zero is tied to the sheer number of web, mobile and cloud-based applications being developed and deployed. With so much code created so quickly, it’s not surprising that attackers are finding more digital doors unlocked.

The massive volume of users constantly connected to corporate networks also increases the success rate of zero-day efforts. If attackers can compromise even a single endpoint, they may be able to capture or exfiltrate data that lets them carry out zero-day exploits undetected.

But what exactly is a zero-day attack? What are its common stages, and how can companies protect themselves?

What is a zero-day attack?

No piece of software is perfect. If cyber criminals can compromise application data and pinpoint potential threat vectors that IT teams don’t know about, the resulting attack leaves companies zero days to prepare and respond.

In practice, there are three components to a zero-day compromise: zero-day vulnerabilities, zero-day exploits and zero-day attacks.

Zero-day vulnerabilities are undetected flaws in systems or software that could result in compromise. Zero-day exploits are the methods developed by attackers to take advantage of vulnerabilities. Lastly, zero-day attacks are the actions attackers take to use their exploit and compromise your system.

The biggest risk factor of a zero-day effort is the element of uncertainty. Since companies aren’t aware of flaws in their code until attackers attempt to exploit them, staying protected can be challenging. Instead, enterprises must remain on their toes.

Step by step: The killer connection

Zero-day attacks use what’s known as the “kill chain” — a series of interconnected steps which lead to data compromise.

While every zero-day issue differs depending on the application itself, the type of data stored and the ability of companies to detect these problems ASAP, most attacks follow a similar kill chain pattern. These are the most common steps.

Reconnaissance

Before attackers can create zero-day exploits and compromise critical systems, they need to know what they’re getting into. This is the role of reconnaissance. Depending on the nature of the software — proprietary vs. open-source — reconnaissance will look very different. Open-source code allows attackers to browse at their leisure, but exploits may not generate the same impact given the more cautious use of open-source solutions at scale.

Proprietary programs, meanwhile, typically secure their code using tools such as obfuscation and encryption. As a result, attackers will first look to gain system access via techniques such as social engineering, then conduct code observation.

Weaponization

With vulnerabilities identified, attackers can weaponize these zero-day issues into exploits. First, they write exploit code that allows them to leverage the vulnerability. Then they deploy this code themselves, sell it to the highest bidder or make it public knowledge to drive interest.

Implementation

Implementation comes next. Attackers deploy the exploit on your system or any other systems running your software. They accomplish implementation via malicious email attachments, unprotected form fields or brute-force efforts.

Exfiltration and exploration

Once inside your system, malicious actors may choose to exfiltrate key data or move laterally through your network to explore other data sources.

These steps parallel more familiar attacks, such as ransomware or phishing, but with the additional challenge of unpredictability. Since IT teams aren’t aware of zero-day vulnerabilities, their approach and impact may be unexpected.

Thankfully, problems tied to zero-day attacks often present the same way as their more commonplace counterparts. For example, if IT teams notice a sudden uptick in data transfer volumes or odd slowdowns in specific applications, this could indicate zero-day issues.
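One of the signals mentioned above, a sudden uptick in data transfer volume, can be checked with a simple trailing baseline. The following is an added example, not code from the original article: it uses a median/MAD baseline so one earlier spike does not hide the next, and all host names and byte counts are constructed sample data.

```python
"""Flag sudden upticks in outbound transfer volume per host."""
from statistics import median

# Constructed sample data: outbound bytes per 15-minute interval for two hosts.
SAMPLE_OUTBOUND = {
    "ws-1042": [210_000, 195_000, 240_000, 205_000, 220_000, 198_000, 4_800_000],
    "ws-2107": [150_000, 160_000, 155_000, 148_000, 162_000, 151_000, 158_000],
}


def robust_baseline(values):
    """Median and MAD (median absolute deviation); both shrug off a single outlier."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_upticks(series, window=6, k=6.0, floor_ratio=3.0):
    """Return indexes of intervals whose volume exceeds the trailing baseline.

    An interval is flagged when it exceeds median + k * MAD of the previous
    `window` intervals AND is at least `floor_ratio` times that median, so a
    very flat series (tiny MAD) does not alert on ordinary noise.
    """
    flagged = []
    for i in range(window, len(series)):
        med, mad = robust_baseline(series[i - window:i])
        threshold = max(med + k * mad, floor_ratio * med)
        if series[i] > threshold:
            flagged.append(i)
    return flagged


def review_hosts(outbound):
    """Map each host to the intervals an analyst should look at; quiet hosts are omitted."""
    report = {}
    for host, values in outbound.items():
        hits = flag_upticks(values)
        if hits:
            report[host] = hits
    return report


if __name__ == "__main__":
    for host, hits in review_hosts(SAMPLE_OUTBOUND).items():
        print(f"{host}: unusual outbound volume in interval(s) {hits}")
```

The thresholds are starting points; tune `window`, `k` and `floor_ratio` against your own traffic before alerting on them.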

Zeroing in on effective defense

If zero-day attacks come without warning, what can companies do to bolster protection?

First, it’s worth recognizing that these attacks aren’t entirely without warning. Vulnerabilities in the code exist, whether or not attackers find them. With the right approach, it’s possible for teams to mitigate at least some of the risk tied to zero-day efforts.

Three approaches can help improve zero-day response.

Reliable input validation

Input validation is the process of testing all data inputs to ensure they’re properly formatted. If this process detects improper data formats, it may suggest the presence of a zero-day exploit attempting to gain access.
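Input validation only becomes a detection signal if rejected input is recorded in a form that can be counted per source. The block below is an added example, not code from the original article: it validates a constructed account-update form against an allow-list schema and emits a structured event a SIEM rule could aggregate; the schema, field names and sample records are all assumptions.

```python
"""Allow-list input validation that also produces a detection signal."""
import re
from datetime import datetime, timezone

# Allow-list rules per field: exact type, length or range, and a full-match pattern.
SCHEMA = {
    "username": {"type": str, "max_len": 32, "pattern": r"[a-z0-9_.]+"},
    "email": {"type": str, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "age": {"type": int, "min": 0, "max": 150},
}

# Constructed sample submissions: one well-formed, one malformed in four ways.
GOOD_RECORD = {"username": "alice_01", "email": "alice@example.com", "age": 41}
BAD_RECORD = {"username": "Alice Smith", "email": "x" * 300, "age": "41", "extra": 1}


def validate(record, schema=SCHEMA):
    """Return a list of (field, reason) violations; an empty list means accepted."""
    violations = [(name, "unexpected field") for name in record if name not in schema]
    for name, rule in schema.items():
        if name not in record:
            violations.append((name, "missing"))
            continue
        value = record[name]
        if type(value) is not rule["type"]:  # exact type: no "41" where an int is required
            violations.append((name, "wrong type"))
            continue
        if rule["type"] is str:
            if len(value) > rule["max_len"]:
                violations.append((name, "too long"))
            elif not re.fullmatch(rule["pattern"], value):
                violations.append((name, "bad format"))
        elif not rule["min"] <= value <= rule["max"]:
            violations.append((name, "out of range"))
    return violations


def validation_event(source_ip, violations):
    """Structured log record for the SIEM; it names fields and reasons, never raw values."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": source_ip,
        "outcome": "rejected" if violations else "accepted",
        "fields": sorted(f for f, _ in violations),
        "reasons": sorted({r for _, r in violations}),
    }


if __name__ == "__main__":
    for rec in (GOOD_RECORD, BAD_RECORD):
        print(validation_event("203.0.113.7", validate(rec)))  # 203.0.113.7 is a documentation address
```

A spike in `rejected` events from one source, or a new `reason` never seen before, is the kind of anomaly worth an analyst's look.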

Regular vulnerability scans

Vulnerability scans can simulate software attacks. Regularly conducting these scans helps pinpoint potential issues. For example, if you’ve just deployed a new piece of software, vulnerability scanning can help detect possible weak points before attackers find them, in turn allowing IT teams to act.

Robust patch management

Along with scanning and validation, patch management also matters. While it’s true that zero-day exploits are naturally unpatched because they’ve never been detected before, this comes with a caveat, especially if your company is using new software created by a third party.

Here’s why: If you’re using a piece of recently released software but haven’t yet patched the application, it may still be vulnerable to the original zero-day vulnerability. Robust, automated patch management can help reduce this risk.

The race to zero

There are also other efforts to help mitigate the impact of zero-day issues, such as the Zero Day Initiative. This program provides monetary rewards for researchers who choose to report zero-day vulnerabilities rather than making them public or selling them on the black market.

Bottom line? The race to zero is still on as attackers look to leverage unknown vulnerabilities, create new exploits and compromise key software.

While it’s impossible to avoid damage from every zero-day attack, companies can mitigate their risk by validating inputs, regularly scanning for vulnerabilities and keeping patches up-to-date.
