February 28, 2023 By Doug Bonderud 4 min read

Zero-day attacks are on the rise.

Not only was 2021 a record-breaking year for the total number of zero-day attacks, but it also accounted for 40% of the zero-day breaches over the last decade. In part, this race to zero is tied to the sheer number of web, mobile and cloud-based applications being developed and deployed. With so much code created so quickly, it’s not surprising that attackers are finding more digital doors unlocked.

The massive volume of users constantly connected to corporate networks also increases the success rate of zero-day efforts. If attackers can compromise even a single endpoint, they may be able to capture or exfiltrate data that allows them to dive undetected into zero-day exploits.

But what exactly is a zero-day attack? What are its common stages, and how can companies protect themselves?

What is a zero-day attack?

No piece of software is perfect. If cyber criminals can compromise application data and pinpoint potential threat vectors that IT teams don’t know about, the resulting attack leaves companies zero days to prepare and respond.

In practice, there are three components to a zero-day compromise: Zero-day vulnerabilities, zero-day exploits and zero-day attacks.

Zero-day vulnerabilities are undetected flaws in systems or software that could result in compromise. Zero-day exploits are the methods developed by attackers to take advantage of vulnerabilities. Lastly, zero-day attacks are the actions attackers take to use their exploit and compromise your system.

The biggest risk factor of a zero-day effort is the element of uncertainty. Since companies aren’t aware of flaws in their code until attackers attempt to exploit them, staying protected can be challenging. Instead, enterprises must remain on their toes.

Step by step: The killer connection

Zero-day attacks use what’s known as the “kill chain” — a series of interconnected steps which lead to data compromise.

While every zero-day issue differs depending on the application itself, the type of data stored and the ability of companies to detect these problems ASAP, most attacks follow a similar kill chain pattern. These are the most common steps.


Before attackers can create zero-day exploits and compromise critical systems, they need to know what they’re getting into. This is the role of reconnaissance. Depending on the nature of the software — proprietary vs. open-source — reconnaissance will look very different. Open-source code allows attackers to browse at their leisure, but exploits may not generate the same impact given the more cautious use of open-source solutions at scale.

Proprietary programs, meanwhile, typically secure their code using tools such as obfuscation and encryption. As a result, attackers will first look to gain system access via techniques such as social engineering, then conduct code observation.


With vulnerabilities identified, attackers can weaponize these zero-day issues into exploits. First, they write exploit code that allows them to leverage the vulnerability. Then they deploy this code themselves, sell it to the highest bidder or make it public knowledge to drive interest.


Implementation comes next. Attackers deploy the exploit on your system or any other systems running your software. They accomplish implementation via malicious email attachments, unprotected form fields or brute-force efforts.

Exfiltration and exploration

Once inside your system, malicious actors may choose to exfiltrate key data or move laterally through your network to explore other data sources.

These steps parallel more familiar attacks, such as ransomware or phishing, but with the additional challenge of unpredictability. Since IT teams aren’t aware of zero-day vulnerabilities, their approach and impact may be unexpected.

Thankfully, problems tied to zero-day attacks often present the same way as their more commonplace counterparts. For example, if IT teams notice a sudden uptick in data transfer volumes or odd slowdowns in specific applications, this could indicate zero-day issues.

Zeroing in on effective defense

If zero-day attacks come without warning, what can companies do to bolster protection?

First, it’s worth recognizing that these attacks aren’t entirely without warning. Vulnerabilities in the code exist, whether or not attackers find them. With the right approach, it’s possible for teams to mitigate at least some of the risk tied to zero-day efforts.

Three approaches can help improve zero-day response.

Reliable input validation

Input validation is the process of testing all data inputs to ensure they’re properly formatted. If this process detects improper data formats, it may suggest the presence of a zero-day exploit attempting to gain access.

Regular vulnerability scans

Vulnerability scans can simulate software attacks. Regularly conducting these scans helps pinpoint potential issues. For example, if you’ve just deployed a new piece of software, vulnerability scanning can help detect possible weak points before attackers find them, in turn allowing IT teams to act.

Robust patch management

Along with scanning and validation, patch management also matters. While it’s true that zero-day exploits are naturally unpatched because they’ve never been detected before, this comes with a caveat, especially if your company is using new software created by a third party.

Here’s why: If you’re using a piece of recently released software but haven’t yet patched the application, it may still be vulnerable to the original zero-day vulnerability. Robust, automated patch management can help reduce this risk.

The race to zero

There are also other efforts to help mitigate the impact of zero-day issues, such as the zero-day initiative. This program provides monetary rewards for researchers who choose to report zero-day vulnerabilities rather than making them public or selling them on the black market.

Bottom line? The race to zero is still on as attackers look to leverage unknown vulnerabilities, create new exploits and compromise key software.

While it’s impossible to avoid damage from every zero-day attack, companies can mitigate their risk by validating inputs, regularly scanning for vulnerabilities and keeping patches up-to-date.

More from Risk Management

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

GenAI: The next frontier in AI security threats

3 min read - Threat actors aren’t attacking generative AI (GenAI) at scale yet, but these AI security threats are coming. That prediction comes from the 2024 X-Force Threat Intelligence Index. Here’s a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cyber criminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned…

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today