A zero-day vulnerability is a software bug or exploit that hasn’t been patched. It’s like a hole in the bottom of your shoe that you haven’t noticed yet, but a curly-mustachioed villain has found it and is considering putting rusty nails on your gas pedal. Hackers can use these bugs and exploits to steal your data before you’re able to find and patch the weakness.
What are Vulnerabilities?
Vulnerabilities allow attackers to slip past your defenses and into your network, like the unpatched software that allowed the Equifax hack.
As security professionals, we regularly deal with all kinds of vulnerabilities like software bugs, hacks, and human vulnerabilities.
Software bugs – like the one that led to the Equifax data breach – are faults in the code that hackers can use to get through to your data. Software hacks use existing functionality as part of an attack: the Golden Ticket attack, for instance, is a privilege escalation hack that takes advantage of the way Microsoft Kerberos functions normally. Human vulnerabilities are exploited most frequently by social engineering attacks, which often abuse trust (or naiveté) to steal passwords or send money to African princes.
What Makes a Zero-Day Vulnerability?
In short, urgency and immediacy make a zero-day vulnerability.
These are software bugs that developers have zero days to fix because by the time they’re identified, they are already massive security risks that could cause significant damage. Most of the time, zero-day bugs are not public knowledge and are patched before attackers can build an exploit kit to take advantage of the flaw.
As long as the zero-day vulnerability is not public, developers have time on their side. However, once the exploit becomes public knowledge, it becomes a race for developers to get a patch out before damage is done.
Many organizations offer bounties for discovering zero-day vulnerabilities in their software. Microsoft and Google offer cash rewards for reporting vulnerabilities to them directly, with some rewards north of $100k.
A zero-day exploit is different from a zero-day vulnerability. Zero-day exploits do not have to be existing vulnerabilities: they could be a brand new malware or ransomware program. A zero-day exploit is a brand new kind of attack in progress that requires immediate remediation.
When a zero-day vulnerability isn’t discovered and patched before the attackers find the flaw, however, it becomes a zero-day exploit as well.
Zero-day exploits are difficult to detect and defend against: they are unknown until it’s too late, and their nature is under-researched. Signature-based security solutions can’t detect a zero-day exploit, and there are no software vulnerability patches immediately available. You need to react to zero-day exploits quickly to prevent widespread damage to the network or data theft.
How to Defend Against Zero-Day Attacks
You can create a secure network that is resilient against zero-day attacks. By monitoring data and comparing current activity to an established baseline, you can detect abnormalities caused by zero-day attacks. Every cyberattack – zero-day or otherwise – leaves digital footprints in both the data and on the network.
For example, a zero-day exploit that grants an attacker access to a user account will likely cause that user account to act abnormally. The attacker might try to search the network for credit card numbers or password lists, or try to elevate the account to a Domain Admin. With Varonis, either of those activities will trigger one of several behavior-based threat models and flag it as suspicious activity. So what can you do to protect yourself against zero-day vulnerabilities?
- Monitor your core data – including files, folders, emails, Active Directory, VPN, DNS, and Web Proxies – for behaviors that could indicate a zero-day cyberattack
- Enforce a least-privilege model to prevent lateral movement and data exfiltration from a zero-day attack
- Update software and security (including IPS and Endpoint) packages as soon as they are available to defend against known zero-day vulnerabilities
- Back up critical systems and establish recovery and incident response plans
- Enforce strict software and internet use policies and train users to identify phishing attacks and other security risks
That last point is key. Empower the team to report behaviors on their systems that are out of place – employees are often the last line of defense against a zero-day attack.
Zero-Day Attack Examples
Each year there are at least a dozen or so different zero-day vulnerabilities identified and patched by software vendors. One of the most infamous is the Strutshock vulnerability used in the Equifax data breach. Developers patched that vulnerability in March of 2017, but Equifax didn’t apply the update – making it a zero-day attack.
Other notable zero-day attacks:
Tips to Prevent Zero-Day Vulnerabilities
Protecting your network from zero-day attacks requires behavior-based data monitoring that helps protect against both known and unknown threats. Varonis establishes behavioral baselines to detect unusual behavior and unusual activity in your network, and alerts on suspicious activity so you can respond and stop the threat before it becomes a data breach. Signature-based systems won’t detect a zero-day exploit, but a data-centric solution can detect the digital footprints of a zero-day exploit attack in progress.
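The baseline comparison described here and under "How to Defend Against Zero-Day Attacks" can be sketched in a few lines. This is an added example, not Varonis's threat models or code from the original article: it builds a per-account baseline from history, then flags a read-volume spike, access to a share the account never used, and an addition to Domain Admins. The event tuple format, the threshold and all sample data are assumptions constructed for illustration.

```python
import statistics
from collections import Counter

Z_THRESHOLD = 3.0                      # assumed alert threshold; tune per environment
PRIVILEGED_GROUPS = {"Domain Admins"}

# Constructed history: per account, one (files_read, shares_touched) pair per day.
HISTORY = {
    "alice": [(40, {"finance"}), (52, {"finance"}), (47, {"finance", "hr"}),
              (38, {"finance"}), (55, {"finance"})],
    "bob": [(12, {"eng"}), (9, {"eng"}), (15, {"eng"}), (11, {"eng"}), (13, {"eng"})],
}
# Constructed events for the day under review: (account, action, target).
TODAY = ([("alice", "file_read", f"finance/report{i}.xlsx") for i in range(45)]
         + [("bob", "file_read", f"finance/cards{i}.csv") for i in range(300)]
         + [("bob", "group_add", "Domain Admins")])

def build_baseline(history):
    """Summarise each account's normal read volume and the shares it normally uses."""
    profile = {}
    for user, days in history.items():
        counts = [n for n, _ in days]
        profile[user] = {
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts) or 1.0,  # flat history: avoid dividing by 0
            "shares": set().union(*(s for _, s in days)),
        }
    return profile

def detect(profile, events):
    """Return sorted (account, reason) alerts for behaviour outside the baseline."""
    alerts = set()
    for user, action, target in events:
        base = profile.get(user)
        share = target.split("/")[0]
        if base is None:
            alerts.add((user, "no_baseline"))
        elif action == "file_read" and share not in base["shares"]:
            alerts.add((user, "new_share:" + share))
        if action == "group_add" and target in PRIVILEGED_GROUPS:
            alerts.add((user, "privileged_group_add:" + target))
    reads = Counter(u for u, a, _ in events if a == "file_read")
    for user, n in reads.items():
        base = profile.get(user)
        if base and (n - base["mean"]) / base["stdev"] > Z_THRESHOLD:
            alerts.add((user, "read_volume_spike"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), TODAY):
        print(alert)
```

None of the three alerts depends on a signature for the exploit itself; each fires on what the compromised account does afterwards.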
See how Varonis detects attacks with a free 1:1 demo – and discover the best practices to defend against zero-day attacks.