Zero-Day Vulnerability Explained

Find out how zero-day vulnerabilities become zero-day exploits and zero-day attacks, and how to defend your network from zero-day attacks and exploits.
Michael Buckbee
3 min read
Published March 29, 2020
Last updated June 16, 2023

A zero-day vulnerability is a software flaw that attackers know about, or are already exploiting, before the vendor has a patch for it. It’s like a hole in the bottom of your shoe that you haven’t noticed yet, but a curly-mustachioed villain has found it and is considering putting rusty nails on your gas pedal. Attackers can use these flaws to steal your data before you’re able to find and patch the weakness.

What are Vulnerabilities?

Vulnerabilities allow attackers to slip past your defenses and into your network, like the unpatched software that allowed the Equifax hack.

As security professionals, we regularly deal with vulnerabilities of several kinds: software bugs, abuse of legitimate functionality, and human weaknesses.

Software bugs – like the Apache Struts flaw that led to the Equifax data breach – are faults in the code that attackers can use to get through to your data. Abuse of legitimate functionality uses the software as designed as part of an attack: the Golden Ticket attack, for instance, takes advantage of the way Microsoft Kerberos functions normally. An attacker who has already obtained the krbtgt account’s key can forge ticket-granting tickets for any account, including Domain Admins, without exploiting a single bug. Human weaknesses are exploited most often by social engineering attacks, which abuse trust (or naiveté) to steal passwords or get money wired to a fictitious prince.

What Makes a Zero-Day Vulnerability?

In short, urgency and immediacy make a zero-day vulnerability.

The “zero” counts the days the vendor has had to fix the flaw: a zero-day vulnerability is one that attackers discover, or start exploiting, before the vendor knows about it or has shipped a patch, so on the day the threat appears there is no fix to deploy. Most flaws never reach that state: they are found by the vendor or reported privately by researchers and patched before anyone builds an exploit for them.

As long as knowledge of the vulnerability stays with the vendor and the reporter, developers have time on their side. Once the flaw (or worse, a working exploit) becomes public, it becomes a race for developers to get a patch out, and for customers to install it, before damage is done.

Many vendors run bug bounty programs so that researchers report flaws privately instead of leaving them to become zero-days. Microsoft and Google pay cash rewards for vulnerabilities reported to them directly, with some rewards north of $100k.

Zero-Day Exploit

A zero-day exploit is different from a zero-day vulnerability: the vulnerability is the flaw, while the exploit is working attack code or a technique that takes advantage of it. The term is also used loosely for any brand new attack in progress, such as a never-before-seen malware or ransomware family, for which no signature or fix exists yet and which therefore requires immediate remediation.

When a zero-day vulnerability isn’t discovered and patched before attackers find the flaw and weaponize it, the result is a zero-day exploit.

Zero-day exploits are difficult to detect and defend against: they are unknown until they are used, so nobody has had a chance to study them. Signature-based security solutions can’t detect a zero-day exploit, and there is no vendor patch available yet. You need to react to zero-day exploits quickly to prevent widespread damage to the network or data theft.

How to Defend Against Zero-Day Attacks

You can build a network that is resilient against zero-day attacks even though you cannot know the flaw in advance. By monitoring data and comparing current activity to an established baseline, you can detect the abnormal behavior that a zero-day attack causes. Every cyberattack – zero-day or otherwise – leaves digital footprints in both the data and on the network.

For example, a zero-day exploit that grants an attacker access to a user account will likely cause that account to act abnormally. The attacker might search the network for credit card numbers or password lists, open files on shares the user never touched before, or try to elevate the account to Domain Admin. With Varonis, each of those activities will trigger one of several behavior-based threat models and be flagged as suspicious activity. So what can you do to protect yourself against zero-day vulnerabilities?

  • Monitor your core data – including files, folders, emails, Active Directory, VPN, DNS, and Web Proxies – for behaviors that could indicate a zero-day cyberattack
  • Enforce a least-privilege model to prevent lateral movement and data exfiltration from a zero-day attack
  • Update software and security (including IPS and Endpoint) packages as soon as updates are available, so that the window between a fix shipping and a fix being installed is as short as possible
  • Back up critical systems and establish recovery and incident response plans
  • Enforce strict software and internet use policies and train users to identify phishing attacks and other security risks

That last point is key. Empower the team to report behaviors on their systems that are out of place – employees are often the last line of defense against a zero-day attack.
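To make the baseline comparison above concrete, here is an added example (it is not Varonis code and not one of its threat models) that profiles a week of constructed file-access and directory audit events per user and, on the day under review, flags the account behaviors described above: read volume far above the account’s own baseline, shares the account never touched before, a search for card numbers, and an addition to Domain Admins. The group names, the sensitive search terms, the three-sigma threshold and the sample accounts are assumptions made for the illustration.

```python
"""Behavior-baseline detection over file-access and directory audit events.

All events below are constructed sample data; nothing here is Varonis code
or a Varonis threat model, it only illustrates the baseline-vs-today idea.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

BASELINE_DAYS = range(7)   # days 0..6 build the per-user profile
REVIEW_DAY = 7             # day 7 is the activity under review

# Assumed for the illustration: groups and search terms treated as sensitive.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
SENSITIVE_TERMS = ("password", "credit card", "card number", "ssn")


@dataclass(frozen=True)
class Event:
    day: int       # day index within the window
    user: str      # account performing the action
    action: str    # "read" (file opened), "search", or "group_add"
    target: str    # UNC path, search string, or AD group name


def share_of(path: str) -> str:
    """Return the share name of a UNC path: \\\\fs01\\finance\\a.xlsx -> finance."""
    parts = path.strip("\\").split("\\")
    return parts[1] if len(parts) > 1 else parts[0]


def build_profile(events, baseline_days):
    """Per-user baseline: mean/stdev of daily reads and the set of shares touched."""
    days = set(baseline_days)
    reads = defaultdict(lambda: defaultdict(int))   # user -> day -> read count
    shares = defaultdict(set)                       # user -> shares seen
    for e in events:
        if e.day in days and e.action == "read":
            reads[e.user][e.day] += 1
            shares[e.user].add(share_of(e.target))
    profile = {}
    for user, per_day in reads.items():
        counts = [per_day.get(d, 0) for d in days]
        profile[user] = {"mean": mean(counts), "stdev": pstdev(counts), "shares": shares[user]}
    return profile


def detect(events, baseline_days=BASELINE_DAYS, day=REVIEW_DAY, sigma=3.0):
    """Compare one day's activity with the baseline; return sorted (user, kind, detail) alerts."""
    profile = build_profile(events, baseline_days)
    alerts = set()
    reads_today = defaultdict(int)
    for e in (x for x in events if x.day == day):
        if e.action == "read":
            reads_today[e.user] += 1
            p = profile.get(e.user)
            if p and share_of(e.target) not in p["shares"]:
                alerts.add((e.user, "new_share", share_of(e.target)))
        elif e.action == "search" and any(t in e.target.lower() for t in SENSITIVE_TERMS):
            alerts.add((e.user, "sensitive_search", e.target))
        elif e.action == "group_add" and e.target in PRIVILEGED_GROUPS:
            alerts.add((e.user, "privileged_group_add", e.target))
    for user, n in reads_today.items():
        p = profile.get(user)
        if p is None:                       # never seen before: no baseline to trust
            alerts.add((user, "no_baseline", f"{n} reads"))
            continue
        # A perfectly flat baseline has stdev 0, so keep a floor of one read/day before scaling.
        threshold = p["mean"] + sigma * max(p["stdev"], 1.0)
        if n > threshold:
            alerts.add((user, "read_volume", f"{n} reads vs baseline {p['mean']:.1f}/day"))
    return sorted(alerts)


def constructed_events():
    """Constructed audit log: jdoe and asmith behave steadily for a week; on the review
    day jdoe's account (now driven by an attacker) reads far more files, spills into
    shares it never touched, hunts for card numbers and is added to Domain Admins."""
    ev = []
    for d in BASELINE_DAYS:
        ev += [Event(d, "jdoe", "read", f"\\\\fs01\\finance\\report_{d}_{i}.xlsx") for i in range(5)]
        ev += [Event(d, "asmith", "read", f"\\\\fs01\\hr\\policy_{d}_{i}.docx") for i in range(3)]
    ev += [Event(REVIEW_DAY, "asmith", "read", f"\\\\fs01\\hr\\policy_7_{i}.docx") for i in range(3)]
    ev += [Event(REVIEW_DAY, "jdoe", "read", f"\\\\fs01\\{s}\\file_{i}")
           for s in ("finance", "hr", "engineering") for i in range(15)]
    ev.append(Event(REVIEW_DAY, "jdoe", "search", "credit card numbers"))
    ev.append(Event(REVIEW_DAY, "jdoe", "group_add", "Domain Admins"))
    return ev


if __name__ == "__main__":
    for user, kind, detail in detect(constructed_events()):
        print(f"ALERT {user:8} {kind:22} {detail}")
```

Run as a script it prints one alert per abnormal behavior for jdoe and nothing for asmith, whose day looks like every other day. None of the four checks needs to know which bug the attacker used; that is the point of baselining, and it is also why the thresholds (the sigma multiplier, the one-read floor for flat baselines, the sensitive-term list) have to be tuned to your own environment rather than copied from here.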

Zero-Day Attack Examples

Each year dozens of zero-day vulnerabilities are found being exploited in the wild and then patched by software vendors. One of the most infamous flaws of recent years is the Apache Struts vulnerability (nicknamed Strutshock) used in the Equifax data breach. It was being exploited within days of its disclosure in March 2017, and a patch shipped the same month, but Equifax didn’t apply the update and was breached two months later. Strictly speaking that made it an attack on a known, patched flaw rather than a zero-day attack, which is exactly why the window of exposure only closes when the patch is actually installed.

Other notable zero-day attacks:

Tips to Prevent Zero-Day Vulnerabilities

Protecting your network from zero-day attacks requires behavior-based data monitoring that helps protect against both known and unknown threats. Varonis establishes behavioral baselines to detect unusual activity in your network and alerts on suspicious behavior so you can respond and stop the threat before it becomes a data breach. Signature-based systems won’t detect a zero-day exploit, but a data-centric solution can detect the digital footprints of a zero-day attack in progress.

See how Varonis detects attacks with a free 1:1 demo – and discover the best practices to defend against zero-day attacks.
