What is a Zero Day Vulnerability?
A zero-day vulnerability is a security flaw in software or hardware that is known to attackers (or to the public) before the vendor has a fix in place. The related terms are often used loosely: a zero-day exploit is code that takes advantage of such a flaw, and a zero-day attack (or zero-day threat) is the use of that exploit against a target. The name comes from the vendor having had "zero days" to prepare a patch: by the time the flaw is discovered by the defenders, it is already being exploited or is already public, so there is no window in which to fix it before it is used.
What is a Vulnerability?
A security vulnerability is a flaw in software or hardware, usually introduced unintentionally through a programming error, a design mistake, or a misconfiguration, that an attacker can use to break a security property of the system (for example, to run code, read data, or gain privileges). Because nobody put the flaw there on purpose, nothing announces its presence: a vulnerability can sit unnoticed in shipped code for days, months, or even years.
How Do Zero-Day Vulnerabilities Work?
When attackers identify a previously unknown vulnerability, they write an exploit: code that triggers the flaw in a controlled way so that the attacker's own instructions run or a protection is bypassed. The exploit is usually packaged with a payload (the malware that does the attacker's actual work, such as a backdoor or a data stealer) inside a file or network message that carries it to the target. When the exploit fires, the system is compromised.
There are various ways to deliver a zero-day exploit. One common approach is phishing: deceptive emails carrying attachments or links whose content embeds the exploit, so that the flaw is triggered when the user opens the document or the browser renders the page. Other delivery paths include compromised or malicious websites and direct attacks on services exposed to the network.
A well-known example is the 2014 attack on Sony Pictures Entertainment, in which sensitive information, including unreleased films, email between senior employees, and business plans, was stolen and released to the public. The attackers are believed to have used a zero-day vulnerability to gain their foothold.
Zero-day vulnerabilities can negatively affect businesses in several ways. In addition to the loss of valuable or confidential data, customers may lose trust in the business, and the company may be forced to divert engineering resources to investigate and fix the flaw while, in the meantime, the exploit remains usable against every unpatched installation.
How to Detect Zero-Day Threats
By definition, zero-day threats are difficult to detect: there is no patch and, at first, no known indicator to look for. Several strategies have been developed to help:
- Statistics-based detection: Machine learning or simpler statistical methods are trained on historical data (past exploits and, more importantly, normal activity) to build a baseline of expected behavior; events that fall outside the baseline are flagged in real time. The drawback is that the baseline is only as good as the data it was built from: a legitimate change in how systems are used produces false positives until the profile is rebuilt, and an attacker whose activity stays close to normal patterns may go unflagged.
- Signature-based detection: The oldest approach in security monitoring. Databases of malware signatures (file hashes, byte patterns, or other unique values that indicate the presence of known malicious code) are checked against local files, downloads, and network traffic. The drawback is that a signature can only identify a threat that has already been seen and catalogued, so this method misses a true zero-day exploit until a sample has been analyzed and a signature published.
- Behavior-based detection: Instead of inspecting what a file contains, the system observes what running software does (which processes it starts, which files and registry keys it touches, where it connects on the network) and compares that against the behavior expected of that program. An exploit that makes a word processor launch a command shell, or an application connect to an unknown host, is flagged even though no signature exists for it. This is the most useful of the three against zero-day exploits, at the cost of more tuning to keep false positives manageable.
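The three approaches side by side, as an added example that is not part of the original page. The process telemetry, the "known" malware sample, the baseline counts and the detection rules are all constructed for illustration; the point is that a recompiled variant of known malware (new hash, same behaviour) slips past the signature check but is caught by the baseline and behaviour rules, and that a baseline also fires on a legitimate pair it has never seen.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event from endpoint telemetry (constructed for the example)."""
    parent: str     # image name of the parent process
    image: str      # image name of the new process
    cmdline: str    # command line of the new process
    payload: bytes  # bytes of the executed file, stands in for the real binary

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


# Constructed "known" malware sample; the signature database holds only its hash.
KNOWN_DROPPER = b"MZ\x90\x00constructed-known-dropper-v1"
SIGNATURE_DB = {hashlib.sha256(KNOWN_DROPPER).hexdigest()}

# Constructed baseline: (parent, child) process pairs counted over a clean period.
BASELINE = Counter({
    ("explorer.exe", "winword.exe"): 120,
    ("explorer.exe", "chrome.exe"): 300,
    ("services.exe", "svchost.exe"): 900,
})

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed telemetry. update.exe is a recompiled variant of the known dropper:
# same behaviour, different bytes, so its hash is not in SIGNATURE_DB.
EVENTS = [
    ProcessEvent("explorer.exe", "winword.exe", "winword.exe invoice.docx", b"office-binary"),
    ProcessEvent("winword.exe", "dropper.exe", "dropper.exe", KNOWN_DROPPER),
    ProcessEvent("winword.exe", "update.exe", "update.exe", b"MZ\x90\x00constructed-variant-v2"),
    ProcessEvent("winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA", b"ps-binary"),
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs", b"svchost-binary"),
]


def signature_detect(events, signature_db=SIGNATURE_DB):
    """Signature-based: flag an event only if the file's hash is already catalogued."""
    return [e for e in events if e.sha256 in signature_db]


def baseline_detect(events, baseline=BASELINE):
    """Statistics-based: flag parent/child pairs never observed in the baseline.
    Drawback from the text: a new but legitimate pair also fires until the
    baseline is rebuilt to include it."""
    return [e for e in events if baseline[(e.parent, e.image)] == 0]


def behavior_detect(events):
    """Behaviour-based: judge what the process does, not what the file contains."""
    hits = []
    for e in events:
        reasons = []
        if e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            reasons.append("office application spawned a script host")
        elif e.parent in OFFICE_APPS and e.image not in OFFICE_APPS:
            reasons.append("office application spawned an unexpected executable")
        args = e.cmdline.lower().split()
        if "-enc" in args or "-encodedcommand" in args:
            reasons.append("encoded PowerShell command line")
        if reasons:
            hits.append((e, reasons))
    return hits


def compare(events):
    """Which images each method flags, and what the signature check alone would miss."""
    sig = {e.image for e in signature_detect(events)}
    stat = {e.image for e in baseline_detect(events)}
    beh = {e.image for e, _ in behavior_detect(events)}
    return {"signature": sig, "statistics": stat, "behavior": beh,
            "missed_by_signature": (stat | beh) - sig}


if __name__ == "__main__":
    for method, images in compare(EVENTS).items():
        print(f"{method:>20}: {sorted(images)}")
```

The behaviour rules here are deliberately narrow (Office spawning a script host, encoded PowerShell); a real deployment needs many more, plus an allow-list for the legitimate cases each rule catches, which is the tuning cost mentioned above.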
How to Prevent Zero-Day Attacks:
While no single approach can completely prevent security vulnerabilities from appearing in code, several tactics and tools reduce the risk that an unknown vulnerability can be exploited. Two of the most useful for stopping exploits before they reach a vulnerable system are browser isolation and firewalls. They work best alongside the basics: least privilege, so that a compromised process can do little, and prompt patching, so that only genuinely unknown flaws remain available to attackers.
Browser Isolation:
Everyday activities such as opening an email attachment, loading a web page, or filling out a form mean running code from untrusted sources on the user's device, which is exactly where an attacker can trigger a vulnerability in the browser, a plugin, or a document viewer. Browser isolation keeps that activity separate from the end-user device and the corporate network, so that code in a malicious page or file does not run on the user's machine and a successful exploit is contained. Browser isolation can be done in three ways:
- Remote browser isolation: Web pages are loaded and code is executed on a remote cloud server, away from users' devices and organizations' internal networks.
- Local browser isolation: This works similarly to remote browser isolation, but takes place on an internally managed server.
- Client-side browser isolation: Web pages are still loaded on the user's device, but sandboxing — a security mechanism to keep programs running separately — ensures that content and code are separated from the rest of the device.
Firewall
A firewall is a security system that inspects incoming and outgoing traffic and allows or blocks it according to pre-defined security policies. Firewalls sit between trusted and untrusted networks (often the internet) to keep threats from reaching the trusted network and to keep sensitive information from leaving it. They can be implemented in hardware, in software, or a combination of both. A firewall that filters only on addresses and ports cannot recognize a zero-day exploit as such, but it can shrink the attack surface: a vulnerable service that is not reachable from the internet cannot be exploited from there, and a strict egress policy can stop an exploit's payload from fetching further stages or sending data out. Firewalls that inspect application-layer content (web application firewalls and intrusion prevention systems) can additionally block traffic that matches the shape of an attack on a particular vulnerability, a practice often called virtual patching, which buys time until a real patch is available.
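A minimal first-match policy engine, added here as an example and not code from the original page. The zones, rules and packets are constructed; the example shows that a rule blocking an exposed service (here SMB) protects an unpatched host from remote exploitation regardless of what the exploit looks like, that a strict egress rule limits what a successful exploit can do afterwards, and that rule order matters: a broad allow placed above the block silently disables it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed flow summary: the fields a stateless packet filter looks at."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: str                          # source CIDR
    dst: str                          # destination CIDR
    dports: frozenset = frozenset()   # destination ports, empty means any
    proto: str = "any"
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("any", p.proto):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))


ANY = "0.0.0.0/0"
TRUSTED = "10.0.0.0/8"      # the corporate network behind the firewall (constructed)
WEB_TIER = "10.0.1.0/24"    # the only internal hosts that should be reachable from outside

# Constructed perimeter policy, evaluated top to bottom, first match wins.
# Only traffic crossing the perimeter is evaluated; internal-to-internal traffic never reaches it.
POLICY = [
    Rule("deny", ANY, TRUSTED, frozenset({139, 445}),
         comment="SMB must never be reachable from outside; shields an unpatched file server"),
    Rule("allow", ANY, WEB_TIER, frozenset({443}), proto="tcp", comment="public HTTPS only"),
    Rule("allow", TRUSTED, ANY, frozenset({53, 80, 443}), comment="ordinary outbound DNS and web"),
    Rule("deny", TRUSTED, ANY, comment="all other egress: stops payload callbacks and bulk exfiltration"),
]


def evaluate(packet: Packet, policy=POLICY):
    """Return (action, reason) for the first rule that matches, else the implicit default deny."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action, rule.comment
    return "deny", "default deny: nothing matched"


# Constructed traffic to evaluate.
SAMPLES = [
    Packet("198.51.100.7", "10.0.1.10", 443),    # internet -> web tier HTTPS
    Packet("198.51.100.7", "10.0.1.10", 445),    # internet -> web tier SMB
    Packet("198.51.100.7", "10.0.2.20", 22),     # internet -> internal SSH
    Packet("10.0.5.4", "93.184.216.34", 443),    # workstation -> internet HTTPS
    Packet("10.0.5.4", "203.0.113.9", 4444),     # workstation -> internet, unusual port
]

# A broad "temporary" allow placed first shadows every rule below it, including the SMB block.
SHADOWING_RULE = Rule("allow", ANY, TRUSTED, comment="temporary troubleshooting rule, never removed")

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}", evaluate(p))
    print("with shadowing rule first:", evaluate(SAMPLES[1], [SHADOWING_RULE] + POLICY))
```

Real firewalls add connection state, so that replies to allowed outbound connections are admitted without a separate inbound rule; the ordering lesson is the same there, and most products can list rules that are shadowed by an earlier one, which is worth running after every policy change.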