A zero-day attack is one that exploits a vulnerability before the vendor or the defending organization knows it exists, meaning a security team has had “zero days” to prepare a fix or a mitigation for the vector through which the attacker gained entry.
Indeed, according to the National Institute of Standards and Technology (NIST), a zero-day attack “exploits a previously unknown hardware, firmware, or software vulnerability.”
A zero-day vulnerability is one that was previously unknown to the vendor and to the defending security organization, and for which no patch or workaround yet exists. A fix therefore has to be developed quickly, from the ground up, before a threat actor finds and exploits the flaw. If the vulnerability has not yet been exploited, a security operations center (SOC) is in a fortunate position: it still has a window in which to act.
But if there are signs the vulnerability has already been exploited, then it's time to act quickly to limit the impact of the attack in progress.
A zero-day exploit is the code or technique a threat actor uses to take advantage of the vulnerability before the affected vendor or any security personnel are aware of it. From there, an attacker hopes to have as much time as possible to move freely around the target network and steal as much data as possible.
Organizational reputation can be severely damaged if word of a zero-day exploit becomes public.
Zero-day attacks typically follow a phased approach to the target network. A threat actor begins by looking for vulnerabilities. After finding one – and deciding it’s worth the effort to exploit – the attacker develops or acquires code to exploit it.
From there, the attacker identifies the vulnerable systems and gains a foothold at that entry point. If they’ve gone undetected to this point, the attacker can expand across the target network to seek out valuable data, hold it for ransom, and/or sell it to the highest bidder.
A zero-day attack could be perpetrated by a threat actor group, working as a team to steal highly sensitive information from their victims. Or, it could be one highly sophisticated perpetrator, compromising dozens or hundreds of organizations simultaneously by leveraging custom tooling to exploit vulnerabilities.
According to Rapid7’s 2024 Attack Intelligence Report, vulnerabilities exploited in targeted zero-day attacks often have higher-profile backstories. That follows naturally: it’s never good for a company’s reputation to learn that its network has an active attack in progress, one that may have been underway for some time before it was discovered.
Many security researchers now track the time between when a vulnerability becomes publicly known and when it is reliably reported as exploited. This window is known as “time to known exploitation,” and it has narrowed considerably in the past few years, largely because of the rise in zero-day attacks, where exploitation begins before public disclosure and the window is effectively zero.
Zero-day attacks are perhaps the most sensationalized stories in cybersecurity because defenders have had no time to prepare for them.
They can cause a frenzy in an environment that was, until very recently, going about business as usual. Let’s take a look at a few prominent examples of zero-day attacks from the recent past.
As a measure of how effective, widespread, and popular zero-day attacks have become with threat actors: 53% of new widespread threat vulnerabilities through the beginning of 2024 were exploited before software producers could ship fixes.
Identifying zero-day attacks requires a fundamental shift in, or addition to, a SOC’s practices: incorporating proactive measures that let security practitioners and analysts look beyond the network perimeter.
In this way, they can actively hunt for threats using telemetry and indicators that the wider security community has identified as suspicious. With enhanced endpoint telemetry, teams can quickly review logs and gain critical visibility into endpoint activity. Let’s take a look at some other techniques for identifying zero-day attacks.
Managing vulnerabilities – or simply becoming aware of them – is perhaps the single most important thing a SOC can do when it comes to identifying potential zero-day attacks.
The overall goal is to identify a critical vulnerability before it can be exploited. Where that is not possible, teams can use a capable vulnerability management (VM) tool to shrink the time between exploitation and discovery.
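The core of what a VM tool does for the zero-day case is match an asset inventory against advisories and rank what is exploited in the wild (and, worse, exploited with no fix available) above everything else. The following is an added example, not code from the original page or from any vendor product; the product names, versions and advisory IDs are constructed and hypothetical, chosen only to exercise the version-range logic.

```python
import re

# Constructed inventory and advisory list (hypothetical product names, versions and
# advisory IDs, not real CVE data). Each advisory gives the affected version range,
# the first fixed version (None if no patch exists yet) and whether exploitation
# in the wild has been reported.
INVENTORY = [
    {"host": "fw-edge-01", "product": "ExampleGateway", "version": "7.2.3"},
    {"host": "fw-edge-02", "product": "ExampleGateway", "version": "7.4.1"},
    {"host": "mail-01",    "product": "ExampleMail",    "version": "2.0.9"},
    {"host": "app-01",     "product": "ExampleApp",     "version": "10.1.0"},
]

ADVISORIES = [
    {"id": "ADV-0001", "product": "ExampleGateway", "affected_from": "7.0.0",
     "fixed_in": "7.2.5", "known_exploited": True},
    {"id": "ADV-0002", "product": "ExampleMail",    "affected_from": "2.0.0",
     "fixed_in": "2.1.0", "known_exploited": False},
    {"id": "ADV-0003", "product": "ExampleApp",     "affected_from": "10.0.0",
     "fixed_in": None,    "known_exploited": True},   # zero-day: exploited, no fix
]


def parse_version(version):
    """Turn '7.2.3' into (7, 2, 3) so versions compare numerically.
    String comparison would wrongly put '7.10.0' before '7.9.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version, advisory):
    """True if version is inside [affected_from, fixed_in). An advisory with no
    fixed_in affects every version at or above affected_from."""
    v = parse_version(version)
    if v < parse_version(advisory["affected_from"]):
        return False
    fixed = advisory["fixed_in"]
    return fixed is None or v < parse_version(fixed)


def priority_for(advisory):
    """Rank by exploitation status, not by CVSS alone: an exploited bug with no
    patch is the zero-day case and goes first."""
    if advisory["known_exploited"] and advisory["fixed_in"] is None:
        return "P0-zero-day"
    if advisory["known_exploited"]:
        return "P1-known-exploited"
    return "P2-patch"


def assess(inventory, advisories):
    """Return affected (host, advisory, priority) findings, highest priority first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] == asset["product"] and is_affected(asset["version"], adv):
                findings.append({"host": asset["host"], "advisory": adv["id"],
                                 "priority": priority_for(adv)})
    order = {"P0-zero-day": 0, "P1-known-exploited": 1, "P2-patch": 2}
    return sorted(findings, key=lambda f: order[f["priority"]])


if __name__ == "__main__":
    for finding in assess(INVENTORY, ADVISORIES):
        print(f'{finding["priority"]:20} {finding["host"]:12} {finding["advisory"]}')
```

In the sample data the patched gateway (7.4.1) produces no finding, the unpatched one is flagged as known-exploited, and the application with an exploited-but-unpatched advisory sorts to the top as the zero-day exposure. A real tool would also attach compensating controls (the vendor workaround, network isolation) to the P0 entries, since there is no patch to deploy.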
Network traffic analysis (NTA) monitors network activity so that there is a continuously updated, real-time record of what’s happening on the network. With NTA, a SOC not only gains improved visibility into devices across the network, but can also respond to investigations faster, with richer detail and additional network context.
Observing and reporting verified indicators of compromise (IOCs) helps the wider security community identify the same activity earlier on their own attack surfaces. IOCs are data found during forensic analysis – such as IP addresses, domains, URLs, or file hashes – that can alert analysts to a past or ongoing attack or breach.
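Putting shared IOCs to use means sweeping your own logs for them, and in practice the indicators arrive “defanged” (hxxp, [.]) so they cannot be clicked, which means they must be normalized before they will ever match a log line. The following is an added example, not code from the original page or from any vendor product; the IOC list and the log lines are constructed (the IP addresses come from the documentation ranges and the hash is SHA-256 of empty input), and the token and URL handling are assumptions about a generic key=value log format.

```python
import re

# Constructed IOC list, in the defanged form analysts typically receive it.
SHARED_IOCS = [
    "198.51.100.23",                                  # IP (RFC 5737 documentation range)
    "hxxp://update[.]example-cdn[.]test/payload",     # defanged URL
    "example-cdn[.]test",                             # defanged domain
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of empty input
]

# Constructed log lines (proxy, EDR, auth, DNS), not from a real system.
SAMPLE_LOGS = [
    "2024-10-23T10:01:02Z proxy src=10.0.0.5 dst=198.51.100.23 url=http://update.example-cdn.test/payload status=200",
    "2024-10-23T10:01:05Z edr host=ws-17 proc=rundll32.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-10-23T10:02:11Z auth user=jdoe src=10.0.0.9 result=success",
    "2024-10-23T10:03:40Z dns host=ws-21 query=mail.example.test answer=203.0.113.7",
]


def refang(indicator):
    """Undo common defanging so the indicator looks like what logs actually contain."""
    s = indicator.strip().lower()
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s


def normalize_iocs(iocs):
    return {refang(i) for i in iocs}


# Assumed log format: whitespace-separated key=value pairs; split on both so that
# "dst=198.51.100.23" yields the bare value as a token.
TOKEN_RE = re.compile(r"[^\s=\"',;]+")
URL_HOST_RE = re.compile(r"https?://([^/:]+)")


def matching_domain(host, wanted):
    """Return the IOC that equals host or is a parent domain of it, else None.
    A domain IOC should also catch its subdomains (update.example-cdn.test)."""
    for w in wanted:
        if host == w or host.endswith("." + w):
            return w
    return None


def scan_logs(log_lines, iocs):
    """Return a list of (line_number, matched_indicator) hits, in log order."""
    wanted = normalize_iocs(iocs)
    hits = []

    def record(n, w):
        if (n, w) not in hits:
            hits.append((n, w))

    for n, line in enumerate(log_lines, start=1):
        for tok in TOKEN_RE.findall(line.lower()):
            if tok in wanted:              # exact IP, hash, URL or domain match
                record(n, tok)
            m = URL_HOST_RE.match(tok)     # also check the host inside a URL token
            if m:
                w = matching_domain(m.group(1), wanted)
                if w:
                    record(n, w)
    return hits


if __name__ == "__main__":
    for line_no, ioc in scan_logs(SAMPLE_LOGS, SHARED_IOCS):
        print(f"line {line_no}: matched IOC {ioc}")
```

Note that the hash comparison only works because both sides are lowercased; hash case varies between tools, and a sweep that forgets this silently misses every EDR hit. The suffix match on domains is deliberate: actors rotate subdomains under a controlled apex far more often than they change the apex itself.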
Pivoting to the prevention of zero-day attacks, there are several technologies and methodologies to aid practitioners in what amounts to seeing in the dark. The goal is to make visible what can be incredibly difficult to see and detect – so a team can act, and shut the attack down, fast.
Collecting forensic evidence of a past attack can help a SOC understand whether a historical attack could still be ongoing. Digital forensics and incident response (DFIR) tooling collects this forensic data, also known as artifacts, and proactively hunts for potential IOCs.
To monitor the business’s internet-facing assets, external attack surface management (EASM) can be very effective. An EASM platform can monitor for exposed credentials, public-cloud misconfigurations, and other weaknesses in assets that carry greater inherent exposure risk.
Intrusion detection and prevention systems (IDPS) are something of a catch-all for the most sudden or imminent threats, and zero-day attacks are most certainly a type. An intrusion detection system monitors traffic passively and flags suspicious or malicious behavior; an intrusion prevention system sits inline and can block that behavior almost immediately after it’s flagged. Because a truly novel exploit has no signature yet, anomaly- and behavior-based rules are what give an IDPS a chance against a zero-day.
Threat intelligence is the most proactive of these techniques: it lets teams defend their network before any real damage reaches the perimeter. By maintaining real-time visibility into threat feeds, threat hunters can become familiar with circulating threats and ready their network in case one comes their way.
Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks