A Definition of Zero-day
A zero-day may refer to one of two things: a zero-day vulnerability or a zero-day exploit. Simply put, a zero-day vulnerability is an unpatched software flaw previously unknown to the software vendor, and a zero-day exploit is a hacking attack that leverages a zero-day vulnerability to compromise a system or device. The term “zero-day” actually refers to the number of days the software vendor has been aware of the vulnerability or its exploit. The term originated from the days of digital bulletin boards, when “zero-day” referred to the number of days since a new software program had been released to the public. In those days, zero-day software was unreleased software that was highly desired by hackers who wanted to obtain it first.
Zero-Day Vulnerability
A zero-day vulnerability refers to a security flaw in software that is unknown to the software maker or to antivirus vendors. These security holes can exist in any type of software and are particularly common in browser software, operating system software, and widely used software from companies such as Adobe, Oracle, and Apple. While the vulnerability may not be known publicly, it can be discovered by researchers or attackers.
Companies are unaware of zero-day vulnerabilities until they are disclosed, so until then there are no security patches available to fix these flaws. Because the window between the discovery of a zero-day vulnerability and the issuing of a patch to fix it presents a valuable opportunity to attackers seeking to exploit the flaw, zero-day vulnerabilities are often bought and sold by cyber criminals operating on the black market. Prices for zero-day vulnerabilities and exploit kits vary greatly, but can fetch upwards of $5,000. Of course, vulnerabilities that exist in multiple versions of a major operating system or other widely used software will be much more valuable than those that exist only in a single software version.
Zero-Day Exploit
A zero-day exploit refers to code that attackers use to exploit a zero-day vulnerability. Hackers can use zero-day exploits to gain access to data or networks or install malware onto a device. Some of the most valuable exploits today are those that bypass built-in security protections. Unfortunately, antivirus signatures cannot detect zero-day exploits; however, next-gen security solutions like endpoint detection and response may detect a zero-day using heuristics, or behavior-tracking algorithms that spot suspicious or malicious behavior.
What Does Zero-day Mean for My Organization?
Both zero-day vulnerabilities and zero-day exploits are extremely valuable. Criminal hackers and spies engaged in state-sponsored or corporate espionage rely on zero-day vulnerabilities and zero-day exploits to carry out attacks and compromise sensitive data. Zero-days are becoming more common, partly because of the emergence of the large market for buying and selling zero-day vulnerabilities and corresponding exploit kits.
While zero-day exploits are becoming increasingly common, a recent article in CSO Online points out that many businesses are ill-prepared to defend against zero-day attacks, primarily because “much of the conventional wisdom about security is reactive and most of the security tools available are only effective against known threats.” Modern enterprises taking a proactive approach to security are better prepared to defend against ruthless attackers.
The best defense against zero-day attacks is one that is focused on detection and response, as prevention efforts typically fail against unknown vulnerabilities or exploits. Data visibility is key to early detection of a zero-day attack or compromise – by monitoring all data access and activity for anomalous behavior, enterprises can quickly identify and contain compromises before data is lost and the damage is done.
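The behavior-based detection mentioned above (heuristics in the "Zero-Day Exploit" section and monitoring data access for anomalous behavior here) can be illustrated with a small baseline-and-deviation check. The following script is an added example, not code from the original article or from any product it mentions: it builds a per-user profile from a day of constructed data-access log lines (which areas of the file share each user touches, at which hours, and how many events they generate within a short window), then flags later activity that departs from that profile. The log format, the user names, the paths, the 60-second burst window and the factor-of-two threshold are all assumptions made for the example; the point is that nothing here depends on a signature for the exploit, only on the compromised account behaving differently from its own history.

```python
"""Baseline-and-deviation detection over constructed data-access log lines.

Added illustration, not from the original article. The log format, users,
paths and thresholds are constructed assumptions for the example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <user> <action> <path>".
BASELINE_LOG = """\
2024-03-01T09:05:00 alice READ /finance/q1/budget.xlsx
2024-03-01T09:40:00 alice READ /finance/q1/forecast.xlsx
2024-03-01T10:10:00 alice WRITE /finance/q1/budget.xlsx
2024-03-01T11:00:00 alice READ /finance/q1/notes.txt
2024-03-01T09:15:00 bob READ /eng/design/spec.md
2024-03-01T10:30:00 bob WRITE /eng/design/spec.md
2024-03-01T13:00:00 bob READ /eng/design/api.md
"""

# Constructed "next day" lines: alice behaves as usual, bob's account reads
# many files outside his normal area, at night, in quick succession.
OBSERVED_LOG = """\
2024-03-02T09:05:00 alice READ /finance/q1/budget.xlsx
2024-03-02T09:06:00 alice READ /finance/q1/forecast.xlsx
2024-03-02T03:12:00 bob READ /eng/design/spec.md
2024-03-02T03:12:05 bob READ /hr/salaries.csv
2024-03-02T03:12:07 bob READ /hr/reviews.csv
2024-03-02T03:12:09 bob READ /finance/q1/budget.xlsx
2024-03-02T03:12:11 bob READ /finance/q1/forecast.xlsx
2024-03-02T03:12:13 bob READ /legal/contracts.zip
"""

BURST_WINDOW = 60  # seconds; assumed window for counting rapid-fire access


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    path: str


@dataclass
class Profile:
    dirs: set[str]    # top-level areas the user normally touches
    hours: set[int]   # hours of day the user is normally active
    max_burst: int    # most events seen inside any BURST_WINDOW seconds


def parse(log: str) -> list[Event]:
    """Parse the constructed four-field log format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, path))
    return events


def top_dir(path: str) -> str:
    """'/finance/q1/budget.xlsx' -> 'finance'."""
    return path.strip("/").split("/", 1)[0]


def burst_count(times: list[datetime], window: int) -> int:
    """Largest number of timestamps falling inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def group_by_user(events: list[Event]) -> dict[str, list[Event]]:
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    return by_user


def build_profiles(events: list[Event]) -> dict[str, Profile]:
    """Summarise each user's normal behaviour from the baseline period."""
    return {
        user: Profile(
            dirs={top_dir(e.path) for e in evs},
            hours={e.ts.hour for e in evs},
            max_burst=burst_count([e.ts for e in evs], BURST_WINDOW),
        )
        for user, evs in group_by_user(events).items()
    }


def detect(profiles: dict[str, Profile], events: list[Event],
           burst_factor: int = 2) -> list[tuple[str, str, str]]:
    """Return (user, finding_type, detail) for activity outside the profile."""
    findings = []
    for user, evs in group_by_user(events).items():
        prof = profiles.get(user)
        if prof is None:  # an account with no history at all is itself notable
            findings.append((user, "unknown_user", f"{len(evs)} events, no baseline"))
            continue
        new_dirs = sorted({top_dir(e.path) for e in evs} - prof.dirs)
        if new_dirs:
            findings.append((user, "new_area", ",".join(new_dirs)))
        odd_hours = sorted({e.ts.hour for e in evs} - prof.hours)
        if odd_hours:
            findings.append((user, "off_hours", ",".join(map(str, odd_hours))))
        burst = burst_count([e.ts for e in evs], BURST_WINDOW)
        if burst > burst_factor * prof.max_burst:
            findings.append((user, "burst",
                             f"{burst} events in {BURST_WINDOW}s (baseline max {prof.max_burst})"))
    return findings


if __name__ == "__main__":
    for finding in detect(build_profiles(parse(BASELINE_LOG)), parse(OBSERVED_LOG)):
        print(finding)
```

Run as-is, the script reports nothing for alice and three findings for bob (new areas, off-hours activity, and a burst of reads), which is the kind of signal an analyst would triage and, if confirmed, use to contain the account before more data leaves. In practice the baseline would span weeks rather than a day and the thresholds would be tuned per environment, but the structure is the same: profile normal access, then alert on deviation rather than on a known indicator.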