The worst security vulnerabilities are those that companies are unaware of. So what happens when these software flaws are used to attack?
Take the example of the Log4J issue in 2021, the MOVEit vulnerability of 2023, or the recently patched Ivanti flaws. These high-profile issues have one thing in common: Adversaries exploited holes in popular enterprise software before they could be found by security researchers or patched by the vendor, resulting in a flood of successful breaches.
These issues, known as zero-day exploits because an adversary exploited the vulnerability before it could be fixed, are a growing threat to all businesses.
So what exactly is a zero-day exploit, what software is at risk, and what can businesses do to protect themselves?
Understanding zero-day exploits
All security vulnerabilities are zero-day at some point. After all, security flaws can't be fixed until the provider knows about them. However, an attack that uses a zero-day issue will have the greatest impact on a business, simply because a patch is not yet available and you may not know you have been attacked.
Attacks that use zero-day vulnerabilities are particularly attractive to adversaries because their chances of success when systems are unpatched are high. “Exploitation of a vulnerability is more likely on day zero because there is no patch,” says Dan Llewellyn, CTO of xDesign.
In today's interconnected, software-driven world, security vulnerabilities are a fact of life. Often, zero-day exploits occur due to human error during the development process, says AJ Makwana, focal analyst at NormCyber. “When multiple departments are working on the code, there may not be strong enough policies in place to ensure that any changes to the code are properly reviewed. Historically, these flaws are introduced due to a lack of security awareness.”
Attackers tend to cast their nets wide, which is why popular software is more likely to be at risk of zero-day attacks. For example, devices that use products from software giant Microsoft are at risk, says Jack Peters, customer solutions architect at M247. “On a global level, it is estimated that Windows 10 and 11 are installed on a total of 1.4 billion devices. It is not surprising that opportunists seek victims through Windows firmware or Office Suite every time Microsoft releases an update.”
Additionally, Peters says, hackers can attack servers running MySQL, which was seen in the Progress Software MOVEit Transfer breach in May of last year. “This exploited vulnerabilities in outdated browser plugins or misconfigured VPN gateways to gain access to target systems. The alarming thing about zero-day exploits is that there are numerous entry points that hackers can target.”
Adversaries will typically attack key systems with zero-day exploits, Makwana agrees. This can include authentication systems such as Active Directory, server architectures including Windows or Kubernetes servers, and edge systems such as firewalls, switches, routers, and wireless access points. “For most attackers, this will be the most difficult entry point. Once they have a foothold through an exposed server, threat actors will look to leverage other exploits to move laterally across environments.”
How to detect zero-day exploits and protect your business
You can't prevent attacks you don't know about, but there are ways to detect adversaries using a zero-day exploit to attack your business. Detecting attacks that use zero-day exploits involves monitoring unusual activity that deviates from normal operations, says Michael Skelton, vice president of security operations and hacker success at Bugcrowd.
This includes unexpected system behaviors, unexplained network traffic spikes, and irregularities in user account activities, he says. Tools like intrusion detection systems (IDS) and security information and event management systems (SIEM) can help detect these anomalies, he adds.
Because zero-day exploits are inherently unknown, security teams should do everything they can to understand weaknesses in internal or customer environments and seek to mitigate any flaws with monitoring, Makwana says. “Detecting unwanted executions of abnormal software or scripts and external connections to unknown IP addresses are some great ways to monitor unauthorized access.”
This is usually done with a layered approach, he advises. “Gathering threat intelligence on known threat actors would help monitor rules and detect unwanted behavior such as data exfiltration.”
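The two monitoring signals Makwana describes, executions from outside expected locations and outbound connections to unknown IP addresses, can be expressed as a simple baseline-deviation check. The following is an added illustration, not code from the article or from any vendor quoted in it; the telemetry lines, directory allowlist and address ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample telemetry (not from the article): one event per line,
# "timestamp host kind detail". Process events carry the executable path;
# net events carry the destination IP:port.
SAMPLE_EVENTS = """\
2024-03-01T09:00:01 web01 process /usr/sbin/nginx
2024-03-01T09:00:05 web01 net 10.0.0.5:5432
2024-03-01T09:01:10 web01 process /tmp/.x/update.sh
2024-03-01T09:01:12 web01 net 203.0.113.77:8443
2024-03-01T09:02:00 app02 process /usr/bin/python3
2024-03-01T09:02:03 app02 net 198.51.100.23:443
2024-03-01T09:03:30 app02 net 192.0.2.10:4444
"""

# Assumed baseline of normal operations; in a real deployment this would be
# learned from the environment rather than hard-coded.
KNOWN_EXECUTABLE_DIRS = ("/usr/bin/", "/usr/sbin/", "/opt/app/")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("198.51.100.23")}  # e.g. a known API endpoint

def parse_event(line):
    ts, host, kind, detail = line.split(" ", 3)
    return {"ts": ts, "host": host, "kind": kind, "detail": detail}

def is_unexpected_process(path):
    # Anything run from outside the expected install directories is flagged;
    # world-writable locations such as /tmp are a common place for dropped payloads.
    return not path.startswith(KNOWN_EXECUTABLE_DIRS)

def is_unknown_external(dest):
    ip_str, _, _port = dest.rpartition(":")
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):
        return False
    return ip not in ALLOWED_EXTERNAL

def find_anomalies(log_text):
    """Return (host, reason, detail) tuples for events that deviate from the baseline."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev["kind"] == "process" and is_unexpected_process(ev["detail"]):
            findings.append((ev["host"], "unexpected-execution", ev["detail"]))
        elif ev["kind"] == "net" and is_unknown_external(ev["detail"]):
            findings.append((ev["host"], "unknown-external-connection", ev["detail"]))
    return findings

def high_confidence_hosts(findings):
    """Layered view: hosts showing both an odd execution and an unknown outbound connection."""
    by_host = {}
    for host, reason, _ in findings:
        by_host.setdefault(host, set()).add(reason)
    return {h for h, reasons in by_host.items() if len(reasons) == 2}
```

Running `find_anomalies(SAMPLE_EVENTS)` flags the /tmp execution and two external connections, and `high_confidence_hosts` singles out web01, where both signals coincide.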
There's not much you can do about a zero-day flaw until a patch is available. However, by staying ahead of emerging threats, it may be possible to implement measures to mitigate the risk of the flaw being used in an attack, says Leon Teale, senior penetration tester at IT Governance.
If a zero-day exploit is shared among the hacking community, especially if it affects software used by millions of systems, a company could be attacked, he says.
Therefore, it's a good idea to ensure that the IT or security team remains subscribed to articles that cover emerging threats or newly identified zero-days, Teale says. “This will ensure they can mitigate the risk as quickly as possible while waiting for the software vendor to release a security patch.”
When a fix is already available, the first thing you should do if you learn of a zero-day vulnerability is to patch your systems. Makwana recommends patching the most critical vulnerabilities, including zero-days, as quickly as possible. “The UK National Cyber Security Centre's Cyber Essentials scheme recommends 14 days as best practice.”
Overall, protecting your business from zero-day exploits requires a proactive, layered security approach, says Darren Anstee, chief security technology officer at NETSCOUT. “Organizations should ensure their systems and software are updated regularly to minimize vulnerabilities. Strengthening access controls and network segmentation can also make it more difficult to access an exploitable system, limiting any lateral movement.”
This may mean applying zero-trust security, a strategy that makes your organization “trust nothing and verify everything.” A zero-trust approach will help minimize the impact of a zero-day exploit, Llewellyn says. “If a component is vulnerable and exploited, leading to full takeover of a device on your network, a zero trust approach can ensure that's where the problem ends.”