Your Ultimate Guide to Zero-Day Attacks

By Don Carfagno | March 14th, 2018 (updated 2019-09-03)

In today’s world of business and commerce, hardly a single company or brand exists without an online presence. Likewise, the public is engaged in online activity for numerous purposes, from shopping and social activity to education and even work. As such, the safety and security of computer networks and software programs affect a sizable percentage of the global population. Anytime a company’s online security is breached, millions of dollars and untold volumes of private info are put at risk.


One of the biggest threats to the security of any company network or online software program is a zero-day attack, which can spread an infection faster than most companies can even react. Zero-day attacks are dangerous precisely because they are unexpected. Whereas companies can prepare themselves for known threats, zero-day attacks occur out of the blue and are typically the work of unknown perpetrators.

What Is a Zero-Day Vulnerability?

A zero-day vulnerability is a weakness within a computer network or software program that hackers take advantage of before the system operators or software developers even notice it exists; the code or technique used to take advantage of it is the zero-day exploit. Sometimes, even if the weakness is quickly noticed, hackers manage to exploit it before the programmers or developers have time to react.

The “zero” refers to the number of days the developers have had to fix the flaw before it is exploited: none. For instance, a global site host could release an upgrade to its platform on a given day, yet notice within 30 minutes of the launch that a vulnerability exists. A hacker could spot the same weakness within those 30 minutes, before the site developers have time to suspend the launch and develop a patch.

A zero-day exploit is typically delivered with malware, which can spread like wildfire within minutes of its release. Before the site developers or system operators even have time to react, the malware could infect thousands of computers that access the site or download the infected software.

The Prevalence of Zero-Day Vulnerabilities and Attacks

In 2017, zero-day attacks increased from eight in the previous year to a whopping 49. And even in 2016, the Zero Day Initiative discovered several vulnerabilities — 135 in Adobe products, 76 in Microsoft products and 50 in Apple products.

Unfortunately, experts predict the frequency of these threats and attacks is only going to worsen with the prevalence of technology and the increase in the amount of code being created. One group, Cybersecurity Ventures, predicted that by 2021, there will be one new exploit every day. In 2015, there was about one per week.


The most significant attack as of late was the September 2017 Equifax breach, where hackers gained access to data from the major consumer credit reporting agency. The names, Social Security numbers, addresses and driver’s license numbers of more than 143 million people in the Equifax database were stolen.

Despite this, several government and IT organizations are working to counter these damages with the power of automation. One group leading the way is the U.S. Defense Advanced Research Projects Agency (DARPA). At a demonstration in August 2016, it showed the world how automated solutions can find bugs in different types of software and then write more secure code to replace the faulty programming.

What Are Watering-Hole Attacks?

A watering-hole attack is a zero-day exploit in which a website that draws a particular group of web users is targeted by a hacker. The typical motive behind such attacks is to infect many people within this group. In most cases, the malware will spread within seconds among members of the group who happen to be online at the time of the incident.

The two major web entities that have been targeted most often by hackers are Adobe and Microsoft. The latter accounted for a third of all such incidents during 2014. For obvious reasons, zero-day attack detection has become more critical than ever.

How Do Zero-Day Exploits Occur?

A zero-day exploit can occur in one of several ways. Most often, the attack is enabled by a hole in some programming code that the hacker discovers before the programmer has time to react. In cases like these, the hacker will be hours, if not days, ahead of the programmers, who likely won’t even realize there is a breach until thousands of users have already been affected.

In some cases, the malware creator will spread the infection via links in widely distributed emails. As soon as a user clicks on the link, his or her computer is infected with code that allows the hacker to view and retrieve the unsuspecting person’s data.

5 Steps of a Zero-day Exploit

A zero-day exploit is usually carried out in five steps, which can be done just minutes after a security hole becomes available:

  1. Scan for Vulnerabilities: Hackers scan the code of new software programs in search of vulnerabilities. In certain scenarios, the exploits are exchanged between hackers.
  2. Spot a Security Hole: Once a weakness has been spotted within the program’s code, the attacker knows where to hit.
  3. Create Exploit Code: Now that the hacker knows the nature of the weakness, the game is on to develop malware that takes advantage of the situation.
  4. Infiltrate the System: Before the software developer discovers the hole or has time to react, the hacker must now slip past detection to infect the system.
  5. Launch the Exploit: With the malware code now ready, the hacker releases it on the Internet.

The reasons zero-day attacks occur are twofold. For starters, the fact that a security hole exists in the first place gives the hacker a unique opportunity. Second, the hacker will usually have a decent window of time to exploit the situation, since they are usually the first to spot the hole. Even in cases where software developers discover the problem, the hacker will still have time to exploit the weakness before a patch is created.

Another problem is the time it can take to develop a patch that successfully closes a security hole. Programmers might know about a vulnerability for weeks before they can develop a reliable fix and put an end to the problem. By that time, an untold number of computers could be infected.

In some cases, the security hole is discovered by a quick-thinking user with good intentions. However, the types of people who are quickest to spot vulnerabilities in software are generally the people most keen to exploit such vulnerabilities. When a hacker is the first to notice, they will likely either:

  • Develop malware and infect the system
  • Sell access to the security hole on the online black market

How to Detect a Zero-Day Attack

Preventing zero-day attacks is only possible if you know the types of vulnerabilities hackers typically exploit. Security teams employ four basic methods to detect zero-day attacks.

  1. Statistical: Builds a profile of normal activity from historical data and flags traffic that deviates from it, estimating the probability and likely source of a given attack
  2. Signature: Compares data against the signatures of prior zero-day attacks and other known attack patterns
  3. Behavior: Studies how the attacking entity interacts with the site under attack and looks for activity that does not match legitimate use
  4. Hybrid: Combines the three approaches above
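The following Python script is an added illustration, not code from the original article or from BlackStratus: it runs all four approaches over a handful of constructed web-server log lines. The log lines, the addresses, the thresholds and the two signature rules are assumptions made up for the example. One source sends a well-known injection pattern that only the signature method catches; another probes an unfamiliar API path by path, for which no signature exists, and is caught only when the statistical and behavior methods agree. That second case is the gap that signature-only protection leaves against a genuine zero-day.

```python
# Added example: statistical, signature, behavior and hybrid detection run over
# constructed web-server log lines (not code from the original article).
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log (source, timestamp, method, path, status).
# 198.51.100.4 sends a well-known injection pattern (a signature exists);
# 203.0.113.9 probes an unfamiliar API path by path (no signature exists).
SAMPLE_LOG = """\
10.0.0.5 2018-03-14T10:00:01 GET /index.html 200
10.0.0.5 2018-03-14T10:00:09 GET /about.html 200
10.0.0.6 2018-03-14T10:00:02 GET /index.html 200
10.0.0.6 2018-03-14T10:00:11 GET /products.html 200
10.0.0.7 2018-03-14T10:00:03 GET /index.html 200
10.0.0.7 2018-03-14T10:00:12 GET /contact.html 200
10.0.0.7 2018-03-14T10:00:20 GET /about.html 200
10.0.0.8 2018-03-14T10:00:04 GET /index.html 200
10.0.0.8 2018-03-14T10:00:14 GET /products.html 200
10.0.0.8 2018-03-14T10:00:25 GET /cart 200
198.51.100.4 2018-03-14T10:00:05 GET /index.html 200
198.51.100.4 2018-03-14T10:00:06 GET /search?q=1%20UNION%20SELECT%201 200
203.0.113.9 2018-03-14T10:01:00 GET /index.html 200
203.0.113.9 2018-03-14T10:01:01 GET /api/v2/export 404
203.0.113.9 2018-03-14T10:01:01 GET /api/v2/export/all 404
203.0.113.9 2018-03-14T10:01:02 GET /api/v2/debug 404
203.0.113.9 2018-03-14T10:01:02 GET /api/v2/internal 404
203.0.113.9 2018-03-14T10:01:03 GET /api/v2/config 404
203.0.113.9 2018-03-14T10:01:03 GET /api/v2/status 404
203.0.113.9 2018-03-14T10:01:04 GET /api/v2/admin 404
203.0.113.9 2018-03-14T10:01:05 GET /api/v2/upload 200
203.0.113.9 2018-03-14T10:01:06 POST /api/v2/upload 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
# Signature rules: patterns of attacks already seen in the wild (assumed set).
SIGNATURES = {
    "sql-injection": re.compile(r"union(\s|%20)+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def parse_log(text):
    """Turn raw lines into (source, method, path, status) tuples; skip junk."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            src, _ts, method, path, status = m.groups()
            records.append((src, method, path, int(status)))
    return records

def signature_hits(records):
    """Signature method: match each request against known attack patterns."""
    hits = defaultdict(set)
    for src, _method, path, _status in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits[src].add(name)
    return dict(hits)

def statistical_hits(records, z_threshold=2.0):
    """Statistical method: flag sources whose request volume is a z-score outlier."""
    counts = defaultdict(int)
    for src, *_ in records:
        counts[src] += 1
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:  # one source, or identical volumes: nothing stands out
        return {}
    return {src: round((n - mu) / sigma, 2)
            for src, n in counts.items() if (n - mu) / sigma >= z_threshold}

def behavior_hits(records, min_paths=5, min_error_ratio=0.5):
    """Behavior method: many distinct paths with mostly 4xx replies looks like
    probing for an unknown hole, not like a visitor browsing the site."""
    paths, errors, totals = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, _method, path, status in records:
        paths[src].add(path.split("?", 1)[0])
        totals[src] += 1
        errors[src] += int(400 <= status < 500)
    return {src: (len(paths[src]), round(errors[src] / totals[src], 2))
            for src in totals if len(paths[src]) >= min_paths
            and errors[src] / totals[src] >= min_error_ratio}

def detect(log_text):
    """Hybrid method: a signature match is conclusive by itself; otherwise the
    statistical and behavior methods must agree before a source is flagged."""
    records = parse_log(log_text)
    findings = defaultdict(set)
    methods = {"signature": signature_hits, "statistical": statistical_hits,
               "behavior": behavior_hits}
    for name, fn in methods.items():
        for src in fn(records):
            findings[src].add(name)
    report = {}
    for src, found in findings.items():
        flagged = "signature" in found or len(found) >= 2
        report[src] = found | ({"hybrid"} if flagged else set())
    return report
```

Calling `detect(SAMPLE_LOG)` reports `198.51.100.4` under the signature method and `203.0.113.9` under the statistical and behavior methods, each with the hybrid verdict attached; the four benign sources are not reported at all. The hybrid rule is deliberately asymmetric: a signature hit is treated as conclusive because it matches an attack already seen, while the two anomaly-style methods, which are what actually catch unknown attacks, are required to corroborate each other to keep false positives down.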

Traditionally, attack detection has relied on cooperation between the links along a network chain, but this can leave a system vulnerable at any one juncture, especially in the face of today’s more advanced methods of attack. To detect an advanced attack and stop it before it becomes a problem, a more complex set of measures is required.

How to Prevent Zero-Day Attacks


A zero-day vulnerability will open your system to the possibility of an instant attack that could have disastrous results and grave financial consequences. Therefore, it’s crucial to be alert to this possibility and act if and when a vulnerability does appear. Some steps you can take include:

  • Employing the Most Advanced Security Software: Basic security software is simply not enough in today’s online climate, where hackers employ the most advanced means of system hacking. Software that only protects against known threats is no match for the hacker who develops new ways to attack.
  • Keeping Security Software Up-to-Date: As new methods of hacking become known, security software is updated to prevent such hacks. Only with regular, timely software updates can you effectively protect your network from a zero-day exploit.
  • Updating Your Browsers: Web browsers are among the most common targets of hackers. If your browser is out-of-date, it could be vulnerable to malware that did not exist when you first updated to that version of the browser. Even though today’s browsers — such as Firefox, Chrome and Opera — usually update automatically, you should still check periodically to ensure all the computers in your network are equipped with the latest version of each browser.
  • Implementing Security Protocols: For a network to be fully ready to act on a zero-day vulnerability, all company personnel must be trained on the best practices for security. Develop and implement a sequence of security measures and teach your workforce about when and how to enact these measures.

On rare occasions, even the most diligent organization can have its security compromised by a zero-day exploit. In the event of this happening to your company, make sure all your security measures are ready to go at a moment’s notice.

Even though it can take hours or days to develop a security patch, the spread of a worm or virus can immediately be halted if connections are limited to their barest essentials. The moment an infection becomes known, shut off all network connections that are not vital to the function of your business. This will block the spread of the virus and give your company time to assess the problem and develop a solution.

What Is a Zero-Day Market?

Not all hackers take direct advantage of zero-day vulnerabilities. In many cases, the hacker who spots the security hole will sell the exploit code on the zero-day market, which essentially functions as a black market for hackers. Due to the rarity of such vulnerabilities, exploits of this sort often command high bids among fellow hackers.

In rare cases, the hacker is a good guy who scans newly released software code in search of vulnerabilities. When such a hacker spots a hole, they report the issue to the software developers. Most of the time, they perform these actions in good faith with no monetary incentive; in some cases, they may ask the company that could have been affected by the security hole to reward their good deed with payment.


Ultimately, the zero-day market attaches a monetary incentive to the discovery of coding vulnerabilities. According to one investigative study, the code for a zero-day security hole can sell for as much as $250,000. The price of a given exploit is typically based on the popularity of the software or network in question, as well as the amount of hacking skill the discovery involved.

In general, the zero-day market consists of the following categories:

  • The Criminal Element: The black market of zero-day exploits, where code is sold for as high as six figures
  • The White-Hat Element: The benevolent side of the market, where hackers discover security holes and report such issues to programmers
  • The Grey Area: Researchers who work for the government and sell security-hole code to intelligence agencies, police forces and military branches for surveillance purposes

While the white-hat element can help in the defense against zero-day attacks, the ultimate solution to this problem would be to stop the criminal element in its tracks. Until the world’s software developers and network operators build 100% foolproof systems, companies will have to remain diligent in their fight against zero-day attacks and stay on guard.

How to Prevent Zero-Day Attacks in Today’s Digital Landscape

As developers step up their efforts to make software programs hack-proof, hackers are also developing more advanced measures to bypass even the toughest, most complicated security algorithms. As such, the plague of zero-day exploits will not be eradicated anytime soon.

Consequently, some developers are hesitant to speak too openly about the problem, in part because there is no permanent solution, but also for fear of the possible negative impact such issues could have on their brand names. Of course, this very hesitance can feed into the problem and put users at risk, especially as hackers take this fear as a sign of encouragement for even bolder hacking measures.

Software companies and online networks must remain ever more determined to stay ahead of hackers with each new technological development. Companies should stay alert to information as it unfolds and ensure their staff is trained in the latest defense measures against zero-day hackers — including executives, board members, IT department employees and rank-and-file work staff.

Beyond the concerns of the industries directly hit by zero-day exploits, the consequences of said exploits impact vast segments of the public at large. With so much at stake, responding to zero-day exploits is one of the most crucial actions for an organization to take in the event of a breach.

Boost Your Zero-Day Prevention Plan With BlackStratus

At BlackStratus, our goal is to help organizations prevent security attacks. Browse our site for information about our products, or contact us to learn more about threat detection and prevention.


Don Carfagno

Strategic executive management and delivery responsibilities for BlackStratus MSP product line offerings of SIEM and Logging for direct, SOC-as-a-Service and channels. Operations professional with 20 years of security management experience. I place a high premium on cost reduction and containment for all aspects of a business. With many years of experience supporting software sales organizations, I am uniquely trained to develop and coach cross-functional teams. My main area of interest, what makes me want to come to work, is company building and creating successful teams. I enjoy creating and championing the successful attitude throughout an organization.
