The worst security vulnerabilities are the ones businesses don’t know about. So, what happens when these software flaws are used to attack?
Take the example of the Log4J issue in 2021, the MOVEit vulnerability of 2023, or the recently patched Ivanti flaws. These high-profile issues have one thing in common: Adversaries used the holes in popular enterprise software before they could be found by security researchers or patched by the vendor, resulting in a deluge of successful breaches.
Known as zero-day exploits, because an adversary has taken advantage of the vulnerability before it can be fixed, these issues are a growing threat to all businesses.
So, what exactly is a zero-day exploit, which software is at risk and what can businesses do to protect themselves?
Understanding zero-day exploits
All security vulnerabilities are zero-day at some point. After all, security flaws cannot be patched until the vendor knows about them. However, an attack using a zero-day issue will have the most impact on a business, quite simply because a patch isn’t yet available and you might not know you’ve been breached.
Attacks using zero-day vulnerabilities are particularly attractive to adversaries because their chance of success when systems are unpatched is high. “The exploitation of a vulnerability is more likely on day zero because a patch doesn’t exist,” says Dan Llewellyn, director of technology at xDesign.
In today’s software-driven, interconnected world, security vulnerabilities are a matter of fact. Often, zero-day exploits occur due to human error during the development process, says AJ Makwana, focal analyst at NormCyber. “Where code is worked on by multiple departments, there may not be robust enough policies to ensure that any changes to code are properly reviewed. Historically, these flaws are introduced due to a lack of security awareness.”
Attackers tend to cast their nets wide, which is why popular software is more likely to be at risk from zero-day exploits. For example, devices using software giant Microsoft’s products are at risk, says Jack Peters, customer solutions architect at M247. “Worldwide, it’s estimated that Windows 10 and 11 are installed on a total of 1.4 billion devices. It’s not surprising that opportunists will look to target victims through Windows firmware or Office Suite every time an update is rolled out by Microsoft.”
Additionally, says Peters, hackers can target servers running on MySQL, which was seen in the Progress Software MOVEit Transfer breach in May last year. “This exploited vulnerabilities in outdated browser plugins or misconfigured VPN Gateways to gain access to target systems. The alarming thing about zero-day exploits is that there are numerous entry points for hackers to target.”
Adversaries will usually target key systems with zero-day exploits, agrees Makwana. This can include authentication systems such as Active Directory, server architectures including Windows server or Kubernetes, and systems on the perimeter such as firewalls, switches, routers, and wireless access points. “For most attackers, this will be the hardest point of entry. Once they have a foothold via an exposed server, threat actors will then look to leverage other exploits to move laterally around environments.”
How to spot zero-day exploits and protect your business
You can’t prevent attacks you don’t know about, but there are ways to detect adversaries using a zero-day exploit to target your business. Spotting attacks utilizing zero-day exploits involves monitoring for unusual activity that deviates from normal operations, says Michael Skelton VP of security operations and hacker success at Bugcrowd.
This includes unexpected system behavior, unexplained network traffic spikes and irregularities in user account activities, he says. Tools such as intrusion detection systems (IDS) and security information and event management (SIEM) systems can aid in detecting these anomalies, he adds.
As zero-day exploits are inherently unknown, security teams should do their best to understand internal or customer environments’ weak points and look to mitigate any flaws with monitoring, says Makwana. “Detecting unwanted execution of abnormal software or scripts and external connections to unknown IP addresses are some great ways to monitor for unauthorized access.”
Usually, this is done with a layered approach, he advises. “Gathering threat intelligence on known threat actors would help to monitor rules detect unwanted behaviors such as data exfiltration.”
There isn’t much you can do about zero-day flaws themselves until a patch is available. However, if you stay ahead of emerging threats, it might be possible to apply steps to mitigate the risk of the flaw being used in an attack, says Leon Teale, senior penetration tester at IT Governance.
If a zero-day exploit is shared among the hacking community, especially if it affects a piece of software used by millions of systems, a business could find itself being targeted, he says.
Therefore, it’s a good idea to ensure the IT or security team stays subscribed to articles covering emerging threats or newly identified zero days, says Teale. “This will ensure they can mitigate the risk as soon as possible while waiting for the software vendor to release a security patch.”
When a fix is already available, the first thing you should do if you hear about a zero-day vulnerability is patch your systems. Makwana recommends patching the most critical vulnerabilities, including zero-days, as quickly as possible. “The UK National Cyber Security Center’s Cyber Essentials scheme recommends 14 days as best practice.”
Overall, protecting your business from zero-day exploits requires a proactive and layered security approach, says Darren Anstee, chief technology officer for security at NETSCOUT. “Organizations must ensure their systems and software are regularly updated to minimize vulnerabilities. Strengthening access controls and network segmentation can also make it harder to reach an exploitable system, limiting any lateral movement.”
This can mean applying zero trust security – a strategy that sees your organization “trust nothing and verify everything”. A zero-trust approach will help minimize the impact of a zero-day exploit, says Llewellyn. “If one component is vulnerable and exploited, leading to a full takeover of a device on your network, a zero trust approach can ensure this is where the issue ends.”
More on cyber security
