In cyber circles, the term zero-day could inspire excitement or fear, depending on which side of the attack you’re on. Yes, there are sides—the digital world is a binary one, in which people and machines engage in a fierce cyber warfare.
For a threat actor, zero-day is a means to an end. For everyone else, zero-day marks the moment a vulnerability is disclosed, after which you have a short span of time to patch it. If you can patch it in time, you’ll have won the battle. Otherwise, a threat actor might make off with your data, take over your site, or sabotage your network.
In order to understand what zero-day means, you’ll need to gain a better understanding of the core principles of cyber attacks—vulnerabilities, exploits and threats—as explained in this section.
What Is a Vulnerability?
In cyber security, the term vulnerability applies to any flaw that can be used to initiate an attack against a network, system or device. Threat actors use vulnerabilities to compromise security perimeters.
Vulnerabilities can be generally classified according to the location of the flaw, as follows:
Software vulnerabilities—pieces of code that can be used to initiate attacks, such as a bug introduced by human error, or code altered by a forced injection of malware.
Network vulnerabilities—intentional or accidental flaws in the design of the network architecture, and insecure open-source connections and APIs.
Hardware vulnerabilities—hardware flaws caused by physical decay of the components, or by intentional sabotage by external or insider threats.
What Is an Exploit?
In cyber security, an exploit is the method threat actors use to take advantage of (exploit) a security flaw (vulnerability).
An exploit can be a piece of code (injections), a program (usually malware or ransomware), an automated bot (exploit kits) or a human being. The latter is called an insider threat, which is a term that refers to people with authorized access to the company network, who are blackmailed or tricked into initiating an attack from the inside.
Threat actors often use an exploit kit, which is a collection of exploits, to search for vulnerabilities and/or exploit a security vulnerability through an injection of code or malware. Some exploit kits are fully automated, while others have a manual component. Exploits play a major role in long-term and strategic attacks, such as an Advanced Persistent Threat (APT) attack.
What Is a Threat?
In cyber security, the term “threat” refers to a potential danger to the security perimeter. Unpatched or unknown vulnerabilities in the network, system or device are a threat. Once the vulnerability is exploited, it becomes a risk that needs to be remediated as soon as possible.
Since there are thousands of known vulnerabilities, and potentially thousands of unknown vulnerabilities, prioritizing the remediation of vulnerabilities has become a common practice in cyber security. Some security teams approach vulnerability management manually, and others make use of automated tools.
Now that you have gained a better understanding of the terms “vulnerability”, “exploit” and “threat”, and how they operate within the sphere of cyber security, you’ll be better prepared for reading about the term “zero-day”, including its connection to the core concepts we learned.
What Is the Meaning of the Term Zero-Day?
In cyber security, the term zero-day is used to describe the initial discovery of a vulnerability. Once the vulnerability is discovered—by the technology vendor, the network administrator, the security team or a vulnerability library, such as the National Vulnerability Database (NVD)—there’s a race between threat actors and security teams.
This time-sensitive battle has been given the name zero-day, which originates from the time of digital bulletin boards, when threat actors attempted to steal software before it was released. Nowadays, it’s a matter of whether the security teams manage to patch the vulnerability before the threat actors manage to exploit it. Whoever wins the battle wins the data.
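The prioritization described under “What Is a Threat?” and the disclosure-to-patch race described here can be made concrete with a small scoring model. The following is an added example, not code from the original article: it ranks a handful of constructed vulnerability records by how far the race has run (days since public disclosure) together with CVSS score, whether an exploit has been seen in the wild, whether the asset is internet-facing, and whether a vendor patch exists yet. The record names, dates, scores and weights are all assumptions chosen for illustration.

```python
"""Rank vulnerabilities for remediation by the width of the zero-day window.

Added example; the records, dates and weights below are constructed for
illustration and are not taken from any real advisory.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Vuln:
    name: str                        # constructed identifier, e.g. "VULN-A"
    cvss: float                      # CVSS base score, 0.0 to 10.0
    disclosed: date                  # date the flaw became public
    patch_available: Optional[date]  # None while the vendor has no fix
    exploited_in_wild: bool          # an exploit has been observed, not just theorized
    internet_facing: bool            # affected asset is reachable from outside


def exposure_days(v: Vuln, today: date) -> int:
    """Days the flaw has been public: how long the race has been running."""
    return (today - v.disclosed).days


def priority(v: Vuln, today: date) -> float:
    """Remediation priority; higher means patch (or mitigate) sooner.

    Weights are an assumption for this example: a working exploit and an
    exposed asset dominate, a missing patch adds urgency because only
    compensating controls are available, and each week of public exposure
    adds a little, capped so age alone never outranks severity.
    """
    score = v.cvss
    if v.exploited_in_wild:
        score += 4.0
    if v.internet_facing:
        score += 2.0
    if v.patch_available is None:
        score += 1.0
    score += min(exposure_days(v, today) / 7.0, 3.0)
    return round(score, 2)


def remediation_order(vulns: List[Vuln], today: date) -> List[Vuln]:
    """Return the records sorted from most to least urgent."""
    return sorted(vulns, key=lambda v: priority(v, today), reverse=True)


# Constructed sample data: a fixed "today" so the numbers are reproducible.
TODAY = date(2024, 1, 31)
SAMPLE = [
    # Critical, exploited, exposed, disclosed two days ago, no fix yet.
    Vuln("VULN-A", 9.8, date(2024, 1, 29), None, True, True),
    # High severity but internal, patched long ago, no known exploit.
    Vuln("VULN-B", 7.5, date(2023, 12, 2), date(2023, 12, 5), False, False),
    # Medium severity, yet exploited and internet-facing with a patch out.
    Vuln("VULN-C", 5.3, date(2024, 1, 21), date(2024, 1, 25), True, True),
]


def main() -> None:
    for v in remediation_order(SAMPLE, TODAY):
        fix = "patch available" if v.patch_available else "NO PATCH: mitigate"
        print(f"{v.name}: priority {priority(v, TODAY):5.2f}, "
              f"public for {exposure_days(v, TODAY):3d} days, {fix}")


if __name__ == "__main__":
    main()
```

Note that the medium-severity VULN-C outranks the high-severity VULN-B: an exploit in the wild on an exposed asset narrows the defender’s side of the race far more than a raw CVSS number does, which is the point of prioritizing rather than patching in score order.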
What Is a Zero-Day Vulnerability?
When a vulnerability is disclosed to the public, and it is deemed a critical threat that requires immediate remediation, it is called a zero-day vulnerability.
What Is a Zero-Day Exploit?
A zero-day exploit can tip the scales in favor of a threat actor, because it provides them with the means to exploit a zero-day vulnerability before security teams get the chance to patch.
The Zero-Day Black Market
System administrators and users are usually left in the dark until a vulnerability is disclosed to the public. Once the vulnerability is disclosed, it takes time for the community to find a solution and then apply the fixes.
Threat actors take advantage of this zero-day period of time, by creating, selling and buying zero-day exploit kits. There is also a thriving black market for zero-day vulnerabilities. Prices can range from a few thousand dollars to tens and even hundreds of thousands.
How Zero-Day Vulnerabilities Work
There is no one particular way to launch a zero-day attack. The only limitation is the imagination, skills and resources of the threat actor. These factors determine the types and number of zero-day vulnerabilities and exploits the threat actors can find or create.
The only qualifier for a zero-day initiative is to have as much of a head start on the security team as possible. For some threat actors, that means buying a zero-day vulnerability or exploit kit in the black market. For others, it means sending a bot to scan for vulnerabilities. And there are the threat actors who band together to raise an APT group for devising strategic zero-day attacks.
The Connection between APT and Zero-Day Initiatives
An advanced persistent threat (APT) is a long-term and strategic attack campaign, designed and deployed by threat actors, for the purpose of initiating a zero-day attack. The goal of an APT initiative is to infiltrate the network and remain undetected for long periods of time, during which the threat actors can achieve their goal.
Objectives of an APT can range from data extraction (as in the case of the Equifax breach), to remote file inclusion (RFI), cross-site scripting (XSS) and SQL injection, to backdoor shells and Trojans that help the threat actors expand their reach within the network.
If the APT initiative is successful, the threat actors would have found an unknown or zero-day vulnerability, persisted in applying a zero-day exploit, and made off with the prize. Threat actors typically go after data, specifically intellectual property, and sensitive and financial information. An APT can also result in ransomware, site takeovers, and sabotage to the infrastructure.
Hopefully, by the time you reach this section, you’ll have gained a better understanding of the term zero-day and how it applies in cyber security.
Here’s a quick summary to keep the information fresh in your mind:
A vulnerability is a flaw in the security perimeter
An exploit is a method of using a vulnerability to breach the security perimeter
A threat is a potential danger to the security perimeter
The term zero-day refers to unknown or newly disclosed vulnerabilities or exploits
Threat actors often launch APT attacks to initiate zero-day attacks
Companies like Cynet provide security teams with the technology required to prevent and block zero-day attacks. Be sure to check out some of the available solutions, because you’ll need all the help you can get to win the zero-day race.