What Is a “Zero-Day” Attack? A Cybersecurity Nightmare Explained
By Ashley Brooks on 04/26/2021
Cybersecurity is becoming more important by the day as an ever-growing portion of people’s lives is tied to an online world. Talk of viruses, cyberwarfare and brute-force attacks makes cybersecurity experts sound more like they’re on the frontlines of a battlefield than working behind computer screens.
In some ways, cybersecurity has become a battle—one that never stops or calls a truce. Some of these attacks are easy enough to protect against, but others are the nightmare of cybersecurity pros everywhere. A zero-day attack falls into the latter category.
What is a zero-day attack, and what can cybersecurity experts do to stop them? We spoke with experts in the field to get to the bottom of this type of cyber threat.
What is a zero-day attack?
A zero-day attack occurs when hackers take advantage of a software or network vulnerability that developers don’t know about. Think of it as having a broken window in your garage—but you don’t know it’s broken. Until you fix it, wrongdoers could take advantage of the situation without your knowledge.
“The name derives from the fact that developers are completely unaware of the weak point until after the attack occurs,” says Kristen Bolig, founder of SecurityNerd. “They’ve known about the vulnerability for zero days.”
The term “zero day” only refers to the fact that developers are unaware of the situation. As soon as they discover it, it’s no longer considered a zero-day attack or exploit. This means a zero-day attack can come in many different forms, from malware to spear phishing.
According to a 2017 report from Cybersecurity Ventures, zero-day attacks briefly decreased from 2014 to 2016, but now they are once again becoming more commonplace.[1] This report predicted that zero-day attacks would rise from one per week in 2015 to one per day in 2021, largely due to the expanding use of technology.[1] Put simply, the more code there is in the world, the more opportunities there are to find weak spots.
The growing remote workforce caused by the COVID-19 pandemic may also be playing a part in this increase. When companies allow their employees to work remotely without having the proper network protections in place, they become easier targets for zero-day attacks that may exploit devices many organizations wouldn’t have on their radars—for example, smart refrigerators and televisions sharing the same network. “They have affected virtually any kind of enterprise—from government agencies to big-name companies and Internet of Things devices,” Bolig says.
The implications of zero-day attacks
Not only are zero-day attacks on the rise, but they also tend to be more serious than other types of cybersecurity breaches. There’s big money to be made in discovering and selling these “zero-day exploits”: at the beginning of the pandemic, for example, hackers sold code that exploited a Zoom vulnerability for half a million dollars. This has given rise to an entire economic market built around the demand for zero-day exploits.
Dan L. Dodson, CEO of Fortified Health Security, finds that the real question is not, “Who is most vulnerable to zero-day attacks?” but “Who are the most valuable targets?”
“Entities with access to information relevant to national security or valuable trade secrets would likely top the list,” Dodson says. The more sensitive the information being breached, the more damage a zero-day attack is capable of. Healthcare systems, which house sensitive medical and financial information for patients, can be especially vulnerable to these types of attacks.
Those with nefarious intentions aren’t the only ones making use of zero-day vulnerabilities. Government agencies, such as the National Security Agency (NSA), keep close tabs on zero-day exploits, storing them for future use in their own operations. “Government agencies also use them to fight back against known security threats. They can gain valuable insights and information against hackers and organizations that they perceive to be a risk,” Bolig says.
How to recover from a zero-day attack
The solution to zero-day attacks is simple in theory, if not in execution: patches. Just like a bandage that closes a scraped knee and protects it from germs, a software patch is a piece of code that improves security and closes the vulnerability being exploited. “Software patches will identify and destroy zero-day attacks, so it’s important to run them as soon as you are aware of the attack,” Bolig says.
That’s the catch—you can only run a patch if you’re aware that a vulnerability exists. Zero-day exploits and related vulnerabilities have an astonishingly long lifespan, running an average of 6.9 years according to data from a RAND Corporation report.[2]
Step one to stopping a zero-day attack is finding it in the first place. There’s no foolproof system for this since zero-day attacks can come in many forms. However, experts share that routinely running updates and having a “defense in depth” approach that layers multiple types of security measures can help developers detect zero-day attacks faster.
Once a vulnerability has been identified, it’s all hands on deck to create and deploy a patch and to communicate any information breaches to stakeholders. This is an urgent task, but it may not be the dramatic race to save the day you’re probably envisioning. A 2015 report found that it takes an average of 100 to 120 days for most companies to patch vulnerabilities—which gives hackers plenty of time to exploit the data they find in the meantime.[3]
That lengthy time to create a patch is part of why it’s so important to have a response plan in place so that developers aren’t scrambling in the moment. “The key to recovery from any attack, regardless of impact, is to have clearly defined and well-rehearsed incident response procedures,” Dodson says.
How to prevent zero-day attacks
Of course, it’s best to prevent a zero-day attack from occurring in the first place. Unfortunately, that’s easier said than done. Many companies rely on artificial intelligence (AI) to shut down threats and other suspicious activity in a process called “signature detection.” But the whole point of zero-day attacks is exploiting vulnerabilities that are unknown, meaning that AI programs aren’t able to look for them.
Prevention relies largely on human developers who thoroughly follow best practices to stop all types of attacks before they start. This includes strategies like performing regular penetration testing and offering “bug bounties,” in which companies reward “good hackers” who identify and alert them to vulnerabilities.
Examples of this prevention strategy include Google’s Project Zero, a team of security analysts tasked with finding zero-day vulnerabilities, and the Zero-Day Initiative (ZDI), an organization devoted to rewarding researchers who identify vulnerabilities, then passing the information along to affected vendors so it can be fixed.
By making good use of the efforts of these researchers and of the skilled developers employed by tech companies, zero-day attacks can be reduced.
Do you have what it takes to fight zero-day attacks?
What is a zero-day attack? Now you know all about these challenging cybersecurity threats and how tricky they can be to stop.
But you’ve never been someone who backs down from a challenge! If you think you have what it takes to fight zero-day attacks and minimize any damage done by them, learn more by checking out our article “How to Become an Information Security Analyst and Fill the Gap in the Tech Field.”
[1] “Zero Day Report 2017,” Cybersecurity Ventures [accessed March 2021], https://cybersecurityventures.com/zero-day-vulnerabilities-attacks-exploits-report-2017/
[2] Ablon, L., & Bogart, A., RAND Corporation, “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits” [accessed March 2021], https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf
[3] Kenna Security, “New Kenna Research: The Remediation Gap” [accessed March 2021], https://www.kennasecurity.com/blog/new-kenna-research-remediation-gap-greg-howard/