What is a zero-day?
cyberattack

What Is a Zero-Day?

Chief Editor 8 min read 0 Comments

What is a zero-day?

If you have been following news on cyber attacks, you would probably come across the term “zero day”. A zero-day attack can happen to any big corporation, organization, or government agency. The phrase zero day may look scary and technical, but the idea behind it is simple.
We will discuss in simple terms, by the end, you’ll understand what a zero-day is, why it’s called that, how a zero-day attack actually happens, some famous real-world examples, and what you and organizations can do to stay safer. No computer science degree required.

What Does “Zero-Day” Mean in Cybersecurity?

In cybersecurity, a zero-day is a security flaw in software, hardware, or firmware that the company responsible for it does not know about yet. Because the company doesn’t know it exists, they haven’t created a fix for it. This means anyone who finds out first will have an advantage over it.
The flaw might have been sitting over the program unnoticed for years or months. The danger lies when someone decides to find and abuse it before anyone realizes.
Most security tools work by recognizing known threats. Antivirus programs, firewalls, and other defenses are trained to spot patterns they’ve seen before. A zero-day has no known pattern, so programs often fail to detect it.
Organizations can’t defend against a zero-day until it’s been used against them, and they don’t learn it exists until the first attack occurs.
IBM’s X-Force threat intelligence team has recorded thousands of zero-day vulnerabilities since 1988, though they still make up only a small slice, roughly 3 percent, of all recorded security flaws. Rare, but powerful, and often devastating when they hit.

Why Is It Called “Zero-Day”?

This is one of the most common questions when someone comes across the term.
The “zero” refers to the number of days the software maker has had to fix the problem. When attackers discover and start using a flaw before the vendor even knows it exists, the vendor has had zero days to prepare a defense or release a patch. The clock started at zero, and the attack is already underway.
In other words, there is no warning and no time to prepare for the attack. The threat and the discovery arrive at the same moment, which is why it is always difficult to defend against it.
The term “zero day” originated in the world of software and media piracy. A pirated movie, song album, game, or software program is released at the same time or before the official release date, and is known as “zero day”.
The cybersecurity used the same phrase for the attack without anyone seeing it coming.
People say it or search it as “0-day” or “O-day.” It all means the same thing.

Breaking Down the Words: Vulnerability, Exploit, and Attack

A lot of people get confused by “zero-day vulnerability,” “zero-day exploit,” and “zero-day attack.” They actually have three different meanings.

Stage 1: The Zero-Day Vulnerability (The Weakness)

A zero-day vulnerability is a mistake or weakness that was there before or from the day it was built. This minor error is present as a simple coding error. The developer or the owner never knows it exists. These types of errors exist right from the launch of the software.

Stage 2: The Zero-Day Exploit (The Method of Attack)

Once an attacker finds a weakness in the website, they need to exploit it. A zero-day exploit is the specific method or technique that the attacker will develop to make a way into the website.
This exploit can be in any form, a phishing link through an email, where an employee of the firm will click into, and the attacker will get access to the website, making an entry into the network.
We have written a detailed post on how a cyberattack unfolds stage by stage. Check here.
Later, the stolen data will be sold on the dark web, or the attacker can ask for ransomware.

Stage 3: The Zero-Day Attack (The Actual Harm)

The zero-day attack is what happens when the stolen data is used to exploit a real target. Cyber criminals often buy data from the dark web to steal sensitive data, install malware, spy on people, disrupt services, or cause damage.
Since no one knows that this vulnerability exists, this attack can go on for a long time. Reports say that these attacks even happen for months, and are found only when something unusual happens or ends in ransomware.
Quick summary
Vulnerability = the hidden weakness
Exploit = the tool or method built to abuse the weakness.
Attack = the act of using that tool to cause harm

Real Zero-Day Attack Examples

Let’s look at some real examples to better understand the zero day.

Stuxnet – The Most Famous Zero-Day of All Time

What is a zero-day?

Stuxnet is the most famous zero-day attack in history.
In 2010, engineers at Iran’s Natanz nuclear facility were confused because the centrifuges that were used to enrich uranium were failing at an unusually high rate. They couldn’t find out why.
The security experts found that a worm known as Stuxnet is responsible for it.
Stuxnet was described as the world’s first true digital weapon. Because the facility was not connected to any internet devices, it was reported that Stuxnet spread through infected USB drives. Once the infected worm is inside, it looks for specific Siemens industrial control software, then it corrupts the software and orders the centrifuges to spin themselves to destruction while telling operators everything looks normal.
It is reported that Stuxnet has damaged a significant portion of Iran’s centrifuges.
Because it was a brand-new malware with no known signature, the existing security tools didn’t detect the attack.
Stuxnet proved that even remotely isolated, untouchable systems, nuclear plants, factories, and more secure infrastructure could be a victim of a zero-day attack.

The MOVEit Attack

MOVEit is a popular software that organizations use to transfer files securely. A cybercriminal group discovered a zero-day vulnerability in the software, a type of flaw known as SQL injection. It is then used to break into the systems of organizations worldwide.
The attackers stole data from hundreds of organizations, including government agencies, universities, banks, and major healthcare networks.
This is an example of a supply chain attack; instead of attacking each victim individually, the criminals found one flaw in a widely used tool and used it to attack everyone who relied on that tool.

“First-Day” Attack vs. Zero-Day: What’s the Difference?

As we have seen so far about zero-day attacks, they are nothing but flaws that no one knows about.
The first day, one day, the N-day attack is different. It is about making an attack with the flaw that has already been discovered and publicly disclosed.
The first-day attack occurs on the first day or within 24 hours of the public disclosure of the flaw.
Whereas one day is the later day, 1 or after 24 hours, and “N” refers to the number of days involved in making the attack.
Why would the one-day, N-day attack still succeed? Because there is no actual solution to the flaw, the attacker uses the publicly available information to make an attack. In most scenarios, the attacker succeeds. The organizations will also take time to fix the software and provide an update.

Zero-Day Protection: How to Protect?

An honest answer is that you cannot protect against a zero-day attack. Zero-day attacks may come to light once the flaw has been found, which will take months for the owners to find that they are under attack.
The goal is to protect and reduce the risk of attack.
Keep Everything Updated: We often discuss this, updating every software from time to time. To a common man using a mobile phone and computer, a software update immediately after the release will help reduce damage. Institutions and organizations must conduct mandatory security audits if they handle millions of public and sensitive data. An audit is a must so that new changes can be made to existing software and updates can be made periodically.
Use Layered Security: Always build a tool with multiple layers of security. So that if an attacker finds a flaw and breaks it, the data should still be behind 10 layers (an example: you can set it to 3, 4, or 5 layers). For organizations, there should be multiple anti-virus protection and email filtering for every employee to prevent a possible attack.
Focus on Behavior, Not Just Signatures: Do not rely on regular signatures in the network, which provide positive results for cyber protection. Always look for network traffic, suspicious behavior, and unwanted logs that attempt to access files, and make a note of them and alert authorities, even if it is not a flaw or an attack. By encouraging this, an attack that might occur years later can be prevented.
Have a Response and Recovery Plan: Organizations must have a recovery plan if they have been a victim of a zero-day attack. They must prepare for this scenario and make a list of what to do , whom to contact, recovering the backups, keeping the data safe, and locking existing files. A plan B for a zero-day attack is a must.
Practice Good Basic Hygiene: Teach your employees basic things and make a habit of it. Since phishing is a common issue of this zero-day attack, teach them how to be suspicious of emails and links.
None of this guarantees safety, but it reduces the risk to below high.

Why Zero-Days Matter to Everyone

You must have a thought that I’m not a government organization, nor do I run a private bank why should I be worried?
Today, we rely mostly on the devices we use and the websites we visit. Every single click or scroll you make is stored somewhere in the world. Any of the companies that you use may be under an attack of a zero-day. Your device may be compromised by a single link you click; your bank balance can be wiped out in seconds. So, updating your software and having an anti-virus on your devices will not be a waste of time and money.
So, it is important to know the basics and teach others, too.

Final thoughts about zero day:

Now we have a clear picture of what a zero-day attack is. Whether you make security for yourself or the organization you work with, this will definitely be helpful for you at some point.
So, stay calm if something has happened. It has happened, let it go, but immediately safeguard other valuable data that can be stolen in the same attack.
Flaws happen, we should be ready to overcome the mistakes and losses.
Stay safe, stay alert!

References

  1. IBM — What is a Zero-Day Exploit? https://www.ibm.com/think/topics/zero-day
  2. Wikipedia — Stuxnet. https://en.wikipedia.org/wiki/Stuxnet
Written by

Chief Editor

View all posts →

Leave a Comment

Your email won't be published.