Security professionals use the term “zero-day” for security weaknesses that are not yet known to the people who would have to fix them. Because the weakness is unknown, security researchers have had zero days to prepare a response.
When security teams encounter a known threat, they can rely on the collected experience of a worldwide network of security researchers when responding to it. They may already know how the threat works, what it targets, and how to remediate it effectively.
None of this is true in the zero-day threat scenario. Responding to a completely new and unknown threat is much more challenging than responding to a known one.
Zero-day vulnerabilities may exist in applications, assets, and operating systems from the moment they are released. The manufacturer and developers responsible aren’t aware of these vulnerabilities, and neither are customers.
As a result, the vulnerability may remain undetected for days, months, or years. At some point, someone discovers the security flaw. What happens next depends on whether the person who discovers it is a security researcher or a cybercriminal:
It is important to keep in mind that the public disclosure of a zero-day vulnerability does not always mean a working exploit for it exists yet. One report suggests it can take attackers up to two weeks to develop an exploit for a newly disclosed vulnerability.
However, many IT leaders fail to patch these vulnerabilities within that window. This is an important—and entirely preventable—source of risk, because security patches typically ship with changelogs that describe the flaw in enough detail to guide attackers toward unpatched systems.
Zero-day threats differ from one another: they leverage different vulnerabilities and pursue different aims. This variety is part of what makes zero-day attacks some of the most difficult threats to respond to. Even so, there are concrete steps security leaders can take to improve their resilience to them.
Having complete visibility and control over your security posture is vital for identifying zero-day vulnerabilities before hackers do. Most commercial vulnerability scanners simply look for known vulnerabilities, but in-depth vulnerability assessments and penetration tests can help security leaders find unknown vulnerabilities early.
Similarly, organizations that invest in robust patch management are better protected against recently disclosed zero-day threats, since the window between disclosure and exploitation is where patching matters most. Comprehensive digital risk solutions give security teams the ability to observe their network the way attackers do—and potentially find zero-day vulnerabilities before attackers do.
Additionally, organizations that invest in high-quality, curated threat intelligence feeds are more likely to receive early warning of new zero-day vulnerabilities. They may also gain valuable context about new threats, such as which specific hardware models or software versions are affected.
Most traditional detection solutions are poorly equipped to detect zero-day exploits. If your Security Information and Event Management (SIEM) platform relies on static rulesets to trigger alerts, it will miss zero-day threats because it has no signature or indicator to look for.
However, if your SIEM is equipped with User and Entity Behavior Analytics (UEBA) capabilities informed by dynamic, custom rulesets, it may detect unusual behavior that indicates an unknown threat operating on your network. UEBA-enabled extended detection and response (XDR) platforms also help drive early detection.
Behavioral analytics may surface indicators of compromise in endpoint device usage, network traffic, or other elements of your IT environment. Once something is flagged, you will need to conduct a thorough investigation of that activity and determine whether it is a genuine threat or a false positive.
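As an added illustration of the contrast above (example code, not part of the original article), here is a toy in Python showing why a static ruleset produces nothing for activity that matches no known indicator, while a per-user behavioral baseline flags the same activity as a large deviation. The users, daily login counts and tool names are constructed for the example and do not come from any real environment.

```python
import statistics
from collections import defaultdict

# Constructed sample: per-user daily counts of remote logins over a 7-day
# baseline window, followed by one day under investigation (day 8).
BASELINE_DAYS = range(1, 8)
EVENTS = [
    {"day": d, "user": "alice", "logins": n, "tool": "ssh"}
    for d, n in zip(BASELINE_DAYS, [4, 5, 4, 6, 5, 4, 5])
] + [
    {"day": d, "user": "bob", "logins": n, "tool": "ssh"}
    for d, n in zip(BASELINE_DAYS, [2, 3, 2, 2, 3, 2, 2])
] + [
    # Day 8: alice's account performs far more logins than usual, using a
    # tool for which no signature exists yet (the "unknown threat" case).
    {"day": 8, "user": "alice", "logins": 40, "tool": "unseen-tool"},
    {"day": 8, "user": "bob", "logins": 2, "tool": "ssh"},
]

# Static ruleset: the indicators the SIEM already knows about (placeholder).
KNOWN_BAD_TOOLS = {"known-bad-tool"}


def static_rule_alerts(events):
    """Signature-style detection: fires only on indicators already known."""
    return [e for e in events if e["tool"] in KNOWN_BAD_TOOLS]


def behavioral_alerts(events, baseline_days, day, threshold=3.0):
    """Baseline each user's normal login volume; flag large deviations."""
    history = defaultdict(list)
    for e in events:
        if e["day"] in baseline_days:
            history[e["user"]].append(e["logins"])
    alerts = []
    for e in events:
        if e["day"] != day or e["user"] not in history:
            continue
        mean = statistics.mean(history[e["user"]])
        # A perfectly flat baseline has zero spread; floor it at 1 so a
        # change is still measured instead of dividing by zero.
        spread = max(statistics.pstdev(history[e["user"]]), 1.0)
        z = (e["logins"] - mean) / spread
        if z > threshold:
            alerts.append({"user": e["user"], "logins": e["logins"], "z": round(z, 1)})
    return alerts
```

Running both detectors over the same day-8 data gives no alerts from the static rules and one alert for alice from the baseline, which is the starting point for the investigation step described above.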
Your incident response framework must include workflows for addressing unknown threats. This process will be more complex and time-consuming than conducting incident response against a known threat, but there are ways to make it more effective.
Relying on a reputable managed detection and response (MDR) vendor that can provide scalable security operations expertise can dramatically improve the outcome of this scenario. Instead of dedicating limited in-house security resources to handling the crisis, your MDR vendor can bring in as much expertise as necessary to address the incident in real time.
Experienced MDR vendors can also help your organization be better prepared for zero-day attacks. Proactive threat hunting and investment in sophisticated behavioral analytics give your security team the upper hand when addressing potential zero-day threats.
We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.