Security professionals use the word “zero-day” to refer to unknown security weaknesses. Since these weaknesses are unknown, security researchers have had zero days to prepare a response. 

When security teams encounter a known threat, they can rely on the collected experience of a worldwide network of security researchers when responding to it. They may already know how the threat works, what it targets, and how to remediate it effectively. 

None of this is true in the zero-day threat scenario. Responding to a completely new and unknown threat is much more challenging than responding to a known one. 

The difference between zero-day exploits, vulnerabilities, and attacks  

• Zero-day exploits refer to tactics, techniques, and procedures threat actors use to compromise targeted systems. The act of exploiting a zero-day vulnerability is a zero-day exploit. 

• Zero-day vulnerabilities are unknown flaws and security weaknesses that threat actors can target. Threat actors who discover these vulnerabilities will likely exploit them before security researchers can fix them. 

• Zero-day attacks happen when threat actors leverage a zero-day vulnerability in an active cyberattack scenario. There is no time to research or prepare for the attack before encountering it. 

Understanding the zero-day lifecycle: 

Zero-day vulnerabilities may exist in applications, assets, and operating systems from the moment they are released. The manufacturer and developers responsible aren’t aware of these vulnerabilities, and neither are customers. 

As a result, the vulnerability may remain undetected for days, months, or years. At some point, someone discovers the security flaw. What happens next depends on whether the person who discovers it is a security researcher or a cybercriminal: 

• If security researchers find the flaw first, they can either warn the public or keep it a secret. Warning the public comes with the risk of broadcasting the vulnerability to cybercriminals. Keeping it a secret allows researchers to quietly fix the problem, at the risk of enabling hackers who already know about the flaw. 

• If cybercriminals find the flaw first, they will probably use it in a cyberattack. This doesn’t always happen immediately. Hackers may circulate information between themselves and wait for a high-value opportunity to leverage an unknown threat.

It’s important to keep in mind that merely announcing a zero-day vulnerability does not always mean an exploit for that vulnerability is ready. One report suggests it can take hackers up to two weeks to develop an exploit for a newly disclosed vulnerability. 

However, many IT leaders neglect to patch these vulnerabilities within that time frame. This is an important—and entirely preventable—source of risk, because security patches typically include changelogs that practically instruct hackers how to breach unpatched systems. 

Examples of zero-day attacks: 

1. Stuxnet. Stuxnet is one of the most famous examples of a zero-day attack, used to disable nuclear facilities in Iran in 2010. Many researchers believe the US and Israeli governments worked together to develop Stuxnet, but this has not been confirmed. 

1. Kaseya. In July 2021, the REvil cybercrime group conducted a zero-day attack against Kaseya’s virtual system administrator (VSA) software. This attack impacted 60 Kaseya customers and ultimately affected 1500 third-party companies downstream. 

1. SonicWall VPN. Hackers compromised SonicWall’s secure mobile access (SMA) devices in February 2021. The company patched the vulnerability two months later in April. 

1. Log4Shell. This was a zero-day vulnerability that enabled hackers to remotely control devices running Java apps. Since the affected library was used in many popular applications, it put hundreds of millions of devices at risk. This flaw was present since 2013, but it was only discovered in 2021. 

1. Google Chrome. In early 2022, hackers exploited a previously unknown remote code execution vulnerability in the Google Chrome web browser. Threat actors used this exploit to send victims to spoofed websites that would install remote access malware on their devices. 

All of these zero-day threats are different—they leverage different vulnerabilities and achieve different aims. This is part of what makes zero-day attacks some of the most difficult threats to respond to. However, there are things security leaders can do to improve their resilience to zero-day threats. 

How to identify zero-day vulnerabilities early on 

Having complete visibility and control over your security posture is vital for identifying zero-day vulnerabilities before hackers do. Most commercial vulnerability scanners simply look for known vulnerabilities, but in-depth vulnerability assessments and penetration tests can help security leaders find unknown vulnerabilities early. 

Similarly, organizations that invest in robust patch management initiatives are better-protected against recently discovered zero-day threats. Comprehensive digital risk solutions give security teams the ability to observe their network the way hackers do—and potentially find zero-day vulnerabilities before they do. 

 Additionally, organizations that invest in high-quality curated threat intelligence feeds are more likely to get early warning into new zero-day vulnerabilities. They may also get valuable contextual information into new threats, like insight into which specific hardware models or software versions are susceptible. 

How to detect zero-day exploits in real-time 

Most traditional detection solutions are poorly equipped to detect zero-day exploits. If your Security Information and Event Management platform uses static rulesets to trigger alerts, it will miss zero-day threats because it doesn’t know what to look for.  

However, if your SIEM is equipped with User Entity and Behavioral Analytics (UEBA) capabilities informed by dynamic custom rulesets, it may detect unusual behavior that indicates an unknown threat operating on your network. UEBA-enabled extended detection and response platforms also help drive early detection.  

Behavioral analytics may notice indicators of compromise in endpoint device usage, network traffic, or other elements of your IT environment. Once detected, you’ll need to conduct a comprehensive investigation into that activity and determine whether the exploit is a real threat or a false positive. 

How to conduct incident response against zero-day attacks 

Your incident response framework must include workflows for addressing unknown threats. This process will be more complex and time-consuming than conducting incident response against a known threat, but there are ways to make it more effective. 

 Relying on a reputable managed detection and response vendor that can provide scalable security operations expertise can dramatically improve the outcome of this scenario. Instead of dedicating limited in-house security resources to handling the crisis, your MDR vendor can bring in as much expertise as necessary to address the incident in real-time. 

Experienced MDR vendors can also help your organization be better prepared for zero-day attacks. Conducting proactive threat hunting and investing in sophisticated behavioral analytics gives your security team the upper hand when addressing potential zero-day threats.