Zero Day Attack 101: What It Is and How to Deal with It
Your Business Might Become the Target of a Zero Day Attack. Here’s How You Can Prevent It from Happening to You.
The term zero day refers to a software vulnerability that is unknown both to the organizations using the software and to the vendors that develop it. Without proper mitigation, hackers can exploit this flaw in a system's security to infect or otherwise damage it. This is known as a zero day attack.
But what is a zero day attack? And, more importantly, how can you prevent one from damaging your enterprise? In the following lines, I will go over its definition and attack vectors, as well as give a few relevant examples to illustrate how it unfolds. Then, I will go over the basic concepts of dealing with a zero day attack in your enterprise. Let’s get into it.
What is a Zero Day Attack?
So, what is a zero day attack? As per the Heimdal Security Glossary,
A Zero Day (or Zero Hour or Day Zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero Day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer finds out about the vulnerability.
Zero Day Attack Vectors
Cybercriminals use various media to deliver their payload and infiltrate a company network. In the case of a zero day attack, three main attack vectors can be identified:
- Malicious websites, which hackers use to exploit security vulnerabilities in your web browser. They are injected with malicious code that activates once users access infected pages. This zero day attack vector is particularly lucrative, as browsers are widely used by organizations and home users alike.
- Phishing emails, in which cybercriminals send infected links or attachments by manipulating the Simple Mail Transfer Protocol (SMTP) communication system. Endpoint users are tricked into opening them via clever social engineering tactics, which can result in the corruption of an entire business network.
- Malware, which is specifically designed to abuse security gaps of common file types. This allows malicious third parties to gain access to and steal confidential data, as well as compromise part or the entirety of the attacked system.
Zero Day Attack Examples
The time span between a security gap’s discovery and its mitigation is known as the window of vulnerability. This is when a zero day attack can take place. I have compiled five examples below to better illustrate this type of incident, so let’s have a look at each one.
Image Source: Cybersecurity Glossary
In 2010, several APT groups based in China conducted a series of targeted attacks against U.S.-based private sector companies. This large-scale action is known as Operation Aurora. Suspected victims included Google, Yahoo, Adobe, Dow Chemical, Symantec, Juniper Networks, Morgan Stanley, Rackspace, and Northrop Grumman. However, Google was the only one to admit to the zero day attack and place blame on Chinese industrial espionage. As a consequence, the company ceased its operations in China.
A malicious computer worm, Stuxnet is responsible for multiple zero day attacks in Iran, India, and Indonesia. First discovered in 2010 but with roots reaching as far back as 2005, it affected manufacturing computers running programmable logic controller (PLC) software. The threat exploited a vulnerability in the Siemens Step7 PLC software, causing erratic behavior on the assembly line. Its primary targets were Iran’s uranium enrichment plants, in an attempt to disrupt the country’s nuclear program.
Computer and network security company RSA was the target of a zero day attack in 2011, when hackers used a then-unpatched Adobe Flash Player vulnerability to enter its systems. Cybercriminals sent the malicious Flash attachment in the guise of an Excel spreadsheet to several employees. When one opened it, the macro surreptitiously installed the Poison Ivy remote administration tool, which allowed them to take control of the entire device. Attackers then proceeded to search for and copy sensitive company data to use for their own nefarious purposes.
The infamous 2014 zero day attack on American entertainment company Sony Pictures is a pivotal moment in cyber-history. Rumors that a certain nation-state actor had infiltrated the enterprise’s systems in retaliation for a then-unreleased film parodying its totalitarian leader quickly arose and were debunked, creating a global buzz around the incident. The reality of the situation is that unknown cybercriminals sought and successfully gained access to private corporate data, such as executive emails, business plans, and film release dates.
A very recent zero day attack that was made public not too many days ago is that on Microsoft, the esteemed Washington-based multinational technology company. You can read all about it on the Heimdal Security blog, where my colleague Bianca did a bang-up job of covering the incident. The operation is attributed to the Chinese hacker group Hafnium, and it affected Microsoft’s Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
How to Deal with a Zero Day Attack
A proper zero day attack strategy should consist of three main elements: detection, mitigation, and prevention. I have detailed each of them below, along with useful recommendations for cybersecurity tools that you can use at each point in the process.
#1 How to Detect a Zero Day Attack
Traditional cybersecurity tools such as intrusion prevention and detection systems detect incoming cyber-threats by comparing their signature against a list of known issues. However, zero day attacks have no signature, because the vulnerability has not been analyzed yet. Chances are the criminals using it are among the first, if not the very first, to discover it.
Therefore, zero day attacks are very hard to detect through standard methods. This is why your business needs advanced threat detection algorithms powered by artificial intelligence and sandbox analysis such as the ones offered by our Heimdal™ Next-Gen Endpoint Antivirus & MDM. When coupled with our proprietary offering of Heimdal™ Threat Prevention, it is the best line of defense your systems have against hackers that are looking to exploit gaps in your security.
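To make the signature-versus-behaviour point concrete, here is an added example (not Heimdal's product code, and not from the original post): a hash blacklist check placed beside a simple behavioural rule, run over constructed process-creation events. The process names, the blacklist contents and the events are all constructed for illustration; a payload the blacklist has never seen slips past the signature check but is still caught by the behavioural rule.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# Constructed "known bad" list: SHA-256 hashes of payloads analysed in the past.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"old-dropper-sample").hexdigest()}

@dataclass
class ProcessEvent:
    """One constructed process-creation record, as an EDR or Sysmon feed would emit."""
    parent: str      # image name of the parent process
    child: str       # image name of the spawned process
    payload: bytes   # bytes of the file the child was started from

# Office applications should almost never spawn script hosts or installers.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}

def signature_match(event: ProcessEvent) -> bool:
    """Classic IDS/AV check: hash the payload and look it up in the blacklist."""
    return hashlib.sha256(event.payload).hexdigest() in KNOWN_BAD_SHA256

def behaviour_match(event: ProcessEvent) -> bool:
    """Heuristic: an office document spawning a script host is abnormal, whatever the hash."""
    return event.parent.lower() in OFFICE_PARENTS and event.child.lower() in SUSPICIOUS_CHILDREN

def classify(event: ProcessEvent) -> str:
    """Signature first (cheap and precise), then behaviour (catches the unknown)."""
    if signature_match(event):
        return "blocked-by-signature"
    if behaviour_match(event):
        return "flagged-by-behaviour"
    return "allowed"

# Constructed events: a normal launch, a known sample, and a never-seen variant.
EVENTS = [
    ProcessEvent("explorer.exe", "excel.exe", b"quarterly.xlsx"),
    ProcessEvent("excel.exe", "wscript.exe", b"old-dropper-sample"),
    ProcessEvent("excel.exe", "wscript.exe", b"old-dropper-sample-v2"),  # no signature exists
]

def run() -> List[str]:
    return [classify(e) for e in EVENTS]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run()):
        print(f"{event.parent} -> {event.child}: {verdict}")
```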
#2 How to Mitigate a Zero Day Attack
Zero day attacks are difficult to mitigate, as they can sneak into your systems undetected unless you have a robust NGAV and DNS filter combo protecting you. The one thing I recommend doing as soon as you get any indication that cybercriminals have infiltrated your network is to take the network offline and investigate to find the source of the incident. After you stop their spread, you can focus on patching the vulnerabilities present on your endpoints.
#3 How to Prevent a Zero Day Attack
Seeing how tricky mitigation can be, prevention remains your best bet. The recommended way to prevent a zero day attack from taking hold of your corporate network is to apply patches as soon as they are released by their respective developers. An automatic software updater such as our Heimdal™ Patch & Asset Management can help you achieve that.
Final Thoughts on Zero Day Attacks
Protecting your business against zero day attacks is essential to the integrity of your data. This type of threat is especially slippery since it usually can’t be found on standard blacklists. For this reason, your company needs to have an adequate detection, mitigation, and prevention strategy in place. As always, Heimdal Security can help you with that, so don’t hesitate to reach out at firstname.lastname@example.org for a consultation.