Alessandra Peters

20/08/2022

Zero Day Attacks in 2022: Not Just a Patching Problem

When asked to name some of the most dangerous threats to their organisation right now, almost all security executives in a recent Ponemon Institute survey mentioned zero-day attacks.

Unfortunately, the more than 600 security professionals Ponemon spoke to are not wrong to be worried about newly emergent threats. Zero-day attacks are definitely on an upward trend. Out of all the security threats that researchers at Rapid7 identified last year, more than half started with a zero-day exploit. 

To avoid the consequences of a successful zero-day attack, i.e., data theft, financial loss, and reputational damage, organisations need to think beyond patching, which often comes too late, and invest in adequate cybersecurity tools. 

Traditional cybersecurity tools won’t stop zero days. Because zero-day attacks are unknown threats, they can bypass signature-based solutions like antivirus software and intrusion detection systems (IDS). At the same time, tools like endpoint detection and response (EDR) and security information and event management (SIEM) are not entirely effective either, whether because they don’t provide 360-degree visibility or generate too much “noise data.” 

Instead, businesses need to look to automated threat detection, investigation, and response platforms like SenseOn that provide a complete view into an organisation’s entire digital estate and use machine learning and behavioural analytics to spot abnormalities before it’s too late.

What Is a Zero-Day Attack?

A zero-day attack starts with a zero-day vulnerability, i.e., a gap in a system or device that hasn’t been patched. When a cybercriminal comes across a vulnerability that is yet to be mitigated, they can share/sell it or create an exploit (“zero-day exploit”) to get into victim systems (“zero-day attack.”) 

Zero-day exploits are challenging to detect because they:

For this reason, zero-day attacks have a high success rate. And unfortunately, many businesses don’t have adequate defences in place to protect against them. 

What a Zero-Day Attack Looks Like In 2022

A typical zero-day attack in 2022 involves the following steps:

1. Zero-day vulnerability discovery

Hackers look through code for flaws or buy zero-day vulnerabilities on the dark web. As a typical organisation’s attack surface has grown due to remote work and the internet of things, it has become easier to find and abuse software vulnerabilities. 

2. Exploit created to leverage vulnerability

Attackers next use tools and resources to take advantage of the security vulnerability. This could involve writing zero-day malware or utilising already existing tools. 

However, there’s some good news. As cyber defences improve, cybercriminals can’t always get away with using just one exploit. Often, they have to link together several exploits for a successful zero-day attack. These “exploit chains” need more zero days and are therefore more expensive for attackers to carry out. 

“Every time an attacker has a full chain and wants to use it, that’s a risk. The possibility that the zero-day chain or some aspects of that intrusion gets detected can be a very expensive cost for the attacker,” said Matt Tait, COO of Corellium, during Black Hat 2021. 

3. Attack launched

Attackers look for vulnerable systems and launch the zero-day exploit. In some cases, attackers may already have a target in mind.

The attack vectors used by threat actors in a zero-day attack depend mostly on the zero-day vulnerability uncovered. For example, Google’s Project Zero, which studies zero-day exploits used in the wild, found that the most targeted products in the first half of 2022 were the operating systems Windows and macOS/iOS and web browsers Firefox and Chrome. 

About a quarter of all the zero-days the group came across in the wild last year targeted the Chrome browser, whereas others took advantage of vulnerabilities in Windows, Internet Explorer, Android, iOS, and Microsoft Exchange Server. Notably, the group did not encounter any in-the-wild zero days that exploited cloud-based applications. 

Zero-day attacks can be deployed through methods like phishing emails and text messages. However, some zero-day attacks are zero-click, meaning that they don’t require any action from the victim, like a keypress or mouse click (for instance, to download an email attachment or click on a link within a malicious text message). 

This means that even vigilant users can’t avoid these types of “double whammy” attacks, and training is inefficient. 

4. Vulnerability awareness & patching  

The vendor discovers the vulnerability (frequently following a successful attack). How quickly a software update is released depends on the software vendor and vulnerability. Many security patches for critical vulnerabilities are released on the same day they’re found. In rare cases, it might take vendors several months to push out a patch. 

Zero-day vulnerabilities are not always shared with the public. However, last year was “the first full year that Apple and Android publicly disclosed what vulnerabilities they had that were known to be in the wild, which contributed to at least 12 total vulnerabilities that the industry wouldn’t have known about otherwise,” said Maddie Stone, a researcher at Google Project Zero. 

But just because a patch is available doesn’t mean mitigation is automatically achieved. The reason why is that not every organisation will deploy the patch fast enough. 

Even after Atlassian patched a flaw affecting its Confluence Data Center and Server, a number of organisations were attacked by threat actors who exploited the vulnerability to deploy Cerber ransomware, z0miner crypto miner, and Mirai-like bots, reported Sophos.

Defending Against Zero-Day Attacks

Every cyber attack, regardless of whether it’s zero-day or n-day (i.e., an attack that targets a vulnerability that has a patch available), leaves footprints in the system and is therefore not untraceable. 

However, traditional tools like signature-based antivirus solutions and even EDR tools are not enough to detect and defend against them. Although EDR tools use behaviour monitoring to discover unusual activity, it only does so on the endpoint, leaving critical cybersecurity blind spots. Similarly, while SIEM platforms can connect event data from a range of sources across a company’s network, they can be resource-intensive and noisy, spitting out way too many alerts for security teams to go through. 

Instead, what organisations need to do is double down on security basics like backing up critical systems, implementing zero-trust, and establishing an incident response plan.

But beyond that, companies need a tool that, in addition to using behavioural analytics and machine learning to determine a baseline of “normal” behaviour and monitoring anything that doesn’t correspond to that, also consolidates their security stack to give better visibility, multiple perspectives, and context. This is what SenseOn was designed to do.

Sign up to our newsletter

Join thousands of like-minded professionals who are already 
receiving our blog updates and best practice guides.