Cybersecurity

What’s a zero-day attack (and how can you prepare for one)?

Zero-day attacks are especially difficult to defend against because by their very nature, no one sees them coming.
article cover

Amelia Kinsinger

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

On Nov. 24, 2021, an Alibaba Cloud Security engineer noticed that a certain string of text, when inserted into Java’s logging utility Log4j, could execute remote code.

Cue the alarms, as vendors, security experts, and end-users spread the word about the hole in the massively used software, including US Secretary of Homeland Security Alejandro Mayorkas.

Companies had no time—ahem, zero days—to fix the problem, as a race began between patch-makers and threat actors looking to exploit the open systems. The industry-wide distress signal aimed to prevent the zero-day vulnerability from becoming a zero-day attack. But what exactly is a zero-day attack?

What is a zero-day attack?

A zero-day attack is when an attacker finds and exploits a weakness that is unknown to the vendor responsible for patching it. The hole can be found in software, operating systems, browsers, Java logging utilities…you name it.

In 2021, the cybersecurity firm Mandiant identified 80 actively exploited zero days, more than double the previous record in 2019. Google’s “Project Zero” initiative noted 18 unpatched and exploited zero-day vulnerabilities in 2022’s first half, affecting platforms including Apple iOS, Google Pixel, Linux, and Windows.

Some real zeros:

  • The “Follina” attack executed malicious PowerShell commands via the Microsoft Diagnostic Tool (MSDT) and Office applications. Exploits were first seen in April 2022, weeks before Microsoft’s patch.
  • In late 2022, a flaw allowed attackers to gain access into the Exchange Server.
  • A notable zero-day attack in 2021 hit the IT monitoring provider SolarWinds—and its customers. Hackers hit a remote-code execution flaw in the company’s Serv-U product.

Be a zero hero

In the aftermath of zero-day damage, defenses like backups and, of course, patching are essential. But how do you defend against a threat you don’t see coming?

Keep the attack surface small, said Johannes Ullrich, dean of research for the SANS Institute.

“Basically, limit the number of doors and windows that you have, which means uninstall software that you don’t need, remove accounts that you don’t need from the system, limit internet access to a particular system,” Ullrich told IT Brew.

And if an IT team can’t eliminate an essential application, like Office, altogether, perhaps attack paths can be blocked. In Follina’s case, for example, a drastic measure might be to block attachments in the organization.

If a zero-day exploit is a way into a house’s doors and windows, tactics like microsegmentation contain the burglary to a hallway. An Exchange server, for example, can sit in its own DMZ— a segregated, access-restricted part of the network—for example, so that an email compromise doesn’t jump to the rest of the network.

A zero day will be a bad day, no doubt, said Brian Haugli, CEO at the cybersecurity and privacy firm SideChannel, but one that can hopefully be contained.

“Let’s make sure that the entire rest of our company isn’t also compromised,” Haugli told IT Brew.


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

I
B