A zero-day vulnerability is a security flaw in an operating system, application, or device that has typically been identified by threat actors, may or may not have been disclosed to or by the vendor that created the affected software, and has not yet been patched.
In some cases, the term “zero-day vulnerability” gets mixed up with related terms that have distinct meanings in context, including:
- Zero-day exploit – the method or technique attackers use to take advantage of the zero-day vulnerability for initial access, elevated privileges, discovery, or data exfiltration.
- Zero-day attack – the overarching attack that involves using the zero-day exploit.
For example, last year, Internet-facing Microsoft Exchange servers were the target of an attack by the threat group Hafnium. According to Microsoft, the group took advantage of four zero-day vulnerabilities:
- A server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- An insecure deserialization vulnerability in the Unified Messaging service, allowing Hafnium to run code as SYSTEM on the Exchange server.
- Two post-authentication arbitrary file write vulnerabilities in Exchange, allowing Hafnium to write a file to any path on the server.
The four vulnerabilities are the zero-day vulnerabilities, Hafnium’s methods of taking advantage of these are the zero-day exploits, and the Hafnium attack overall is a zero-day attack.
Why Be Concerned About Zero-Day Vulnerabilities?
Zero-day vulnerabilities have been around as long as there have been modern-day computers. The issue isn’t the presence of the vulnerability, but the existence of threat actors intent on discovering and misusing these vulnerabilities as part of cyberattacks. Modern-day ransomware gangs are now soliciting zero-day exploits from the dark web to the tune of millions of dollars – turning the finding of zero-day vulnerabilities into a viable business practice.
So, why should MSPs be concerned?
Think about the problem these vulnerabilities create: a zero-day exploit that takes advantage of a zero-day vulnerability uses a specific method that has never been seen before. Assuming you have some form of endpoint security in place, depending on how the solution detects malicious code and/or behaviors, a zero-day exploit may run undetected, providing the threat actor with access in stealth.
Addressing Zero-Day Vulnerabilities
At first glance, logic would dictate that you can’t protect against a threat no one is aware of. Even so, the first way to deal with a zero-day vulnerability is to continually check with the vendor for a patch or workaround that secures the affected system or application.
In the case of zero-day vulnerabilities on endpoints (those that exist within the operating system, services, or applications), MSPs need to take advantage of security solutions that do not depend on threat intelligence updates to identify a zero-day exploit that has never been seen before.
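The patch-check advice above, as an added example that is not code from the original post: a small Python script that crosses an asset inventory with vendor advisories and lists every host still running a version below the first fixed release, together with the vendor's interim workaround. All hosts, products, version numbers and advisory identifiers in it are constructed placeholders; the only real-world detail it encodes is that version components must be compared numerically, since a string sort would rank "3.4.10" below "3.4.2".

```python
"""Added example, not code from the original post: check an asset inventory
against vendor advisories and list hosts still running a version below the
first fixed release.  Hosts, products, versions and advisory ids are all
constructed placeholders."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder id, not a real CVE or vendor bulletin number
    product: str
    fixed_version: str   # first release that contains the patch
    workaround: str      # vendor mitigation to apply while the patch is pending


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    installed: str
    advisory_id: str
    fixed_version: str
    workaround: str


def parse_version(version: str) -> tuple:
    """Turn '3.4.10' into (3, 4, 10) so components compare numerically.
    Comparing the raw strings would rank '3.4.10' below '3.4.2'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; '7.0' and '7.0.0' are equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_unpatched(installed: str, fixed_version: str) -> bool:
    return compare_versions(installed, fixed_version) < 0


def find_unpatched(inventory, advisories):
    """Cross a host inventory [(host, product, version)] with advisories and
    return one Finding per (host, advisory) pair where the fix is missing."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings = []
    for host, product, installed in inventory:
        for adv in by_product.get(product, []):
            if is_unpatched(installed, adv.fixed_version):
                findings.append(Finding(host, product, installed,
                                        adv.advisory_id, adv.fixed_version,
                                        adv.workaround))
    return sorted(findings, key=lambda f: (f.host, f.advisory_id))


# Constructed sample data (placeholders only).
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "mailserver", "3.4.2",
             "block inbound access to the web mail endpoint from untrusted networks"),
    Advisory("ADV-PLACEHOLDER-002", "vpn-gateway", "7.0",
             "require MFA on the gateway and review recent admin logins"),
]

INVENTORY = [
    ("mx01", "mailserver", "3.4.1"),    # below the fix: flagged
    ("mx02", "mailserver", "3.4.2"),    # exactly the fixed release: clean
    ("mx03", "mailserver", "3.4.10"),   # newer than the fix despite string order: clean
    ("vpn01", "vpn-gateway", "6.9.3"),  # below the fix: flagged
    ("vpn02", "vpn-gateway", "7.0.0"),  # same as '7.0' after zero-padding: clean
    ("web01", "webproxy", "1.2.0"),     # no advisory for this product: not checked
]


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{f.host}: {f.product} {f.installed} < {f.fixed_version} "
              f"({f.advisory_id}); interim workaround: {f.workaround}")
```

In practice the inventory would come from an RMM or asset-management export and the advisories from the vendor's security bulletins; the point of the script is that the check can be re-run on a schedule, so a host that was clean yesterday is flagged the day a new advisory lands, and the workaround column gives the technician something to apply before the patch window.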
Deep Learning-based detection on the endpoint provides the MSP and its customers with an ability to identify not only when code is malicious, but down to specifically which parts are malicious, ensuring that evasion and obfuscation techniques designed to keep malicious code from being detected are useless.
By updating systems as quickly as possible, as well as by putting Deep Learning-based endpoint protection in place, MSPs can proactively protect their customers’ environments against zero-day vulnerabilities with a high efficacy rate.