Earlier this year, Kaspersky researchers discovered a zero day exploit hidden in Desktop Window Manager. The exploit, designated CVE-2021-28310, is an escalation of privilege (EoP) exploit: it lets an attacker obtain higher-level user permissions on a system or platform than an administrator has granted. Though patches have since been released, the full extent of the damage from this zero day exploit is not yet known.
Zero day attacks are more common than you might imagine. According to one author, “On any given day over the past 3 years, two vulnerability purchase programs alone gave their privileged subscribers early access to at least 58 vulnerabilities, on average, in Microsoft, Apple, Oracle or Adobe products."
Research by NSS Labs determined that more than 100 zero-days were on the market this year; many were undisclosed to the public for an average of 151 days.
Zero days are an IT security professional’s worst nightmare, but there are steps you can take to minimize the risk of a zero day and to recover as quickly as possible.
What is a zero-day?
A zero day is an incursion that exploits a previously unknown vulnerability in a piece of hardware or software, and it can result in data loss or malware infection before anyone realizes something has gone wrong. The name refers to the number of days that the software developer or IT professional has known about the problem: zero.
“Borrowed into the world of cybersecurity, the name evokes a scenario where an attacker has gotten the jump on a software vendor, implementing attacks that exploit the flaw before the good guys of infosec are able to respond,” explains CSO Online. “Once a zero day attack technique is circulating out there in the criminal ecosystem—often sold by their discoverers for big bucks—the clock is ticking for vendors to create and distribute a patch that plugs the hole.”
Zero day actually encompasses three things: zero day vulnerability, zero day exploit, and zero day attack.
- Zero day vulnerability: a flaw that has been discovered and for which no security patch exists.
- Zero day exploit: a penetration technique, such as a piece of malware, that takes advantage of the vulnerability.
- Zero day attack: an action taken by a hacker to extract data or steal company secrets using the exploit.
There’s some debate within the developer community about the difference between an exploit and an attack, since a zero day exploit can be as dangerous as the attack itself. Technically, however, the exploit is the tool by which the attack takes place.
Preparing for a zero day attack
The bad news is that a zero day, by definition, has no patch available at the moment it is first used. An attacker finds a previously unknown vulnerability and uses it to their advantage.
“If the vulnerability hasn't been widely publicized, potential victims may not be paying attention to the vulnerable system or software and so could miss signals of suspicious activity,” said CSO Online. “The advantage this gives to attackers means that they may try to keep knowledge of the vulnerability relatively secret and use zero day exploits only against high-value targets, since the secret won't last forever.”
Nevertheless, there are steps users can take to prepare for a zero day attack and to maintain business continuity following an incursion.
First, users should make sure their software is up to date: operating systems, anti-virus, apps, and internet browsers should all be set to update automatically so that the latest security patches are applied. Many data breaches are the result of a chain of attacks that follows one zero day vulnerability. For instance, if a user downloads a trojan attached to a phishing email, a strong and up-to-date firewall may be able to keep the attack from spreading to every part of the system.
Along with software updates, regular training and awareness can help keep employees from being exploited by a zero day.
Build redundant security layers
Perhaps one of the most infamous zero day attacks was the Heartbleed bug in 2012. Heartbleed targeted a vulnerability in the OpenSSL cryptographic library, and as such could be used to compromise credit card transactions, secured messages, and even SSL private keys. The bug was introduced in 2011 and was not fully identified and patched for another three years.
This incident, like many zero day vulnerabilities, demonstrated the importance of layered security. Security controls such as two-factor authentication, SSO, PAM, and cloud data loss prevention must all be used in coordination with one another so that when a vulnerability appears, there is a backup layer in place to protect confidential user data.
Network, endpoint, and cloud DLP all form crucial defense layers against online threats and zero day vulnerabilities. Nightfall is the industry’s first cloud-native DLP platform focused on discovering, classifying and protecting data in the cloud by integrating directly at the API level. We leverage machine learning to scan data and its surrounding context. This allows Nightfall to scan both structured and unstructured data with high levels of accuracy. Nightfall has over 150 detectors that can scan over 100 file types in order to identify instances of improper data sharing. Nightfall can then redact, quarantine, and delete text, strings, messages, or files containing sensitive tokens.
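To make the DLP layer described above concrete, here is a small, added example (written for this article, not Nightfall’s own code or detectors) of what a content scanner does: it runs two simple detectors over chat-style messages, uses a Luhn checksum so that a 16-digit tracking number is not mistaken for a card number, and redacts only the sensitive value so the rest of the message stays readable. The message texts, the card number (a standard test number), and the credential value are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample messages (not real data): one card number, one
# labelled credential, one benign order number, and one 16-digit
# tracking number that looks like a card but fails the Luhn check.
SAMPLE_MESSAGES = [
    "Please charge card 4111 1111 1111 1111 for the order.",
    "Deploy password=Hunter2Pass! in the env file.",
    "Lunch at noon? Order #12345678.",
    "Tracking number 1234 5678 9012 3456 shipped today.",
]

# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A labelled secret: the value after "password=", "api_key:", etc.
SECRET_RE = re.compile(
    r"(?i)\b(?:api[_-]?key|password|secret|token)\s*[:=]\s*(\S+)"
)


@dataclass
class Finding:
    detector: str
    start: int
    end: int
    value: str


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[Finding]:
    """Run both detectors over one message and return findings by position."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Context check: only a Luhn-valid digit run is treated as a card.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("credit_card", m.start(), m.end(), m.group()))
    for m in SECRET_RE.finditer(text):
        # Redact only the value (group 1), keeping the "password=" label.
        findings.append(Finding("credential", m.start(1), m.end(1), m.group(1)))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with a placeholder, working right to left so
    earlier offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[: f.start] + f"[REDACTED:{f.detector}]" + out[f.end :]
    return out


def scan_messages(messages: list[str]) -> list[tuple[str, list[str], str]]:
    """Return (original, detector names fired, redacted text) per message."""
    results = []
    for msg in messages:
        found = find_sensitive(msg)
        results.append((msg, [f.detector for f in found], redact(msg, found)))
    return results


if __name__ == "__main__":
    for original, kinds, redacted in scan_messages(SAMPLE_MESSAGES):
        print(f"{kinds or ['clean']}: {redacted}")
```

The Luhn step is the part worth noting: a detector that fires on any 16-digit run would flag the tracking number too, and a stream of false positives is what makes a DLP deployment get switched off. A production system would layer many more detectors and use surrounding context, as the paragraph above describes, but the detect-validate-redact loop is the same.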
Learn more about cloud DLP and setting up your organization for secure remote work in our complete 2021 Security Playbook for Remote-first Organizations. And, learn more about Nightfall by scheduling a demo at the link below.