By Gilad David Maayan

Organizations have many types of security gaps that create opportunities for cyber attacks. Businesses are responsible for protecting their organizations from these attacks in order to comply with regulations and keep their systems, data, and customers safe. Zero-day vulnerabilities are among the most common and most difficult to defend against.

When hackers exploit vulnerabilities before software developers find a fix, such exploits are called zero-day attacks. Zero-day vulnerabilities can take almost any form, as they can manifest as many different kinds of software vulnerabilities. For example, they can take the form of ineffective data encryption, code injection, buffer overflow, broken authentication, URL redirection, or ineffective password challenges.

This huge variety makes zero-day vulnerabilities difficult to find proactively, and therefore difficult to detect and effectively prevent.

5 devastating zero day exploits

  1. Stuxnet (2014)

This malicious computer worm targets computers used for manufacturing purposes. Attacks have been observed in several countries, including Iran, India and Indonesia. The main target of this worm was Iran's uranium enrichment plants, with the goal of disrupting Iran's nuclear program. 

This attack exploited zero-day vulnerabilities in Microsoft Windows to reach industrial computers called programmable logic controllers (PLCs). The worm infected PLCs through vulnerabilities in Siemens Step7 software, causing PLCs to execute unexpected commands in machines on the assembly line, disrupting centrifuges used to separate nuclear material.

  2. Marriott International (2018)

Sensitive data on more than 500 million customers of Marriott's Starwood subsidiary was compromised in a zero-day attack. In 2014, an attacker broke into Starwood's customer reservation database and obtained customers' names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, arrival and departure information, reservation dates and communication information.

Hackers also gained access to encrypted payment card numbers and expiration dates. The New York Times later published an article detailing Chinese intelligence involvement in the attack.

  3. Microsoft RCE (2020)

In March 2020, Microsoft notified users of a zero-day attack exploiting two different vulnerabilities. These flaws affected all supported versions of Windows, and a patch was not available for several weeks. The attack targeted Remote Code Execution (RCE) vulnerabilities in the Adobe Type Manager (ATM) library built into Windows to manage PostScript Type 1 fonts.

This vulnerability in the Adobe library could allow an attacker to remotely execute a script via a malicious document. An attacker could send the document via spam, or trick the user into downloading it. When the user previews or opens the document in Windows File Explorer, the script runs and infects the device.

  4. Zerologon (2021)

Microsoft provided security updates on August 11, 2021, which contained a patch for a vulnerability in the Netlogon protocol (CVE-2020-1472) discovered by Secura researchers. Initially, the CVE did not receive enough attention because researchers did not disclose technical details. Later, when details were uncovered, it received the highest severity score of 10 in the Common Vulnerability Scoring System (CVSS).

This vulnerability could allow an unauthenticated attacker with network access to a domain controller to initiate a vulnerable Netlogon session. An attacker could then gain domain administrator privileges, which allows effective control over an entire network. This is a very serious vulnerability because the only condition for effective exploitation is a connection to a domain controller.

  5. LinkedIn (2021)

LinkedIn reported that it had suffered a zero-day attack affecting 700 million users, over 90% of its user base. In this attack, a hacker group abused the site's API to scrape data. The group has since disclosed a data set of approximately 500 million users and threatened to sell the entire data set associated with 700 million accounts.

The stolen data, which included email addresses, phone numbers, location history, gender and social media details, were used by malicious actors to create highly credible social engineering attacks.

How to protect against the next attack

By nature, zero day attacks are difficult to defend against. But there are many ways to prepare and reduce the effective threat to your organization. Here are three best practices that will help reduce or remove the threat posed by many, if not all, zero day attacks.

1: Have an incident response plan ready

Having an incident response plan in place is an important part of protecting against zero day attacks. An incident response plan is a documented set of procedures and processes that outline how an organization should respond to a cyber security incident or breach. It should include steps for identifying and responding to an attack, as well as procedures for communicating with relevant stakeholders and restoring normal operations.

An incident response plan should be tailored to the specific needs and risks of an organization, and should be regularly reviewed and updated to ensure that it is relevant and effective. It should include:

  1. An assessment of potential threats and vulnerabilities
  2. Identification of key stakeholders and roles and responsibilities
  3. Procedures for identifying and responding to an attack
  4. Communication protocols for internal and external stakeholders
  5. Processes for restoring normal operations
  6. Procedures for reporting and documenting the incident

Having an incident response plan in place allows an organization to respond quickly and effectively to a zero day attack, minimizing the potential impact and damage. It is important to regularly review and test the incident response plan to ensure that it is effective and that all relevant parties are familiar with their roles and responsibilities.

2: Zero trust and XDR

Zero trust is a security concept that assumes that all networks and devices are potentially vulnerable to attack, and therefore requires strict authentication and access controls for all users, devices, and systems. In a zero trust environment, all network traffic is treated as untrusted, and access is granted on a need-to-know basis. This approach can help to prevent zero day attacks by limiting access to vulnerable systems and restricting the ability of attackers to move laterally within a network.

XDR (extended detection and response) is a security approach that integrates multiple security technologies and tools to provide a more comprehensive view of an organization's security posture. XDR can help to detect and respond to zero day attacks by providing real-time visibility into network activity, alerting security teams to unusual or suspicious activity, and providing the ability to take immediate action to contain and mitigate the attack.

3: Next-generation antivirus (NGAV)

NGAV is a type of antivirus software that uses advanced technologies, such as machine learning and artificial intelligence, to identify and prevent cyber attacks. One of the key benefits of NGAV is its ability to detect and prevent zero day attacks. NGAV can do this by analyzing the behavior of software and identifying anomalies that may indicate the presence of malware or other malicious activity.

In addition to detecting and preventing zero day attacks, NGAV can also provide other security benefits, such as:

  1. Real-time protection against known and emerging threats
  2. Advanced threat detection and analysis capabilities
  3. Integration with other security tools and technologies
  4. Customizable security policies and controls

Conclusion

In conclusion, zero day attacks can have devastating consequences for individuals and organizations. These attacks exploit previously unknown vulnerabilities in systems and software, making them difficult to prevent and detect. The five zero day attacks discussed in this article - Stuxnet, Marriott International, Microsoft RCE, Zerologon, and LinkedIn - highlight the potential impact of these attacks on critical infrastructure, financial losses, and reputation.

To prevent the next zero day attack, it is important to adopt a multi-layered approach to security. This includes: 

  1. Having an incident response plan in place.
  2. Implementing zero trust and XDR.
  3. Using NGAV software.
  4. Keeping systems and software up to date with the latest security patches and updates in order to protect against zero day attacks and other cyber threats. 

By taking these precautions, organizations can better protect themselves against the next zero day attack.

About the author:

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.