Zero-day vulnerability – How to Detect and Prevent Unknown Attacks


What is a zero-day vulnerability?

A zero-day vulnerability is a security flaw in software or a system that is unknown to the vendor or developer. The developer usually learns of the flaw only after an attacker has already exploited it, and at that point the vendor and its security teams have had ‘zero days’ to fix it.

In other words, a zero-day exploit occurs when attackers take advantage of a flaw before the developers have released any fix or patch. The attackers penetrate, damage, or compromise a system through the vulnerability while the defending party is still unaware it exists. Zero-day attacks can also succeed when the developer or vendor has already released a fix but end users have not yet updated their systems.

While talking about zero-day attacks, there are three terms used in conjunction:

Zero-day vulnerability:

It is a flaw in the software that is discovered by threat actors before any security patch has been developed by the security researchers. The zero-day attack can therefore succeed before the developers even know the flaw exists.

Zero-day exploit:

The methods that enable attackers to exploit the vulnerability and attack the system (often delivered by a malicious computer worm or other software) are called zero-day exploits.

Zero-day attack:

This happens when a threat actor actually damages or compromises the vulnerable systems using a zero-day exploit to fulfill malicious motives.

How do zero-day vulnerabilities lead to security threats?

Most newly developed or updated software contains security vulnerabilities, and attackers constantly look for zero-day bugs to take advantage of them. These attackers may be cyber criminals, hacktivists, corporate spies, or cyber-warfare agents. One well-known zero-day example is the attack on Iran’s uranium enrichment plants, aimed at upsetting the country’s nuclear program; in that case a worm infected every PLC on the plant’s assembly-line machinery.

Until a system has been ‘patched’, i.e. an adequate fix has been developed and applied to guard against the zero-day threat, attackers keep trying to break into it and exploit it. Once they succeed, they write and deploy zero-day malware, known as exploit code. Such exploit code fetches large sums when sold on the dark web because of the valuable business and company-sensitive data it unlocks.

Exploit code exposes the software’s users to cyber crime and identity theft. A socially engineered email is a common way of delivering it: the message tries to persuade the user to open a file or visit a malicious website in their browser, and that action downloads the attacker’s malware, which infiltrates the user’s system and steals confidential data or other valuable business information.

Developers always try to fix flaws before threat actors find them, but the ones they miss leave their products open to zero-day threats. Sometimes a zero-day patch also takes weeks or months to arrive even after the vulnerability has been identified, which leaves both corporate and individual users exposed to the threat in the meantime.

How to detect zero-day vulnerability

By definition, zero-day vulnerabilities are unknown to the developer and software vendor, so no patches or antivirus signatures exist to stop the exploit. This makes such flaws extremely difficult to detect. However, several methods help identify suspicious activity and the likely target, and so help protect organizations from malicious actors.

Statistics-based detection

This technique relies on statistical data collected on previously detected zero-day exploits for a particular system or piece of software. The more past data there is, the greater the chance of foiling an attempt to compromise devices with unexpected commands.

The method applies machine learning techniques to the statistical characteristics of the existing data and uses them to create a baseline of safe system behavior against which all incoming files are judged.

However, the effectiveness of this method is limited, as there is a high chance of false positives and false negatives, especially with advanced security threats. The results depend heavily on the chosen baseline.

It is also challenging for anti-malware vendors to minimize false negatives, so as not to miss a zero-day attack or identity theft, while at the same time avoiding false positives that would hamper the company’s normal business. Finding the right balance for the baseline is therefore essential but difficult.

Signature-based detection

This technique detects known digital malware signatures when scanning a system for viruses. Most antivirus vendors use existing databases of previously seen malware signatures to provide maximum protection against malicious code. The method has two noteworthy challenges:

  • First, by definition, zero-day exploits have no known signatures
  • Second, the vendors update their signature databases quite frequently

So vendors employ machine learning algorithms to generate signatures in real time that may match the unknown malware. Three forms of digital signature can be generated using the signature-based technique:

  • Content-based: it studies the content, i.e. parts of the code present in previous zero-day exploits.
  • Semantic-based: it studies the behavior or actions of past malware attacks.
  • Vulnerability-based: it studies the conditions that existed in the case of a previous vulnerability or threat, using past data on known vulnerabilities to create a baseline for broken algorithms. Like the statistics-based technique, this method depends largely on the available data pool, for example from open-source components.
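The three signature forms above, as an added illustration that is not part of the original article and not any vendor's engine: a content-based signature matches exact bytes from a previously analysed sample, a semantic-based signature matches an ordered chain of recorded actions, and a vulnerability-based signature matches the pre-conditions of a known flaw in the input itself. All samples, byte markers, API-call names and request fields are invented for the demonstration; the point it makes is that a recompiled variant with the same behavior slips past the content signature but not the semantic one.

```python
from dataclasses import dataclass, field


@dataclass
class Sample:
    name: str
    data: bytes                                   # bytes a file scanner would see
    trace: list                                   # API-call sequence a sandbox recorded
    request: dict = field(default_factory=dict)   # parsed input fields, for vulnerability-based rules


# Content-based: exact byte patterns lifted from previously analysed samples (invented markers).
CONTENT_SIGS = {
    "worm-v1-marker": b"DROP_AND_PERSIST v1",
    "worm-v1-mutex": b"Global\\wrm_mtx_01",
}

# Semantic-based: an ordered (not necessarily contiguous) chain of actions seen in past attacks.
SEMANTIC_SIGS = {
    "drop-persist-beacon": ["WriteFile", "RegSetValue", "InternetConnect"],
}

# Vulnerability-based: the pre-conditions of a previously exploited flaw, checked on the input
# rather than on the malware itself (a filename longer than a fixed buffer, a path that climbs
# out of its directory). Both rules are constructed for this example.
VULN_SIGS = {
    "oversized-filename": lambda req: len(req.get("filename", "")) > 255,
    "traversal-in-path": lambda req: ".." in req.get("path", "").split("/"),
}


def content_matches(sample):
    return sorted(n for n, pat in CONTENT_SIGS.items() if pat in sample.data)


def _in_order(trace, chain):
    """True if every step of chain appears in trace in that order (other calls may sit in between)."""
    it = iter(trace)
    return all(any(step == call for call in it) for step in chain)


def semantic_matches(sample):
    return sorted(n for n, chain in SEMANTIC_SIGS.items() if _in_order(sample.trace, chain))


def vuln_matches(sample):
    return sorted(n for n, pred in VULN_SIGS.items() if pred(sample.request))


def classify(sample):
    return {"content": content_matches(sample),
            "semantic": semantic_matches(sample),
            "vulnerability": vuln_matches(sample)}


# Constructed samples (not real malware and not real requests).
KNOWN = Sample("known-sample", b"MZ\x90\x00 ... DROP_AND_PERSIST v1 ... Global\\wrm_mtx_01 ...",
               ["CreateFile", "WriteFile", "RegSetValue", "InternetConnect"])
VARIANT = Sample("recompiled-variant", b"MZ\x90\x00 ... strings rewritten, same logic ...",
                 ["CreateFile", "WriteFile", "Sleep", "RegSetValue", "InternetConnect"])
INSTALLER = Sample("benign-installer", b"MZ\x90\x00 ... setup ...",
                   ["CreateFile", "WriteFile", "RegSetValue"])   # writes the registry, never beacons out
ODD_REQUEST = Sample("upload-request", b"", [],
                     {"filename": "A" * 300, "path": "/uploads/../etc"})

if __name__ == "__main__":
    for s in (KNOWN, VARIANT, INSTALLER, ODD_REQUEST):
        print(s.name, classify(s))
```

The semantic check deliberately tolerates extra calls between the steps of the chain (the variant inserts a `Sleep`), which is what lets it survive cosmetic changes that defeat byte matching; the cost, as the article notes for every baseline-driven method, is that a benign installer that happened to beacon after writing the registry would match too.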

Behavior-based detection

This technique identifies how malware interacts with the target devices or software. Unlike the content-based and signature-based methods, it does not examine code or signatures; instead, it studies the behavioral patterns of interaction between malware and target programs, such as suspicious activity, an exponential spike in traffic, or scanning on the network.

Machine learning algorithms are used to establish baseline behaviors with good accuracy. When the algorithms run on a single target system for a long time, they build up a large pool of past and current interactions, which lets them detect malicious activity and predict its outcome quite effectively.

Hybrid Detection

This technique uses two or three of the above methods together, which produces more accurate results: the combination leverages the strengths of each technique and offsets the weaknesses of the others when hunting for a zero-day exploit.

For example, the results of a behavior-based technique can be reinforced with the statistical method, and a signature-based approach can filter out false positives to improve detection accuracy further.

The hybrid technique is more effective than any of the approaches used individually, but it requires a high level of expertise and more investment to develop reasonably accurate machine learning solutions.
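The statistics-based, behavior-based and hybrid sections above describe one detection pipeline in three pieces, so here is one added worked example covering all three. It is not code from the article or from any product: it builds a per-host baseline (mean and standard deviation of outbound connections per minute) from a constructed training window, flags statistical spikes, separately flags scanning-like behavior (many distinct destination ports in one minute), and then combines the two in the hybrid style. The telemetry, host names and thresholds are all invented; the `threshold_tradeoff` function shows the false-positive/false-negative balance the article says is hard to get right.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry (invented, not real logs). Each line is one outbound connection:
# "<minute> <src_host> <dst_ip> <dst_port>". Minutes 0-9 form the training window that
# builds the baseline; minute 10 is the window under examination.
TRAIN_COUNTS = {
    "app01":    [4, 5, 4, 6, 5, 4, 5, 6, 4, 5],            # web app: a handful of HTTPS calls a minute
    "db01":     [3, 4, 4, 3, 4, 5, 4, 3, 4, 4],            # database: replication connections
    "backup01": [40, 42, 38, 41, 39, 40, 43, 39, 41, 40],  # backup host: fans out over SSH every minute
}
TRAIN_DST = {"app01": ("10.0.0.5", 443), "db01": ("10.0.0.9", 5432)}


def build_train_log():
    lines = []
    for host, counts in TRAIN_COUNTS.items():
        for minute, n in enumerate(counts):
            for i in range(n):
                if host == "backup01":
                    lines.append(f"{minute} {host} 10.0.1.{i + 1} 22")
                else:
                    ip, port = TRAIN_DST[host]
                    lines.append(f"{minute} {host} {ip} {port}")
    return lines


def build_test_log():
    lines = [f"10 app01 10.0.0.5 {p}" for p in range(1, 61)]        # app01 probes 60 ports on one host
    lines += ["10 db01 10.0.0.9 5432"] * 20                         # db01: legitimate replication burst
    lines += [f"10 backup01 10.0.1.{i + 1} 22" for i in range(42)]  # backup01: its usual fan-out
    return lines


def parse(lines):
    events = []
    for line in lines:
        minute, host, dst, port = line.split()
        events.append((int(minute), host, dst, int(port)))
    return events


def per_minute_counts(events):
    counts = defaultdict(int)
    for minute, host, _, _ in events:
        counts[(host, minute)] += 1
    return counts


def baseline(train_events):
    """Statistics-based: mean and standard deviation of connections per minute, per host."""
    series = defaultdict(list)
    for (host, _), n in per_minute_counts(train_events).items():
        series[host].append(n)
    return {host: (mean(v), pstdev(v)) for host, v in series.items()}


def stat_anomalies(test_events, base, z=3.0):
    """Flag hosts whose per-minute count sits more than z standard deviations above their baseline."""
    flagged = set()
    for (host, minute), n in per_minute_counts(test_events).items():
        mu, sigma = base.get(host, (0.0, 0.0))   # an unseen host has no baseline and is judged against zero
        sigma = max(sigma, 0.5)                  # floor so a perfectly flat baseline still yields a usable threshold
        if (n - mu) / sigma > z:
            flagged.add(host)
    return flagged


def behaviour_anomalies(test_events, max_ports=20):
    """Behavior-based: a host touching many distinct destination ports within one minute looks like scanning."""
    ports = defaultdict(set)
    for minute, host, _, port in test_events:
        ports[(host, minute)].add(port)
    return {host for (host, _), s in ports.items() if len(s) > max_ports}


def hybrid_anomalies(test_events, base, z=3.0, max_ports=20):
    """Hybrid: require both a statistical spike and a suspicious behavior pattern before alerting."""
    return stat_anomalies(test_events, base, z) & behaviour_anomalies(test_events, max_ports)


def threshold_tradeoff(test_events, base, truly_malicious, z_values=(1.0, 2.0, 3.0)):
    """Map each z threshold to (false positives, false negatives) for the purely statistical detector."""
    out = {}
    for z in z_values:
        flagged = stat_anomalies(test_events, base, z)
        out[z] = (len(flagged - truly_malicious), len(truly_malicious - flagged))
    return out


if __name__ == "__main__":
    base = baseline(parse(build_train_log()))
    test = parse(build_test_log())
    print("statistical only:", sorted(stat_anomalies(test, base)))
    print("behavioral only: ", sorted(behaviour_anomalies(test)))
    print("hybrid:          ", sorted(hybrid_anomalies(test, base)))
    print("z -> (FP, FN):   ", threshold_tradeoff(test, base, {"app01"}))
```

On this data the statistical detector alone flags `db01`'s legitimate replication burst at every threshold and `backup01` as well once the z threshold is loosened to 1, while the behavioral rule flags only the port-probing `app01`; the hybrid intersection keeps the true positive and drops both false positives, which is the reinforcement-and-filtering effect the article attributes to combining the methods.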

Best Practices for Protection Against Zero-Day Attacks

Zero-day attacks are security breaches that come with no warning, which makes a zero-day exploit difficult to detect. But specific preventive measures can improve protection against zero-day vulnerabilities and zero-day exploits. Here are six ways to keep your guard up against these unknown threats:

Employ Windows Defender Exploit Guard

Microsoft Windows Defender Exploit Guard was introduced in 2010 and has since proved highly effective in protecting against zero-day attacks. It uses three mechanisms to safeguard a vulnerable system:

  1. Attack Surface Reduction (ASR): it detects malware entering through Office files, scripts, and email, and blocks obfuscated macro code, JavaScript, VBScript, and PowerShell scripts, thereby preventing arbitrary code or scripts from running executable email content or payloads downloaded from the internet.
  2. Network protection: it blocks outbound connections to command-and-control (C&C) servers, terminating network connections to untrusted destinations and stopping the leakage of sensitive information.
  3. Controlled folder access: it limits access to protected folders by constantly monitoring the changes applications make to their files. Only authorized applications can access the guarded critical folders.

Implement patch management protocols

Every organization should have a clear policy and strategy for official patch management. Larger organizations should use automated patch-management and software-update solutions, which automatically identify the systems that require patches.

The tooling then sources the patches from the vendors, tests them, and deploys them to production. This keeps all systems, including legacy systems and the antivirus software itself, up to date, with virtual patches where needed, and helps prevent zero-day exploits in large organizations, government agencies, and multinational companies.
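The first step of that workflow, identifying which systems need which patches, as an added example that is not part of the article and not any patch-management product's code. It compares a constructed package inventory against a constructed advisory feed (package, first fixed version, severity) and orders the work most severe first. The hosts, versions and advisory entries are invented; the version comparison is a small hand-rolled one that understands numeric components with an optional letter suffix, which is all the sample data needs.

```python
import re

# Constructed inventory of installed packages: (host, package, installed_version). Invented data.
INVENTORY = [
    ("web01", "openssl", "1.1.1k"),
    ("web01", "nginx", "1.18.0"),
    ("web02", "openssl", "1.1.1t"),
    ("db01", "libxml2", "2.9.14"),
    ("db01", "postgresql", "15.2"),
]

# Constructed advisory feed: package -> (first fixed version, severity). Invented; not real advisories.
ADVISORIES = {
    "openssl": ("1.1.1t", "high"),
    "nginx": ("1.24.0", "medium"),
    "libxml2": ("2.10.4", "critical"),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version):
    """Turn '1.1.1k' into ((1, ''), (1, ''), (1, 'k')) so versions compare numerically, then by letter suffix."""
    parts = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def needs_patch(installed, fixed):
    return version_key(installed) < version_key(fixed)


def patch_plan(inventory, advisories):
    """List (severity, host, package, installed, fixed) for everything below its fixed version, most severe first."""
    plan = []
    for host, pkg, installed in inventory:
        if pkg not in advisories:
            continue
        fixed, severity = advisories[pkg]
        if needs_patch(installed, fixed):
            plan.append((SEVERITY_RANK[severity], severity, host, pkg, installed, fixed))
    plan.sort()
    return [entry[1:] for entry in plan]


if __name__ == "__main__":
    for severity, host, pkg, installed, fixed in patch_plan(INVENTORY, ADVERSORIES if False else ADVISORIES):
        print(f"[{severity}] {host}: {pkg} {installed} -> {fixed}")
```

The output is the queue that the test-then-deploy stages consume; a naive string comparison would have ranked `2.9.14` above `2.10.4`, which is exactly the kind of mistake that leaves a host reported as patched when it is not.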

Use Next-Generation Antivirus (NGAV)

NGAV uses machine learning algorithms to establish baseline behaviors for a system, which helps identify suspicious behavior from unknown malware. Next-generation antivirus technology cannot detect every zero-day attack, but it is far more effective at stopping one than a traditional antivirus or a security patch alone.

Input validation and sanitization

By now you know how zero-day attacks work. Vulnerability scanning and patching take time; in the meantime, input validation provides a guard against zero-day attacks. It is run by security experts and can respond to threats in real time. Two common ways of safeguarding systems with input validation are:

  1. Web application firewall (WAF): a WAF reviews all incoming web traffic and outgoing requests, so the security team can spot and filter the malicious traffic of a zero-day exploit almost immediately.
  2. Runtime application self-protection (RASP): RASP agents inside applications examine request payloads against the application code at runtime, so the application can defend itself when a malicious request arrives.
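An added example of the RASP idea above, written for this page rather than taken from the article or from any WAF or RASP product: a positive (allowlist) validator for one upload endpoint, wrapped around the handler so that every request is checked at runtime and rejections are recorded for the security team. The schema, field names, size limit and handler are invented; the validator rejects anything not explicitly permitted (oversized bodies, malformed JSON, unknown fields, wrong types, bad formats, out-of-range values) rather than looking for known-bad patterns, which is what lets it block inputs nobody has seen before.

```python
import json
import re

# Constructed allowlist for one upload endpoint (invented, not a real project's schema):
# every field the handler accepts, with the only shape each is allowed to take.
SCHEMA = {
    "username": {"type": str, "pattern": re.compile(r"[a-z][a-z0-9_]{2,31}")},
    "age":      {"type": int, "min": 0, "max": 150},
    "filename": {"type": str, "pattern": re.compile(r"[A-Za-z0-9._-]{1,64}")},
}
MAX_BODY_BYTES = 4096


class ValidationError(ValueError):
    pass


def validate(body: bytes) -> dict:
    """Positive validation: accept only what is explicitly allowed (size, JSON shape, known keys, field formats)."""
    if len(body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValidationError(f"malformed JSON: {exc}")
    if not isinstance(data, dict):
        raise ValidationError("top-level value must be an object")
    unknown = set(data) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    for name, rule in SCHEMA.items():
        if name not in data:
            raise ValidationError(f"missing field: {name}")
        value = data[name]
        if type(value) is not rule["type"]:       # exact type: bool is a subclass of int and must not pass as one
            raise ValidationError(f"{name}: wrong type")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError(f"{name}: bad format")
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            raise ValidationError(f"{name}: out of range")
    return data


REJECTIONS = []   # what a RASP agent would forward to the security team: one entry per blocked request


def guarded(handler):
    """RASP-style hook: validate the payload at runtime, block and record anything that fails."""
    def wrapper(body: bytes):
        try:
            data = validate(body)
        except ValidationError as exc:
            REJECTIONS.append(str(exc))
            return {"status": 400, "error": str(exc)}
        return handler(data)
    return wrapper


@guarded
def upload_handler(data):
    # The handler only ever sees data that passed the allowlist; the filename pattern admits no
    # path separators, so the path built here cannot leave the user's directory.
    return {"status": 200, "saved_as": f"/var/uploads/{data['username']}/{data['filename']}"}


if __name__ == "__main__":
    for body in (b'{"username": "alice", "age": 30, "filename": "report.pdf"}',
                 b'{"username": "alice", "age": 30, "filename": "../../secret.txt"}',
                 b'{"username": "alice", "age": true, "filename": "report.pdf"}',
                 b'{"username": "alice", "age": 30, "filename": "x.pdf", "role": "admin"}'):
        print(upload_handler(body))
```

Each rejection carries the reason, so the same hook doubles as a detection signal: a sudden rise in `bad format` or `unexpected fields` rejections on one endpoint is worth an analyst's attention even when no signature has fired.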

Keep an incident response plan ready

Having a zero-day incident response (IR) plan is crucial for every organization. If all preventive measures fail, the company must know how to respond to the security breach, and an IR plan in place helps avoid or mitigate the damage without unnecessary chaos and confusion.

The six stages of the Incident Response Plan, as given by SANS Institute, include:

  1. Preparation of proper documentation with defined roles, responsibilities, and processes.
  2. Identification of the zero-day attack using tools and/or processes.
  3. Containment of the incident by taking immediate measures to prevent further damage.
  4. Eradication of the origin or root cause of the attack.
  5. Recovery of the production systems so they are back to normal.
  6. Lessons learned, by conducting a post-attack analysis of the tools and processes and of any public disclosure.


Zero-day attacks are increasing at an alarming rate: according to Mandiant’s research, zero-day exploits reached an all-time high of 80 in 2021, compared with 32 in 2019. Guarding against zero-day vulnerabilities is difficult but not impossible.

The increasing rate of zero-day attacks requires multilayered cybersecurity detection and prevention approaches. Every organization needs to ramp up its security to mitigate these threats. With growing digitalization, there is an even greater need to stay cyber-safe.
