A zero-day exploit is an attack that takes advantage of a previously unknown security vulnerability for which no fix is yet available.
What is a zero-day exploit?
A zero-day exploit (also called a zero-day threat) is an attack that takes advantage of a security vulnerability that does not have a fix in place. It is called a “zero-day” threat because the developer or organization has “zero days” to develop a solution once the flaw is discovered.
What is a vulnerability?
A vulnerability is an unintended software or hardware flaw that results from a programming error or an improper configuration. Because such flaws are unintentional, they are hard to detect and can go unnoticed for days, months, or even years.
How do zero-day exploits work?
When attackers identify a previously unknown vulnerability, they write code to target that specific vulnerability and package it into malware. The code, when executed, can compromise a system.
There are various ways for an attacker to exploit zero-day vulnerabilities. One common tactic is distributing malware through phishing emails containing attachments or links with exploits embedded in them. These malicious payloads are executed when users interact with the attachment or link.
A famous zero-day attack involved Sony Pictures Entertainment in 2014 when sensitive information, such as copies of unreleased movies, email communications between top employees, and business plans, was released to the public. The attackers used a zero-day exploit to obtain this information.
Zero-day exploits can adversely affect a business in several ways. In addition to losing valuable or confidential data, customers might lose trust in the business, and the business might have to divert valuable engineering resources to patch the flaw.
How to detect zero-day threats
By definition, zero-day threats are difficult to detect. Several strategies have been developed to help make detection easier:
- Statistics-based detection: Historical data is collected from previous exploits and, using machine learning, a baseline for safe behavior is established; activity that deviates from that baseline is flagged in real time as a potential zero-day threat. However, the approach does not adapt to pattern changes on its own, and new attack profiles must be built to account for changes.
- Signature-based detection: This method has been used since the early days of security monitoring. Existing databases of malware signatures — unique values that indicate the presence of malicious code — are cross-referenced against local files and downloads when scanning for new potential threats. A drawback to this method is that signatures can only identify already known threats, so it cannot detect most zero-day threats.
- Behavior-based detection: User interactions with existing software are analyzed to determine whether they result from malicious activity. Rather than matching known signatures, behavior-based detection models expected behavior and attempts to block any conduct that deviates from it, for example by predicting the normal flow of network traffic and flagging departures from it.
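To make the contrast between signature-based and statistics-based detection concrete, the following is an added Python example, not code from the original article: it scans constructed sample files against a small signature list and compares a host's connection count against a baseline derived from constructed historical data. All hashes, counts and the 3-sigma threshold are made up for illustration.

```python
import hashlib
import statistics

# Constructed signature database for this example (hashes of made-up
# strings, not real malware indicators). Signature-based detection can
# only ever match entries that are already in a list like this.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"known-malware-sample-A").hexdigest(),
    hashlib.sha256(b"known-malware-sample-B").hexdigest(),
}

# Constructed history: outbound connections per minute for one host,
# collected while it was behaving normally.
HISTORICAL_CONNECTIONS = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]


def signature_scan(file_bytes: bytes) -> bool:
    """Signature-based detection: flag a file only if its hash is already known.

    A never-before-seen payload (the zero-day case) hashes to a value that is
    not in the database, so this returns False for it.
    """
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


def build_baseline(history: list) -> tuple:
    """Statistics-based detection, step 1: derive a 'normal' level from history.

    Returns (mean, population standard deviation) of the observed counts.
    """
    return statistics.mean(history), statistics.pstdev(history)


def is_anomalous(observed: int, baseline: tuple, k: float = 3.0) -> bool:
    """Statistics-based detection, step 2: flag a count more than k standard
    deviations above the baseline mean. The baseline is fixed once built,
    which is the adaptation weakness the text describes."""
    mean, stdev = baseline
    return observed > mean + k * stdev


def triage(file_bytes: bytes, observed_connections: int) -> dict:
    """Run both detectors on one download and the host's current behavior."""
    baseline = build_baseline(HISTORICAL_CONNECTIONS)
    return {
        "signature_hit": signature_scan(file_bytes),
        "behavior_hit": is_anomalous(observed_connections, baseline),
    }


if __name__ == "__main__":
    # A novel payload slips past the signature check but the burst of
    # connections it causes is caught by the statistical baseline.
    print(triage(b"never-seen-before-payload", 240))
```

With the constructed history the baseline is a mean of 13.5 and a standard deviation of 1.5, so any minute with more than 18 outbound connections is flagged even though the file itself matched no signature.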
How to prevent zero-day attacks
While no single approach can prevent vulnerabilities from appearing in code, several tactics and tools can minimize risk. Browser isolation and firewalls are the most critical technologies for stopping vulnerability exploits.
Browser isolation
Browsing activity such as opening an email attachment or filling out a form requires interaction with code from untrusted sources, allowing attackers to exploit vulnerabilities. Browser isolation keeps browsing activity separate from end-user devices and corporate networks, so potentially malicious code does not run on the user’s device. Browser isolation can be done in three ways:
- Remote browser isolation: Webpages are loaded and code is executed on a cloud server, away from users’ devices and organizations’ internal networks.
- On-premise browser isolation: This works similarly to remote browser isolation but occurs on an internally managed server.
- Client-side browser isolation: Webpages are still loaded on a user’s device, but sandboxing, a security mechanism to keep programs running separately, ensures the content and code are separate from the rest of the device.
Firewall
A firewall is a security system that monitors incoming and outgoing traffic based on preset security policies. Firewalls sit between trusted and untrusted networks (often the Internet) to protect against threats, block malicious content from reaching a trusted network, and prevent sensitive information from leaving the network. They can be built into hardware, software, or a combination of the two. By monitoring traffic, a firewall can block traffic that targets a security vulnerability before it results in a zero-day exploit.
How does Cloudflare protect against zero-day vulnerabilities?
Remote browser isolation: Cloudflare's remote browser isolation solution conducts a user’s browsing activity in a supervised cloud environment via sandboxing. Since browsing activity is isolated from users’ end devices, those devices are protected from vulnerabilities like zero-day threats.