Zero-day attack in computer terms refers to a new or unknown discovered software vulnerability. It also means an official patch or update to fix the problem has not been implemented or your software vendor may fail to release a patch, until the hacker has exploited the vulnerability. In different words, a zero-day vulnerability is a computer-software vulnerability that is unknown to those who should be interested in mitigating it. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network in the system.
Zero-day attacks are considered a big threat to public or private organizations and are considered very dangerous as only the attacker is aware of their existence. Zero-day attack exploitation can go unnoticed for more than a year, and its “benefits” can be sold on the black-market cloud for a big compensation. In fact, this threat is considered zero-day before and until the day the security analyst or the vendor knows of the attack’s existence, and how many days it has been exploiting the computer system, or its existence in the system since the analyst or the vendor discovered the vulnerability. Thus, day zero is the day the security analyst or the vendor knows of the vulnerability and starts working on a fix for remediation.
Zero-day attacks are very difficult to detect but many techniques and tools exist nowadays to mitigate and help keeping it from propagating through the computer system.
Some of these methods include:
- Statistics-based detection which employs machine learning to collect data from previously detected exploits and create a baseline for safe system behavior. This method has restricted effectiveness and is subject to false positives and false negatives but can still work in a hybrid solution.
- Signature-based detection uses the existing databases of malware and their behavior as a reference when scanning for threats. After using machine learning to analyze and create signatures for existing malware, it can be possible to use signatures to detect previously unknown vulnerabilities or attacks.
- Behavior-based detection also detects malware based on its interactions with the target system. Instead of looking at incoming files code, the solution analyzes its interactions with existing software to predict if it is the result of malicious attack.
- Hybrid detection can combine the three techniques above to take advantage of their strengths while mitigating their weaknesses.
Zero-day attacks are almost impossible to prevent because their existence could stay hidden even after the vulnerability has been exploited in the computer system. However, regularly implementing the patch, always make sure every system is up-to-date. Putting in place a great patch management system can also provide some layer of protection against this threat.