Defining Zero-Day Exploits, Vulnerabilities, and Attacks
When a flaw in computer code has the potential to be exploited by hackers, that creates a zero-day vulnerability. If developers and IT departments have no advance warning of the bug, they are said to have “zero days” to repair the damage and block the threat.
In many cases, the zero-day vulnerability was present when the code was developed. Hackers may discover the flawed code and resulting vulnerability, even when the issue is undetected by developers, IT teams, and business users.
Hackers then take advantage of the vulnerability in a zero-day exploit—developing hard-to-detect malware or viruses—and further leverage the exploit to launch a zero-day attack.
Zero-day attacks can pose a serious threat to an organization’s cybersecurity and data integrity. When the infected software is launched or a system is booted, the preexisting malware can infect the application, operating system (OS), firmware, and/or system memory, compromising the data and functionality of an individual device or an entire network.
How Zero-Day Attacks Work
Hackers sometimes weaponize and sell exploit kits on the dark web. Other hackers pay for these exploit kits so they can launch their own zero-day attacks, including lucrative ransomware, cryptojacking, or other advanced threats, multiplying the number of potential attacks.
In a zero-day attack, hackers may take advantage of an active exploit kit or malware that was designed around a known flaw in the code of an application, OS, or other software resource. If the malware is a new variant, or if it has no unique signature or behavior pattern, it may escape detection by security software solutions.
Targets of Zero-Day Exploits
Software as a Service (SaaS) vendors and managed service providers (MSPs) are popular targets for zero-day exploits because those entities share software updates directly with many organizations. One zero-day exploit on a SaaS or MSP has the potential to scale quickly.
One variant of a zero-day exploit is called a software supply chain attack because it infiltrates a software application, OS, or update prior to its distribution. In a supply chain attack, the malware is deployed within legitimate code, so the malicious signature and behavior are masked.
These threats are defined as “fileless” malware because they do not require a download or installation to the target system. Instead, the malicious code can hijack legitimate system tools and operate in memory without ever being stored on the hard drive.
Detecting Zero-Day Exploits
A zero-day attack might generate unexpected traffic or suspicious activity, so IT or security experts can sometimes detect zero-day attacks by scanning internet traffic, examining code, and deploying malware detection technologies. Even though zero-day exploits are new and unknown, they may share some common characteristics with known malware.
Clues might be found in the behavior of the suspicious code and the nature of its interactions with the target system. With the application of machine learning, an unusual pattern of behavior can often be detected and flagged for inspection.
Some zero-day threats elude detection, however, and are instead discovered by a user who notices that the software program is behaving in a suspicious way. In other cases, an observant or lucky developer may recognize a zero-day vulnerability before the code is released, so an actual attack can be prevented.
Preventing Zero-Day Attacks
Zero-day attacks pose a serious challenge to IT teams. Reducing the likelihood of an attack requires a multilevel cybersecurity strategy to proactively address known threats and prepare for the unknown through best practices and by securing endpoint devices.
Proactive Measures
Vigilant attention to code inspection, patching, and maintenance can help to reduce an organization’s vulnerability to zero-day attacks.
Antivirus software and frequent scanning can also help detect known malware and prevent many security breaches. When flaws are discovered and fixed, developers and users in the US log them in a list of Common Vulnerabilities and Exposures (CVEs) that is maintained and disseminated by the US Department of Homeland Security with support from many tech companies. Likewise, the European Union Agency for Cybersecurity (ENISA) is working on a regional database for coordinated vulnerability disclosure (CVD) to include data and reports from EU member countries.
IT teams should stay updated on the latest CVEs and verify that their security solutions take all known threats into account.
Further, zero-day attacks can take the form of fileless malware that bypasses software-only security solutions and insinuates itself directly into system memory. In addition to software-based protections, organizations can add another level of defense by deploying endpoint devices with built-in, hardware-enabled security capabilities.
Beyond technical solutions, preventing cyberattacks also includes an employee training component, as individual system users are often targeted by hackers. Some hackers disseminate malicious code—including zero-day malware—through social engineering or phishing schemes. To combat this threat, individual users must be trained to avoid interacting with suspicious applications and files that may be delivered via email, text, or browsers.
Threat Detection and Patch Management
Most cybersecurity strategies and tools rely on prior knowledge of a specific flaw, exploit, or cyber threat. For example, it is always a good practice to keep software fully updated with consistent, proactive patch management. However, because zero-day vulnerabilities are still undiscovered, patches will not yet be available.
Signature-based detection is another feature of traditional antivirus solutions. Known malware variants have unique characteristics that can be discovered and blocked. Again, zero-day malware is not known, and therefore, its signature will not be recognizable.
This is where hardware-based security features can be best used to augment and strengthen software-only solutions. Security at the hardware level can help to detect and defend against zero-day malware that attacks system memory, firmware, the BIOS, or other supporting layers of the technology stack below the OS or application software.
The right hardware can also accelerate compute-intensive encryption that protects data and help to reduce the system’s attack surfaces. Hardware-based accelerators may also support artificial intelligence (AI) to improve pattern recognition and identify anomalous behavior.
When security software is optimized for these hardware features, it can be more effective at detecting anomalous behavior in an application or other code. Those anomalies can be powerful indicators of zero-day attacks and other advanced threats.
Examples of Zero-Day Attacks
In 2020, a large IT firm in the US was the target of a zero-day attack. Hackers added malicious code to the company’s software, and the company unknowingly distributed the tainted code to its customers as part of a routine update. Ironically, the compromised software was a network monitoring product.
The malware installed a “back door” to gain access to the company’s customers. The breach was not discovered for months, leading to zero-day vulnerabilities at as many as 18,000 organizations, including hundreds of large corporations and government agencies, according to a report by the Wall Street Journal.1
Also in 2020, hackers gained access to older PCs with outdated software with a zero-day attack aimed at a popular videoconferencing platform. The hackers were able to control users’ PCs remotely and steal an estimated 500,000 passwords, which were then offered for sale on the dark web.2
Guard Against Zero-Day Exploits with the Intel vPro® Platform
The Intel vPro® platform delivers hardware-enabled security features that help protect all layers of the computing stack from zero-day attacks and other advanced threats. These unique capabilities help to reduce the attack surface of the system by locking down critical resources so malicious code is prevented from compromising the OS, applications, memory, and data.
Intel® Hardware Shield
The Intel vPro® platform’s security capabilities are based on Intel® Hardware Shield, a set of features enabled in silicon. Intel® Hardware Shield helps reduce the risk of malware infection, including zero-day attacks, by locking down memory in the BIOS when software is running. Intel® Hardware Shield supports secure boot, so malware is less likely to compromise the OS. Many leading security software solutions are optimized for Intel® Hardware Shield to take advantage of accelerated, hardware-based encryption and help prevent cyberattacks.
- Intel® Threat Detection Technology (Intel® TDT) helps security software vendors to strengthen their endpoint security solutions by augmenting and enhancing the behavioral detectors in their own security solutions with hardware-based sensors that profile malware as it executes on the CPU. Intel® TDT interacts with hardware-based telemetry to help discover zero-day vulnerabilities and other advanced threats.
- Intel® TDT Anomalous Behavior Detection (ABD) is a component of Intel® TDT that helps uncover the hard-to-detect cyberattacks that infiltrate applications or valid system processes. These malware variants can become zero-day threats because they are hidden within legitimate processes and can elude behavior-based detection methods. ABD tracks software execution within the CPU and builds dynamic AI models of application behavior. It then compares unusual or anomalous behavior against the “known good” models to discover hidden threats.
- Intel® Control-Flow Enforcement Technology (Intel® CET) is a capability of the 11th Gen and 12th Gen Intel® Core™ mobile processors. Intel® CET helps to defend against attacks on system memory.
Multilayered Approaches to Zero-Day Protection
Zero-day exploits and attacks are elusive, but a multilayered approach can help to protect vulnerable devices, users, and networks.
As a first step, IT teams should maintain robust, proactive security solutions such as antivirus software and patch management. It is also important to educate users to abide by security policies, choose strong passwords, avoid interacting with suspicious code, and protect personal information that could be leveraged by hackers.
Software-based solutions may not always provide sufficient protection against zero-day attacks, however, and a comprehensive approach should also include a hardware-based security layer. Endpoint devices based on the Intel vPro® platform augment security software with hardware-enabled capabilities that help to reduce the system’s attack surface and defend the entire technology stack from zero-day threats.