I seem to have spent a fair amount of my time recently talking to a variety of people about “zero days”, and the one thing that has really struck me is that almost everyone has a different view on what a “zero day” actually is... so I figured the time had come to try and add a little clarity to the situation.
For those of you really short on time, let’s be clear: zero days do exist, and they can be highly damaging, but there are many other things that are both easier to fix and offer a greater return on investment for most organizations. So, step 1 should be to fix things like patching and user education before devoting limited resources to the tiny minority of attacks that are truly zero day.
And for those of you with a little more time on your hands, let’s examine why that last paragraph recommends what it does. First things first, we should talk about vulnerabilities and exploits, because whilst the two are clearly linked they are, of course, very different. In simple terms, a vulnerability is a weakness or error in a piece of code. An exploit is a separate piece of code that takes advantage of that vulnerability to enable the bad guys to achieve their goals.
The term “zero day” is valid in both contexts. It’s typically used in reference to an exploit (but not always), and in my experience that is one source of the confusion. As a side note, in the fast-moving world of IT security and malware, confusion among security teams can only ever be a bad thing for those of us working hard to stop the bad guys from profiting. I will try to be clear about which context I’m using throughout this blog.
So, let’s take a look at some of the more common interpretations of “zero day” and examine which ones are valid:
1) “No signature exists in my current antivirus so it can’t detect this ‘zero day’ malware.”
There are more than 725,000 new malware files released each day, but the vast majority of these are simply recompiled versions of existing malware with a new file hash. A new hash does not equal zero day malware.
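To make the “new hash is not new malware” point concrete, here is an added example (my own illustration, not code from the original post). It builds a constructed, harmless stand-in for a malware file, generates “recompiled” variants that differ only in trailing padding, and compares two detection approaches: an exact file-hash blocklist, which misses every variant, and a simple content signature (a hypothetical byte pattern, chosen for the example) that catches them all. The sample bytes, the signature and the function names are all assumptions made for this illustration.

```python
import hashlib
from typing import Dict, List

# Constructed sample: a harmless stand-in for a malware binary. The "marker"
# string plays the role of a code fragment that is shared by every rebuild.
ORIGINAL = b"MZ\x90\x00" + b"marker:contact-c2-and-encrypt-files" + b"\x00" * 16


def sha256_hex(data: bytes) -> str:
    """File hash of a sample, as a hash-based blocklist would store it."""
    return hashlib.sha256(data).hexdigest()


# Hash blocklist: knows only the exact original file.
HASH_BLOCKLIST = {sha256_hex(ORIGINAL)}

# Content signature: a hypothetical byte pattern common to all rebuilds.
CONTENT_SIGNATURES = [b"contact-c2-and-encrypt-files"]


def hash_detects(sample: bytes) -> bool:
    """True only if this exact file has been seen before."""
    return sha256_hex(sample) in HASH_BLOCKLIST


def signature_detects(sample: bytes) -> bool:
    """True if any known content pattern appears in the file."""
    return any(sig in sample for sig in CONTENT_SIGNATURES)


def make_variants(base: bytes, count: int) -> List[bytes]:
    """Simulate the daily churn: each variant appends different padding bytes,
    which changes the file hash without touching the functional code."""
    return [base + bytes([i % 256]) * 8 for i in range(count)]


def detection_summary(samples: List[bytes]) -> Dict[str, int]:
    """Count how many samples each approach catches and how many distinct hashes exist."""
    unique_hashes = {sha256_hex(s) for s in samples}
    return {
        "samples": len(samples),
        "unique_hashes": len(unique_hashes),
        "caught_by_hash": sum(hash_detects(s) for s in samples),
        "caught_by_signature": sum(signature_detects(s) for s in samples),
    }


if __name__ == "__main__":
    variants = make_variants(ORIGINAL, 10)
    print("original:", hash_detects(ORIGINAL), signature_detects(ORIGINAL))
    print("variants:", detection_summary(variants))
```

Running it shows ten variants with ten distinct hashes, none on the blocklist, all matched by the content signature. Every one of those ten would be counted among the day’s “new malware files”, yet none of them is new in any sense that matters to a defender.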
2) “I’ve never seen a piece of malware get delivered like that before”
Cyber criminals are always looking for new ways to deliver their payloads, and they can be pretty creative, but the moniker “zero day” should be reserved for the malware itself and not for the method of distribution.
3) “There is a vulnerability in my system which I haven’t yet got around to patching.”
There are many reasons why patches are not always applied immediately (some of them are even acceptable!), but if a piece of malware ends up exploiting a known and unpatched vulnerability, that doesn’t retroactively turn this (possibly quite old) piece of malware into a zero day.
4) “There is a whole new type of malware”
This must surely count as a ‘zero day’, right? I’m going to argue that it doesn’t. A new type of malware is likely to mean the cyber criminals have different goals. When crypto-malware (or ransomware, as it’s commonly known) began to hit people in force, it indicated that the bad guys had come up with a new way to make money: extortion. But the vulnerabilities being exploited to execute their code, and the mechanisms for delivering that code to their victims’ machines, were the same as before... and on that basis I wouldn’t count it as ‘zero day’.
5) “I’m aware of a newly discovered vulnerability but there is no patch currently available to fix it” (or potentially such a recent patch that there has not been an opportunity to test it within my organization)
In reality this is a rare event. However, I would argue that when there is no patch available, and therefore no way to update systems to protect against the vulnerability, this can be considered a ‘zero-day’ vulnerability.
6) “An unknown vulnerability has been discovered and exploited by the bad guys”
In this example nobody except the cyber criminals is even aware the vulnerability exists, and therefore nobody is even trying to fix it. THIS is a true ‘zero day’ threat... fortunately, though, they are actually pretty rare.
So, what does all this mean from a security perspective?
That’s going to be the subject of my next blog, so watch this space...