What is a Zero Day Attack?
“Better the devil you know than the devil you don’t.” someone important, probably
A zero-day is the devil you don’t know. Whether you’re talking about a previously unknown software vulnerability, or the code used to exploit it, zero-days can make a security practitioner’s life a living hell. There’s no way to prevent them, that’s kind of the point, but you can reduce the impact of a zero-day attack on your company by detecting it before too much, if any, damage is done.
At its core, a zero-day vulnerability is a flaw in software or hardware that is unknown to the programmers who wrote it and can be exploited by bad actors before anyone realizes it’s there.
Zero days aren’t new but they are significantly more prevalent now. There is an entire ecosystem based on selling the various zero-day vulnerabilities and exploits. The black market for this type of information is massive and frequented by individual hackers, corporations, and entire nation states looking for information to either protect them or give them an edge. Additionally, as everything becomes more interconnected through IoT, like your car, refrigerator, or even a fish tank, the attack surface continues to grow. More accessibility for you means more accessibility for the bad guys as well.
There have been a number of zero-day attacks and vulnerabilities in the past few years that have consumed media cycles and introduced the general public to just what is at stake as we all share more information online, including:
- Heartbleed – An OpenSSL exploit that was disclosed in 2014 and the first major security bug to have its own logo and website. It was the first exploit to have its own “brand,” and could literally break the internet better than any Kardashian.
- Shellshock – On the heels of Heartbleed, 2014 also gave us Shellshock, vulnerability in the command shell Bash and a “perfect 10” CVSS score. It affected Unix and Linux systems used by countless websites, servers, along with many other systems, putting them all at risk.
- Stagefright – This group of bugs could lead to remote code execution and privilege escalation on a vulnerable Android user’s device, all through an MMS. Stagefright was disclosed on stage at Black Hat in 2015.
- Meltdown and Spectre – The two most recent zero day vulnerabilities to be disclosed to incite panic among security teams, Meltdown and Spectre were disclosed in January 2018, and kicked off the New Year with a bug. The hardware vulnerabilities affected nearly all of the computer chips currently in use today and the mess caused by insufficient remediation and patches nearly outweighed the damage of the exploit itself.
One thing these zero-day vulnerabilities all have in common, besides being named after scary things, is that their disclosure has created a huge shift in how enterprises think about and protect everything from their customer data to their own production environments. That’s a big part of why continuous security (or DevSecOps, if we must) is so critical.
When it comes to production environments in particular, zero-days exploits are the number one cause of attacks on hybrid cloud environments. A study we sponsored with ESG Research revealed that 42% of organizations reported an attack on their hybrid cloud environment in the last year, with 28% pointing to a zero-day exploit as the origin. There’s no way you’re going to find (or patch) all of the vulnerabilities and for most organizations, Linux kernel security updates are among the most disruptive security updates. There is a large amount of planning and time required to execute them successfully which either delay or stop folks from making the updates altogether.
If you’re worried about zero-day attacks and are looking to add detection as part of your security strategy, request a demo here to see how Capsule8 can help you protect your cloud-native environment and legacy Linux infrastructure.