Zero-Day Attacks: How to Minimize the Risk and Mitigate the Damage

In the summer of 2020, the iPhones of dozens of Al Jazeera journalists, producers, and other staff members got hacked.  While we always emphasize the importance of responsible digital behavior to prevent cyberattacks – e.g. don’t open email attachments from suspicious senders, don’t enter your credit card information when using public WiFi, etc. – in this instance, no actions were taken or required on the part of the victims.  The attackers exploited a vulnerability in the iOS iMessage app on iPhone 11 devices that were running iOS 13.5.1.

This hack is an example of a zero-day attack, also known as a zero-day exploit.

What is a zero-day attack? Why are they so dangerous?  And what can you do to minimize the risk of such attacks?  Here is everything you need to know.

The danger of a zero-day attack

Zero-day attacks exploit a vulnerability in an existing operating system or software to gain access to a device or a network, and infect it with malware.  The developers of the product are not aware of this vulnerability, which is why, by the time it is discovered by a third party, the developers have had zero days to address it.

Hackers look for such vulnerabilities in software, web browsers, and operating systems.  A zero-day attack can be highly damaging because it catches vendors and their users off-guard.  Fixing the security issue turns into a race against time, as vendors have to release a patch for the vulnerability before more users are impacted.

Not all zero-day vulnerabilities get exploited or are discovered due to a hack.  Often, they are brought to vendors’ attention by “friendly” third parties.  For example, back in October, Google’s Project Zero – a team of security analysts – discovered a vulnerability in the Windows operating system that impacted every version, from Windows 7 to Windows 10.  The team at Google then alerted Microsoft.

Zero-day attacks are relatively rare compared to other types of cyberattacks.  However, that doesn’t make them any less damaging.  The main challenge in battling such attacks is not even creating a patch fast enough; that usually gets done promptly.  The problem vendors face is getting every user to install the update.  Once a vulnerability is discovered, hackers can continue to exploit it until every user has installed the update.  How often do you click “Remind me tomorrow” when your operating system or anti-virus software reminds you to install an updated version?

Protecting your system from zero-day exploits

Due to the nature of zero-day exploits, there is, unfortunately, not much you can do to protect your system.  However, it is crucial that you minimize your system’s exposure to such attacks and the scope of the damage they can cause.

First, regularly monitor your network for suspicious and malicious activities.  Sometimes it takes months to discover a vulnerability in an operating system or software, which means your system could already be infected.  By regularly checking your IT system for suspicious activities, you will minimize the scope of the breach or the damage inflicted by it.
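The article recommends monitoring the network for suspicious activity but does not say what to look for.  Below is an added example (not code from the original article) of one common check: malware that has taken hold on a device often "beacons" to its control server at a fixed interval, which stands out against the irregular timing of human-driven traffic.  The log format (epoch seconds, source IP, destination host) and all sample lines are constructed for the example; real firewall or proxy logs need their own parser.

```python
"""Beaconing detector over constructed outbound-connection log lines.

Added example, not part of the original article.  Assumes a simple
space-separated format:  <epoch_seconds> <src_ip> <dst_host>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts updates.example-cdn.test roughly
# every 60 s with very little jitter (beacon-like); the rest of the traffic
# is irregular and spread over several hosts.
SAMPLE_LOG = """\
1600000000 10.0.0.5 updates.example-cdn.test
1600000061 10.0.0.5 updates.example-cdn.test
1600000119 10.0.0.5 updates.example-cdn.test
1600000180 10.0.0.5 updates.example-cdn.test
1600000241 10.0.0.5 updates.example-cdn.test
1600000299 10.0.0.5 updates.example-cdn.test
1600000012 10.0.0.7 mail.example.test
1600000500 10.0.0.7 mail.example.test
1600000015 10.0.0.5 mail.example.test
1600000900 10.0.0.9 mail.example.test
1600000030 10.0.0.9 docs.example.test
1600000077 10.0.0.9 docs.example.test
1600000400 10.0.0.9 docs.example.test
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def find_beacons(events, min_events=5, max_cv=0.2):
    """Return {(src, dst): mean_interval_seconds} for source/destination pairs
    whose connection timing is suspiciously regular: at least min_events
    connections and a coefficient of variation (stdev / mean of the gaps)
    below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons[pair] = round(avg, 1)
    return beacons


def find_rare_destinations(events, max_hosts=1):
    """Return destinations contacted by at most max_hosts distinct sources.
    A destination only one machine talks to is not proof of anything, but
    it is a useful second signal next to a beaconing pattern."""
    hosts_per_dst = defaultdict(set)
    for _, src, dst in events:
        hosts_per_dst[dst].add(src)
    return sorted(d for d, hosts in hosts_per_dst.items() if len(hosts) <= max_hosts)


def analyze(text):
    """Run both checks over a log and return their findings together."""
    events = list(parse_log(text))
    return {
        "beacons": find_beacons(events),
        "rare_destinations": find_rare_destinations(events),
    }


if __name__ == "__main__":
    for finding, value in analyze(SAMPLE_LOG).items():
        print(finding, value)
```

On the sample log the beacon check flags only the 10.0.0.5 to updates.example-cdn.test pair (about a 60-second interval), while the rare-destination check also flags the harmless docs.example.test, which only one host happened to use.  That is the point of combining signals: a destination that is both rarely visited and contacted on a timer is worth an analyst's attention, and either signal alone is noisy.  The thresholds (five events, 20% jitter) are starting points to tune against your own traffic.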

Firewalls play an important role in providing control over inbound and outbound connections.  However, make sure your firewall rules are kept up to date.

DNS-layer security (e.g. Web Titan and Cisco Umbrella/Talos) can help block requests to known malicious destinations at the name-lookup stage, by refusing to resolve the name or answering with a harmless “sinkhole” address instead, which, in turn, helps prevent sensitive data from being exfiltrated.
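To make the DNS-layer idea concrete, here is an added example (not code from the article or from any of the vendors it names) that models what a filtering resolver does: every lookup is compared against a blocklist, and a match on the name or on any of its parent domains is answered with a non-routable sinkhole address rather than the real one, and logged for the security team.  The blocklist entries, upstream answers and the .test domains are constructed for the example.

```python
"""DNS-layer blocklist filter.

Added example, not part of the original article and not any vendor's
product code.  The upstream resolver is stood in for by a dict.
"""

SINKHOLE_IP = "0.0.0.0"  # constructed: non-routable answer returned for blocked names


def normalize(name):
    """Canonical form for comparison: trimmed, no trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def load_blocklist(text):
    """Parse a blocklist feed; '#' comments and blank lines are ignored."""
    names = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            names.add(normalize(entry))
    return names


def is_blocked(name, blocklist):
    """True if the name itself or any parent domain is on the blocklist.

    Walking up the labels catches throwaway subdomains under a blocked
    apex without listing each one, while avoiding plain substring matching
    (so 'notevil-c2.test' is not caught by an entry for 'evil-c2.test')."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name, blocklist, upstream, log):
    """Return the address to answer with.  Blocked names get the sinkhole
    address and a log entry; everything else is looked up upstream."""
    if is_blocked(name, blocklist):
        log.append(f"BLOCKED {normalize(name)}")
        return SINKHOLE_IP
    return upstream.get(normalize(name))


# Constructed sample feed and upstream answers.
BLOCKLIST = load_blocklist("""
# constructed feed of known-bad apex domains
evil-c2.test
Tracker.EXAMPLE.test.   # trailing dot and mixed case are normalized
""")

UPSTREAM = {
    "www.example.test": "192.0.2.10",
    "abc123.evil-c2.test": "198.51.100.7",
}


def demo():
    """Resolve three sample queries and return (answers, block log)."""
    log = []
    queries = ("www.example.test", "abc123.evil-c2.test", "notevil-c2.test")
    answers = {q: resolve(q, BLOCKLIST, UPSTREAM, log) for q in queries}
    return answers, log


if __name__ == "__main__":
    answers, log = demo()
    for query, address in answers.items():
        print(f"{query:28} -> {address}")
    print("\n".join(log))
```

The query for abc123.evil-c2.test never receives the real address, so a program on the endpoint that only knows its control server by name cannot reach it, and the BLOCKED log line is the detection event a monitoring team can alert on.  Note the limitation: malware that connects to a hard-coded IP address bypasses DNS filtering entirely, which is why the article pairs it with firewall controls and endpoint detection.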

Keep your software and browsers up to date.  In fact, instead of letting your employees manually install updates, make such updates automatic and non-optional.  This will ensure that if your devices have not yet been impacted by a zero-day attack, they will be safeguarded against it with a security patch the minute it’s released.

Protect your digital infrastructure with strong anti-malware software or endpoint detection and response solutions.  Whitelisting/blacklisting applications will allow you to establish strict control over critical endpoints by preventing any programs that are not pre-approved from running.

Make sure the endpoint detection and response solution you pick uses behavioral/heuristic detection that can block and quarantine potentially malicious programs based on their behavior, rather than merely scanning against a vulnerability or signature database.

Keep the software up to date.  If a different party suffers a zero-day attack due to a vulnerability in the same software, the updated version will most likely include a patch for that vulnerability, protecting your organization.  If, however, a patch is expected to take a while to develop, your vendor should provide you with a “kill switch”: a scan for the malware itself, or for specific processes or tools associated with it, that shuts down your system in case a threat is identified.

Finally, encrypt your data, set up multi-factor authentication for access to data, and regularly train your employees on safe digital habits.  In the event of a successful attack, these actions will help minimize the damage by limiting the attackers’ access to data.