It seems like I've spent a lot of time talking about zero-days with different people lately, and the one thing that really struck me is that almost everyone has a different opinion about what a zero-day actually is. So I thought it was time to try to make the situation a little clearer.
For those of you who don't really have the time, let's face it: zero-days exist and they can be very damaging, but there are many other problems that are easier to fix and offer a better return on investment for most organizations. Therefore, step 1 should consist of fixing the basics, such as patching and user training, before directing limited resources at the very small minority of attacks that involve a zero-day.
And for those of you who have a little more time, let's see why that last paragraph recommends what it does. First of all, we have to talk about vulnerabilities and exploits, because although the two are clearly related, they are of course very different from each other. Simply put, a vulnerability is a weakness or an error in a piece of code. An exploit is a separate piece of code that uses that vulnerability to let the bad guys achieve their goals.
The term zero-day applies in both contexts. It is usually used in the context of exploits (but not always), and in my experience this creates some confusion. It should be noted that in the rapidly changing world of computer security and malware, confusion among security teams can only hurt those of us who work hard to prevent the bad guys from making a profit. I will try to clarify the sense in which I use the term in this blog.
So let’s take a look at some of the most common interpretations of zero-day and see which ones are valid:
1) My current antivirus program has no signature, so it cannot detect this zero-day type of malware.
More than 725,000 new malware files are released every day, but the vast majority are simply recompilations of existing malware with a new file hash. A new hash is not the same thing as zero-day malware.
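To make that point concrete, here is an added example (not code from the original post) that contrasts an exact-hash signature with a content-based signature over two constructed "builds" of the same sample family. The byte strings, the build tag and the pattern are all constructed stand-ins, not real malware artifacts; the idea is that a recompiled or re-padded file gets a new SHA-256 while the bytes that actually matter to detection are unchanged.

```python
import hashlib

# Constructed stand-in for a family's core code: every "build" shares these bytes.
# (Plain ASCII markers, not real executable content.)
CORE_BYTES = b"MZ\x90\x00" + b"CALL_WINAPI_CryptEncrypt;DROP_RANSOM_NOTE;"

# Content signature in the spirit of a YARA string rule: a byte pattern taken
# from the shared core, which survives a rebuild that only changes metadata.
FAMILY_PATTERN = b"CALL_WINAPI_CryptEncrypt;DROP_RANSOM_NOTE;"


def build_sample(build_tag: bytes) -> bytes:
    """Constructed 'recompile': identical core bytes, only a trailing build tag differs."""
    return CORE_BYTES + b"BUILD=" + build_tag + b"\x00" * 8


def sha256_hex(data: bytes) -> str:
    """Exact file hash, the only thing a hash-based blocklist knows about."""
    return hashlib.sha256(data).hexdigest()


# A hash blocklist seeded with the one build the defender has already seen.
KNOWN_HASHES = {sha256_hex(build_sample(b"20240101"))}


def hash_signature_detects(sample: bytes) -> bool:
    """True only if this exact file has been seen before."""
    return sha256_hex(sample) in KNOWN_HASHES


def content_signature_detects(sample: bytes) -> bool:
    """True if the family's core byte pattern is present, whatever the file hash."""
    return FAMILY_PATTERN in sample


def compare_detectors(sample: bytes) -> dict:
    """Summarise how each detector treats one sample."""
    return {
        "sha256": sha256_hex(sample),
        "hash_match": hash_signature_detects(sample),
        "content_match": content_signature_detects(sample),
    }


if __name__ == "__main__":
    known_build = build_sample(b"20240101")   # already in the blocklist
    rebuilt = build_sample(b"20240102")       # same code, new tag, new hash
    for name, sample in (("known build", known_build), ("rebuilt", rebuilt)):
        print(name, compare_detectors(sample))
```

Run stand-alone, the rebuilt sample shows a different SHA-256 and misses the hash blocklist while still matching the content signature, which is exactly why a fresh hash on its own says nothing about whether the code is new.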
2) I have never seen malware delivered this way before.
Cybercriminals are always looking for new ways to spread their payload, and they can be very creative, but the label zero-day should be reserved for the malware itself, not the method of distribution.
3) There is a vulnerability in my system that I haven’t fixed yet.
There are many reasons why patches are not always applied immediately (some are even acceptable!), but if a piece of malware ultimately exploits a known and unpatched vulnerability, that does not make this (perhaps quite old) malware a zero-day.
4) There is a whole new type of malware.
Isn't that supposed to count as a zero-day? I'll argue that it doesn't. A new type of malware usually means that cybercriminals have new targets. When crypto-malware (or, as you probably know it, ransomware) started hitting people in earnest, it showed that the bad guys had come up with a new way to make money: extortion. But the vulnerabilities used to execute their code, and the mechanisms used to deliver that code to their victims' machines, were the same as before. Given that, I wouldn't consider it a zero-day.
5) I am aware of a recently discovered vulnerability, but there is currently no patch to fix it (or perhaps a patch so new that it has not been possible to test it in my organization).