What Does it Mean to Be Zero-Day?

A zero-day vulnerability is a software vulnerability that is not yet known to the vendor or to defenders, so it can be exploited quietly before security teams are aware of its presence. Zero-day is an amorphous concept; it refers to the period of time between the introduction of the software defect and the availability of a fix. This creates a unique security posture situation rife with risk.

Each zero-day has its own unique story, and not every zero-day has a crushing impact. The magnitude of a zero-day exploit depends on many factors, including the organization’s industry, size and more. Organizations storing valuable business or financial data, such as intellectual property (IP) or banking information, are more obvious choices for attackers.

Many of the defects that fall under the umbrella of application security can be considered zero-day vulnerabilities, but they are often unique to an application and, as such, will never be tracked in a common vulnerabilities database.

A good example of this is a common web application defect—cross-site scripting (XSS). This defect stems from a fundamental weakness of HTML, which does not distinguish untrusted data from markup, and it requires high developer awareness to identify and remediate. XSS is a client-side attack, meaning that for the attack to succeed, a victim must load the attacker’s payload (click a link or visit a webpage) using their browser. The payload will then perform the attacker’s actions on the site vulnerable to XSS in the victim’s name.
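As an added illustration (not part of the original article, and not code from the author or Enso Security), the following Python snippet shows the server-side pattern behind a reflected XSS defect next to its hardened form. The sample input, the two render functions, safe_href and reflects_raw_markup are all constructed for this example; html.escape and urlparse are from the Python standard library.

```python
import html
from urllib.parse import urlparse

# Constructed sample input: a search term as it might arrive in a query string.
# It carries markup so the difference between the two renderers is visible.
UNTRUSTED_INPUT = '<script>alert("xss")</script>'


def render_vulnerable(search_term: str) -> str:
    """'Before' form: the untrusted string is concatenated straight into HTML,
    so any markup it carries is parsed by the victim's browser as page content."""
    return f"<p>Results for: {search_term}</p>"


def render_hardened(search_term: str) -> str:
    """Hardened form: HTML-entity encoding for the element-content context.
    quote=True also encodes quotes, which matters if the same value is ever
    placed inside an attribute."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


def safe_href(url: str) -> str:
    """Encoding is context dependent: inside an href, entity encoding alone does
    not neutralise a javascript: URL, so the scheme is allow-listed first."""
    if urlparse(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def reflects_raw_markup(page: str, untrusted: str) -> bool:
    """Lightweight check for a template review or test suite: is the untrusted
    value present in the output verbatim, angle brackets included?"""
    return ("<" in untrusted or ">" in untrusted) and untrusted in page


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = renderer(UNTRUSTED_INPUT)
        print(f"{name}: reflects raw markup = {reflects_raw_markup(page, UNTRUSTED_INPUT)}")
        print("   ", page)
```

The point of the two renderers side by side is that the fix is output encoding chosen for the context the value lands in (element content, attribute, URL), not input filtering; reflects_raw_markup is the kind of assertion a test suite can run against every template so the defect is caught before it reaches production.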

The inherent threat in these types of attacks is that a motivated malicious actor will orchestrate a full campaign to identify XSS, build an attack framework and a weaponized exploit and distribute the payloads widely to target as many victims as possible. This threat is not relevant to every business and, as such, the industry has marked XSS as having a varying level of impact.

Organizations in the finance industry, such as online banking and payment systems, are lucrative targets for such attack vectors given the high level of impact. This is clearly reflected in the compliance standards organizations in this vertical are subject to, such as Payment Card Industry (PCI) compliance, which demands that certain technical and operational standards be met to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. An organization that would be impacted less severely by the same vulnerability—say, a crowdsourcing service—could have a different strategy to mitigate it, such as using a bug bounty program that pays anywhere from $50 to $5,000.

Measuring the Severity of Zero-Day Impact

The following zero-day impact chart illustrates the severity of impact on a given organization based on industry type and the timeline of the vulnerability.

[Figure: zero-day impact chart]

Create an SBOM Database

Make sure your organization maintains a query-based software bill of materials (SBOM) database for all assets. This type of database will allow you to search for an affected component or defect by name and get a record of its use in every asset of your application environment. This is your fastest path to mitigation.
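An added example, not code from the article or from Enso Security, of the query-based SBOM database the paragraph describes: a few constructed CycloneDX-style component lists are loaded into an in-memory SQLite table and queried by component name, optionally restricted to versions older than a fix. The asset names, package names, versions and the parse_version helper are all assumptions made for illustration.

```python
import sqlite3
from typing import Optional

# Constructed sample SBOMs (CycloneDX-style fields; assets and packages are fictitious).
SAMPLE_SBOMS = {
    "billing-api": [
        {"name": "acme-logging", "version": "2.14.1", "purl": "pkg:maven/com.acme/acme-logging@2.14.1"},
        {"name": "acme-json", "version": "2.12.3", "purl": "pkg:maven/com.acme/acme-json@2.12.3"},
    ],
    "customer-portal": [
        {"name": "acme-logging", "version": "2.17.1", "purl": "pkg:maven/com.acme/acme-logging@2.17.1"},
        {"name": "acme-ui", "version": "17.0.2", "purl": "pkg:npm/acme-ui@17.0.2"},
    ],
    "internal-wiki": [
        {"name": "acme-web", "version": "3.2.5", "purl": "pkg:pypi/acme-web@3.2.5"},
    ],
}


def build_sbom_db(sboms: dict) -> sqlite3.Connection:
    """Flatten the per-asset component lists into one queryable table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE components (asset TEXT, name TEXT, version TEXT, purl TEXT)")
    rows = [
        (asset, c["name"], c["version"], c["purl"])
        for asset, comps in sboms.items()
        for c in comps
    ]
    conn.executemany("INSERT INTO components VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def parse_version(version: str) -> tuple:
    """Numeric dotted versions only ('2.14.1' -> (2, 14, 1)); a pre-release
    suffix such as '-beta' is dropped. Real ecosystems need their own rules."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def assets_using(conn: sqlite3.Connection, name: str, fixed_in: Optional[str] = None) -> list:
    """Assets that ship `name`; with fixed_in, only those still below the fix.
    The query is parameterized so the component name is never spliced into SQL."""
    cur = conn.execute(
        "SELECT asset, version FROM components WHERE name = ? ORDER BY asset",
        (name,),
    )
    hits = []
    for asset, version in cur:
        if fixed_in is None or parse_version(version) < parse_version(fixed_in):
            hits.append((asset, version))
    return hits


if __name__ == "__main__":
    db = build_sbom_db(SAMPLE_SBOMS)
    print("all users of acme-logging:", assets_using(db, "acme-logging"))
    print("still below 2.15.0:", assets_using(db, "acme-logging", fixed_in="2.15.0"))
```

When a zero-day in a component is announced, the first question is "where do we run this?", and a table like this answers it in one query; the fixed_in filter then turns that list into the remediation queue once the vendor publishes a patched version.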

Create a Zero-Day Policy

If your organization has yet to create a zero-day strategy and set out a playbook or a recommended course of action, we recommend that you make this a priority. This playbook must span the entire organization and must take into account stakeholder agreement on risk calculation and relevant costs, an agreed-upon approach to managing critical defects and the SLA of the remediation process.

Challenge and Assess Your Zero-Day Response

In application security, as in life, you must constantly challenge, test and adjust your tools and methods. Deploying solutions—whether a firewall, antivirus or a scanner—is important, but deploying them does not solve AppSec on its own. Organizations are living organisms, constantly evolving as business priorities and production environments rapidly grow and change. An organization must remain flexible and agile by incorporating existing tools and combining them with new solutions, services and context to form a lean, mean security machine that leaves no stone unturned and no room for doubt. Constantly testing and assessing your tools and methods gives you a better chance of uncovering the next zero-day defect.

Chen Gour-Arie

Chen Gour-Arie is co-founder and chief architect at Enso Security.
