Zero-day threats have been rapidly increasing, and that’s dangerous for organizations and government agencies alike. In 2022, SonicWall observed 35 zero-day threats being actively exploited. Threat actors have been ramping up their search for zero-day vulnerabilities due to the higher reward potential a zero-day exploit has.
To mitigate risk, businesses of all sizes need to be aware of zero-day exploits and prepared for a scenario in which their organization is targeted.
Defining a Zero-Day Threat
News outlets tend to sensationalize any unpatched vulnerability by calling it a “zero-day threat,” but truthfully, until it’s actively being exploited by a threat actor, it’s only research. A true zero-day threat is an unpatched, undiscovered vulnerability that is being leveraged in the wild to exploit a business right now. That’s not just an opinion, either — the National Institute of Standards and Technology (NIST) defines a zero-day as follows: An attack that exploits a previously unknown hardware, firmware or software vulnerability. Any vulnerability can be serious, but if the vulnerability isn’t yet actively exploited, it gives your security team more time to implement a thoughtful solution to the problem.
The Drive Behind Zero Days
Threat actors exploit zero-day vulnerabilities to infiltrate widely adopted technology and software. The more users a given app, operating system or other software has, the more valuable it is to cybercriminals. That’s why 75% of zero-day exploits target Microsoft, Apple and Google products. Software with a higher adoption rate offers greater opportunities for bad actors to steal credentials and personal information, deploy ransomware, and more — which means more financial gain if they’re successful. A good zero-day exploit can fetch millions of dollars on the open market.
The Blurred Lines of the Zero-day Market
Zero-day exploits are a hot commodity. It’s not just criminals who want to purchase zero days — there are white-market brokers, gray-market brokers and black-market brokers all competing to purchase and sell zero-day threats.
The white market typically pays the least. It consists of bug bounty programs, usually run by the original developers of the software, that pay security researchers for any vulnerability they can find.
The gray market is made up of companies that bid large amounts to purchase zero-day threats. Some companies offer millions of dollars for the highest-risk vulnerabilities with active exploits. Once purchased, those organizations then resell the data to companies that need to protect themselves from the vulnerability. The gray market overlaps with both the black and the white market. Gray-market buyers can also be clients from the private sector, brokers who are looking to resell exploits, or even governments looking to use the exploits for intelligence gathering or other purposes.
The black market is made up of threat actors and cybercriminal gangs. They have the capital to bid against the gray-market companies and pay top dollar for the most sought-after exploits on the market. Cybercriminals view purchasing zero-days the same way a business owner views investing money back into their business.
This is one of the reasons people think businesses should be banned from paying ransoms to cybercriminals who have taken their data and assets hostage: it perpetuates cybercrime.
On the perimeter of this zero-day market are nation-states. Nation-states can be good guys or bad guys in this market. Some nation-states may be purchasing zero days to use maliciously, such as the Lazarus ransomware gang, which is largely thought to be run by the North Korean government. Other governments purchase zero days to hold for intelligence gathering or to keep them off the cybercriminal market.
The zero-day market has a diverse group of buyers and sellers. Whether they are acting maliciously or working to help protect people’s data, they all contribute to the market of zero-day threats.
Dark Web Markets
While much of the white market for vulnerabilities is transparent and exists out in the open, gray-market and black-market transactions are typically going to take place on the dark web. The dark web can only be accessed using specific browsers and software, and we don’t condone visiting it. Threat actors use the dark web, and these markets in particular, like a sort of hacker flea market. With a special web browser and a bit of know-how, threat actors can purchase zero-day exploits almost instantly.
Zero-Day Risk Levels
As scary as zero-day threats are, they actually make up a relatively small percentage of all vulnerabilities. As previously mentioned, in 2022 SonicWall observed just 35 zero-day vulnerabilities being exploited out of a pool of over 25,000 observed vulnerabilities. While zero-day exploits can be much more dangerous than other vulnerabilities, businesses shouldn’t focus all their efforts on preventing a zero-day exploit when most of the vulnerabilities leveraged by threat actors already have patches or other remedies available.
There are a multitude of options for businesses looking to protect their networks, users and assets against not only zero-day threats, but all vulnerabilities. SonicWall’s Real-Time Deep Memory Inspection™ (RTDMI) harnesses the power of artificial intelligence to identify both known and zero-day exploits. The combination of SonicWall’s Capture ATP multi-engine sandbox with RTDMI can even detect threats that don’t yet show signs of being malicious. Aside from hardware and software solutions, businesses can also protect themselves with actionable threat intelligence and thoughtful procedures.
Know Your Systems: Business leaders need to understand their risk posture and attack surfaces in depth. If you have a solid grasp on your own risk posture, you can narrow down which threats present a greater danger to your specific industry or geographic location. Actionable threat intelligence is key to fully understanding industry-specific risks and what to be watching for on your perimeter.
Prioritize Patching: If your cybersecurity team finds a vulnerability in your systems that isn’t currently being exploited, take a thoughtful approach to implementing a patch. If you rush out an emergency patch, you may create even more vulnerabilities down the line. Prioritizing thoughtful patching when it’s an option is an important part of ensuring your attack surfaces remain as small as possible.
Vulnerability Procedures: It’s a business imperative to have precise procedures in place in the event that your team does find a vulnerability in your systems.
Utilize Free Resources: The Cybersecurity & Infrastructure Security Agency (CISA) has multiple free resources that can act in tandem with your other security measures to benefit your organization. CISA has an email list for Known Exploited Vulnerabilities (KEV) that is free to sign up for. The KEV list is a continuously updated list of exploits that are being seen in the wild. It’s completely free, actionable threat intelligence.
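One way to turn the KEV list into a patch queue, as an added example that is not part of the original article or any SonicWall or CISA tool: the sample feed below is constructed in the shape of CISA's public KEV JSON (field names assumed to match that feed; CVE IDs, vendors, products and dates are placeholders), and the inventory of what the organization runs is likewise constructed. Entries that match the inventory are ordered so that overdue items come first, then those CISA marks as used in ransomware campaigns, then the nearest due date, which is the "Prioritize Patching" step applied to the in-the-wild list rather than to every CVE.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (assumed field names;
# placeholder IDs, vendors and dates).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2023-03-01", "dueDate": "2023-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mailer",
     "dateAdded": "2023-02-10", "dueDate": "2023-03-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Kiosk",
     "dateAdded": "2023-03-05", "dueDate": "2023-03-26", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: (vendor, product) pairs the organization actually runs.
INVENTORY = {("examplevendor", "gateway"), ("examplevendor", "mailer")}


def kev_entries(feed_json):
    """Parse the feed text into its list of vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(entries, inventory):
    """Keep only entries whose vendor/product pair appears in our inventory."""
    return [e for e in entries
            if (e["vendorProject"].lower(), e["product"].lower()) in inventory]


def prioritize(entries, today):
    """Order: overdue first, then ransomware-linked, then nearest CISA due date."""
    def key(e):
        due = date.fromisoformat(e["dueDate"])
        return (due >= today, e["knownRansomwareCampaignUse"] != "Known", due)
    return sorted(entries, key=key)


def patch_queue(feed_json, inventory, today_iso):
    """Return the CVE IDs we should patch, most urgent first."""
    today = date.fromisoformat(today_iso)
    matched = match_inventory(kev_entries(feed_json), inventory)
    return [e["cveID"] for e in prioritize(matched, today)]


if __name__ == "__main__":
    print(patch_queue(KEV_FEED, INVENTORY, "2023-03-10"))
```

Point the same logic at the live feed and your real CMDB export to get a queue that only contains vulnerabilities known to be exploited against products you own.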
Education is key when it comes to protecting your devices, data and users. Many cybersecurity companies provide annual reports on the latest threat intelligence and trends in cybersecurity (for example, SonicWall’s 2023 Cyber Threat Report), and these reports can help organizations know what the greatest threats to their particular industry and geographical region are.
Threat actors, nation-states and researchers will continue to search for zero days, and the zero-day economy isn’t going away any time soon. Despite that, with actionable threat intelligence, thoughtful procedures and technology solutions, businesses can gain some peace of mind. While there’s no such thing as guaranteed protection from any cyber threat, businesses who put time and effort into building out a robust cybersecurity program will be much better off than businesses ignoring the threats that are lurking in their own networks.
(The author is Debasish Mukherjee: Vice President, Regional Sales APJ at SonicWall Inc., and the views expressed in this article are his own)