A zero day is an attack that exploits a previously unknown security vulnerability. The creation and distribution of zero days by cybercriminals is on the rise, with 45 new ones already discovered in Q1 2018. According to a recent report from RAND Corporation, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits, “Zero-Day exploits and their underlying vulnerabilities have a 6.9 year life expectancy, on average.” After reading this, I began to wonder whether companies are dramatically underestimating their exposure to this type of threat and the implications of such a long life.
What Are the Implications of the Long Life of a Zero Day?
The long life span of a vulnerability means that even organizations with industry-leading vulnerability management and patching processes in place remain vulnerable. This is true even if you go through the pain of immediately testing and rolling out every patch of critical and important severity (as ranked using Microsoft’s rating system). And if you have ever managed patch management tools and projects, you know how difficult this is, given change control policies, rollback requirements, offline and remote systems, rollout issues and more. Moreover, this involves much more than just patching Windows operating systems: all third-party applications in use within an organization, firmware, and every other operating system (macOS, Linux, UNIX, Android, etc.) may need to be patched as well.
After all is said and done, the “bad guys” can still gain access to an organization’s environment. Is this ability reserved for only a handful of nation-state actors? Not so! According to the RAND research, “…any serious attacker can always get an affordable zero-day for almost any target.” Although the cost may reach millions for very unique targets and environments, the so-called “unicorn exploits”, most zero-day exploits (i.e., a functioning exploit, not just a vulnerability) can be purchased for anywhere between $30,000 and $100,000 on gray and black markets. As the report puts it, “Defenders will always be vulnerable to zero-day vulnerabilities…”
What’s the Best Zero-Day Defense Strategy?
Unfortunately, the chances are high that your organization already has undetected malware leveraging zero-day vulnerabilities, since traditional antivirus and even next-generation antivirus solutions have a hard time detecting threats that differ greatly from what they have seen before. A 6.9 year life span gives a zero day plenty of time to cause significant damage.
It is unrealistic to prevent all zero days from gaining access to your systems, but you can stop the damage using preventive controls that do not depend on detecting the threat. This is what Gartner recommends for preventing highly evasive attacks.