Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

The Zero Day Dilemma

The Zero Day Dilemma

The Zero Day Dilemma

The statement that corporate cyber security is broken has become a cliché, but it’s all too true. If consumers do not trust global brands to keep their data secure, something’s clearly not working. In fact, the digital world has become a very dangerous place. There are literally millions of viruses floating around out there, but the ones that pose the greatest threat are the zero-day attacks, which involve malware that has never been seen before. According to a 2020 report (PDF) from Ponemon Institute, 80 percent of successful breaches are zero day attacks.

The number of these attacks has been steadily growing, from 17 in 2017 to 80 in 2021. Google alone has suffered at least six zero day attacks already this year. And while this trend is alarming, what’s even more disturbing is the highly organized development process behind these attacks that has evolved over time. 

It frequently begins with freelance “bug bounty hunters,” who comb through the code of new software releases by major players looking for vulnerabilities. It’s a little like panning for gold. Vulnerabilities are hard to find, but if you have the right combination of skill and luck, you can definitely strike it rich. One malware vendor — yes, there are “vendors” in this ecosystem — has offered $2.5 million for Android vulnerabilities, and will pay comparable sums for other operating systems and enterprise scale applications. When these organizations get their hands on a vulnerability, they’ll be able to sell it for a lot more. Vulnerabilities that lend themselves to ransomware are especially valuable because most companies that become victims have no choice but to pay.

Why are zero day exploits so effective, and so highly prized by bad actors? The reason has to do with the way cyber security defenses work. Below is a diagram of the kill chain, initially adapted from military strategy by Lockheed Martin for the world of cyber crime.

Cyber Kill Chain Process

In the progression conveyed by this 7-step diagram, the cyber security industry has offered two types of responses. To the left side of the diagram there are preventive responses – attempts to block an intrusion in the first place. One such tactic is to train employees. Don’t click on that suspicious link! The weakness here is that even the most security -conscious employees are human and bound to occasionally make a mistake. 

Another common preventive tactic is to deploy anti-virus software, often marketed in conjunction with email spam blocking. The premise behind this approach is that malware attached to phishing emails can be identified. The problem here is that these solutions ultimately depend on blacklists or patterns based on known attacks in the past. Even with AI, when something entirely new arrives, they have no basis for identifying it. 

Moving further to the right, there are numerous solutions based on detecting anomalous behavior, either in respect to the network (including endpoints), applications or users (either human or computers). It’s important to remember that these systems do not prevent damage. They limit damage. 

It’s somewhat ironic that almost every list of cybersecurity best practices includes one at the very far right: disciplined back-up processes. Reliable backup is a legitimate defense against ransomware, but it’s expensive, time-consuming and provides zero ROI. Also, to be frank, backup is almost always at the bottom of the IT to-do list, it isn’t always tested, and it doesn’t always work.

To sum up, the problem of the zero day attack has not been solved because every approach depends on knowledge of events that have happened in the past, whether it’s known malware or known “normal” network/application behavior that serves as a benchmark for spotting malware-caused anomalies.

The ideal zero day solution would not depend on known bad urls or patterns from the past. It would be able to intercept and evaluate URL clicks at every endpoint, isolate suspicious payloads, and actually see how they behave in isolation before passing them through. Such a solution would operate at the far left of the kill chain like spam/virus blockers, but it would not fail in the face of a zero day attack.

It has long been the conventional wisdom that preventive solutions like this are impossible to build. Now, however, given the power of the cloud, this approach is viable.  Vastly superior preventive technology won’t let companies abandon their other security solutions any time soon, but for once it will put the security community ahead of the bad actors instead of having to play catch-up.  

Written By

Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet