Zero Day vs. One Day: Key Differences & Security Implications
As 2024 draws to a close, businesses face enormous security issues: defective software and an escalation of cyberattacks that threaten their IT systems. In cybersecurity, both one-day and zero-day vulnerabilities have emerged as critical enterprise concerns.
Zero-day attacks often steal the limelight in discussions of cybersecurity threats. Still, known vulnerabilities, or "one-day" flaws, usually become bigger problems for many organizations, particularly within industrial sectors.
While zero-day vulnerabilities are unknown to software developers or hardware manufacturers, one-day flaws are publicly known issues that may or may not have security patches available. There are thousands of known vulnerabilities today, and many large commercial and government organizations find significant exposure within their large network footprints.
How zero-day vulnerabilities affect an organization
A zero-day vulnerability is unknown to the vendor; therefore, no patch or fix is available. The "zero-day" label is about time: the vendor has had zero days to fix the bug before an attacker can exploit it. Discovering zero-day vulnerabilities can be a highly rewarding process.
Vendors often reward hackers financially for finding zero-day flaws because this is a surefire way of informing them about a vulnerability, which they can fix before any actual harm is caused.
On the other hand, malicious hackers often sell zero-day vulnerabilities to cybercrime groups or state-sponsored threat actors. Once these vulnerabilities are purchased, they become highly prized. A single threat actor usually deploys them only once or twice against a few high-value targets to reduce the risk of detection.
One of the most notorious zero-day vulnerabilities to date is CVE-2021-44228, also known as "Log4Shell" or "Log4J." The vulnerability was discovered in Apache Log4j, a widely used logging library.
Threat actors exploited this flaw to run code remotely by manipulating log messages or their parameters, which gave them access to systems and a foothold for malicious activity. The Log4j vulnerability is said to have affected about 93% of enterprise cloud deployments.
In 2023, Progress Software identified a zero-day vulnerability in its MOVEit Transfer product that could be used for privilege escalation, possibly allowing unauthorized access to IT environments.
Even though the vulnerability was discovered and patched within one week, the threat actors exploited it, compromising a substantial amount of personally identifiable information, financial data, sensitive files, and other critical data.
How is a one-day vulnerability different?
One-day vulnerabilities are security flaws for which a mitigation or patch has been developed but not yet applied. The term "one day" refers to the time between the public disclosure of the vulnerability and the application of the patch to the vulnerable system.
These are also known as "n-day" vulnerabilities, since in practice the timeframe is measured in the number of days the vulnerability has gone unpatched. The mean time to patch (MTTP) is typically 60 to 150 days.
Unfortunately, because PoC exploit code is often published early, one-day vulnerabilities tend to be exploited far faster than most organizations can patch their systems. This trend has only worsened over recent months, with researchers and cybersecurity vendors racing to demonstrate their technical capabilities regardless of the resulting harm.
Advanced threat actors reverse-engineer a patch to identify the problem it was intended to fix and develop their exploits from the findings. Less technical actors take advantage of publicly published PoC code, which lets them exploit vulnerabilities they otherwise could not without outside help.
Two recent examples of one-day vulnerabilities are CVE-2024-1708, an authentication bypass vulnerability, and CVE-2024-1709, a path traversal vulnerability, both in ConnectWise ScreenConnect servers.
Various cybersecurity vendors and researchers made PoC exploit codes and technical details public within one day of discovering the vulnerabilities.
This, combined with the ease of finding vulnerable ScreenConnect installations using Internet-based Web scanners, resulted in widespread exploitation, with ransomware and other malware deployed to unpatched servers.
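As an added example that is not part of the original article, the following Python script measures the one-day window described above across a small asset inventory: the days each host has been exposed since disclosure, the mean time to patch over hosts that were actually patched, and a prioritized list of still-unpatched hosts that puts flaws with public PoC code first. All vulnerability records, host names, dates and CVE identifiers are constructed placeholders (the CVE ids are not real advisories).

```python
"""One-day exposure tracking: the window between disclosure and patching.

Added example for this article, not code from the original post. The
vulnerability records, host inventory, dates and CVE identifiers below are
constructed placeholders; a real report would pull them from an advisory feed
and a patch-management inventory.
"""
from datetime import date

TODAY = date(2024, 4, 1)  # constructed "as of" date for the report

# Constructed vulnerability records: when each flaw became public, when the
# vendor patch shipped, and when (if ever) proof-of-concept code was published.
VULNS = {
    "CVE-0000-0001": {"disclosed": date(2024, 2, 19), "patch_available": date(2024, 2, 19),
                      "poc_public": date(2024, 2, 20)},
    "CVE-0000-0002": {"disclosed": date(2024, 3, 1), "patch_available": date(2024, 3, 10),
                      "poc_public": None},
}

# Constructed asset inventory: which hosts carry which flaw and when they were patched.
HOSTS = [
    {"host": "rmm01", "cve": "CVE-0000-0001", "patched": date(2024, 2, 21)},
    {"host": "rmm02", "cve": "CVE-0000-0001", "patched": None},
    {"host": "app01", "cve": "CVE-0000-0002", "patched": date(2024, 4, 30)},
    {"host": "app02", "cve": "CVE-0000-0002", "patched": None},
]


def exposure_days(entry, vulns=VULNS, today=TODAY):
    """Days the host was (or still is) exposed: from disclosure to patch, or to today."""
    end = entry["patched"] or today
    return (end - vulns[entry["cve"]]["disclosed"]).days


def mean_time_to_patch(hosts=HOSTS, vulns=VULNS):
    """MTTP in days over hosts that have actually been patched (None if none have)."""
    done = [h for h in hosts if h["patched"]]
    if not done:
        return None
    return sum(exposure_days(h, vulns) for h in done) / len(done)


def poc_is_public(cve, vulns=VULNS, today=TODAY):
    """True once exploit code for the flaw has been published as of `today`."""
    poc = vulns[cve]["poc_public"]
    return poc is not None and poc <= today


def prioritize(hosts=HOSTS, vulns=VULNS, today=TODAY):
    """Unpatched hosts only: flaws with public PoC first, then by longest exposure."""
    open_hosts = [h for h in hosts if not h["patched"]]
    rows = [{"host": h["host"], "cve": h["cve"],
             "exposure_days": exposure_days(h, vulns, today),
             "poc_public": poc_is_public(h["cve"], vulns, today)} for h in open_hosts]
    return sorted(rows, key=lambda r: (not r["poc_public"], -r["exposure_days"]))


if __name__ == "__main__":
    print(f"MTTP over patched hosts: {mean_time_to_patch():.1f} days")
    for row in prioritize():
        print(row)
```

With the constructed data the MTTP comes out at 31 days, and rmm02 (public PoC, 42 days exposed) is listed ahead of app02 even though both are unpatched; the ordering key is the point, since public exploit code collapses the time a defender has, as the article notes.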
How can you protect your business from zero-day vulnerabilities?
Discovering zero-day vulnerabilities within an environment has always been difficult. For the most part, end users learn of such vulnerabilities only when threat actors exploit them or vendors disclose them. Patching is important for mitigating known flaws, but it cannot fix a zero-day vulnerability.
How, then, do you prevent an actor from exploiting a vulnerability you cannot detect or patch?
1. Proactively search for unusual activities
Proactively search through logs, network data, and other information sources within the environment to identify deviations or suspicious behavior.
While these processes require skilled practitioners, such efforts can uncover signs of zero-day vulnerability exploitation and other potential indicators of compromise, such as unusual network connections, unauthorized user accounts, or harmful files.
Proactive threat hunting analyzes the TTPs employed by known adversaries and focuses on the specific areas most likely to be targeted. This way, hunting hypotheses are aligned with the attacker's perspective.
Incident response teams accumulate a lot of background knowledge from experience over time, which they use to create attack patterns that drive their hunting process.
Proactive threat hunting relies heavily on the hunters' expertise to determine which scenarios and hypotheses to pursue. Developing comprehensive playbooks for these scenarios supports running, refining, and re-running the hunts to maximize the chance of finding unknown compromises.
This can be optimized by running periodic hunts to test various hypotheses. It is also important to re-run the same hunts continuously to validate their results over time, since both the threat landscape and the organization's environment are constantly changing.
It is crucial to inform the vendor promptly once a potential vulnerability is discovered so the flaw can be addressed before more systems are affected.
2. Post-Exploitation Activity Identification
Another approach is to detect the activity commonly observed after a zero-day is exploited, such as credential dumping, privilege escalation, and post-exploitation persistence. This approach works regardless of the attack vector. Still, it is reactive by nature, because it relies on the malicious actor having already gained access to the system. More often than not, further investigation of these post-intrusion activities reveals exactly how the attackers gained entry, whether through a zero-day exploit or another attack vector.
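As an added example that is not part of the original article, the following Python script applies both approaches above (section 1's hunt for unusual connections and unauthorized accounts, and section 2's post-exploitation detection) to a handful of constructed endpoint events. The event format, field names, per-host baselines and every sample event are constructed for illustration; the ATT&CK technique labels attached to each rule are the editor's choice, not the article's. The triage step illustrates the article's closing point: once several post-exploitation categories fire on one host, the earliest finding is the place to start reconstructing the entry vector.

```python
"""Hunting and post-exploitation triage over constructed endpoint events.

Added example for this article, not code from the original post. Event format,
field names, baselines and sample events are all constructed; real telemetry
(Sysmon, EDR, auditd) needs its own parser in place of parse_events().
"""
import json
from collections import defaultdict

# Constructed sample telemetry: one JSON event per line, in time order.
SAMPLE_EVENTS = r'''
{"ts": "2024-11-02T01:12:03Z", "host": "web01", "kind": "net", "proc": "w3wp.exe", "user": "svc_web", "dst": "203.0.113.7", "dport": 4444}
{"ts": "2024-11-02T01:12:09Z", "host": "web01", "kind": "net", "proc": "w3wp.exe", "user": "svc_web", "dst": "10.0.5.20", "dport": 1433}
{"ts": "2024-11-02T01:13:40Z", "host": "web01", "kind": "proc_access", "proc": "cmd.exe", "user": "svc_web", "target": "lsass.exe"}
{"ts": "2024-11-02T01:14:02Z", "host": "web01", "kind": "user_add", "proc": "net.exe", "user": "svc_web", "account": "support2"}
{"ts": "2024-11-02T01:14:05Z", "host": "web01", "kind": "group_add", "proc": "net.exe", "user": "svc_web", "account": "support2", "group": "Administrators"}
{"ts": "2024-11-02T01:15:30Z", "host": "web01", "kind": "schtask", "proc": "schtasks.exe", "user": "support2", "task": "Updater", "command": "C:\\Users\\Public\\u.exe"}
{"ts": "2024-11-02T09:00:11Z", "host": "web01", "kind": "user_add", "proc": "mmc.exe", "user": "helpdesk_admin", "account": "j.doe"}
{"ts": "2024-11-02T09:05:00Z", "host": "db01", "kind": "net", "proc": "sqlservr.exe", "user": "svc_sql", "dst": "10.0.5.30", "dport": 445}
'''

# Constructed baselines: what "normal" looks like for this environment.
KNOWN_DESTINATIONS = {"web01": {"10.0.5.20"}, "db01": {"10.0.5.30"}}
APPROVED_ACCOUNT_CREATORS = {"helpdesk_admin"}
LSASS_EXPECTED_CLIENTS = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "msmpeng.exe"}


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events, known_dst=KNOWN_DESTINATIONS, approved_creators=APPROVED_ACCOUNT_CREATORS):
    """Apply hunting hypotheses and post-exploitation rules; return findings in time order."""
    findings = []

    def flag(ev, category, technique, detail):
        findings.append({"ts": ev["ts"], "host": ev["host"], "category": category,
                         "technique": technique, "proc": ev["proc"], "detail": detail})

    for ev in events:
        kind = ev["kind"]
        # Hypothesis 1: outbound connection to a destination never seen from this host.
        if kind == "net" and ev["dst"] not in known_dst.get(ev["host"], set()):
            flag(ev, "unusual_network_connection", "hunt",
                 f'{ev["proc"]} -> {ev["dst"]}:{ev["dport"]}')
        # Hypothesis 2: account created by someone outside the approved set.
        elif kind == "user_add" and ev["user"] not in approved_creators:
            flag(ev, "unauthorized_account", "T1136", f'{ev["user"]} created {ev["account"]}')
        # Post-exploitation: a non-OS process opening LSASS suggests credential dumping.
        elif (kind == "proc_access" and ev["target"].lower() == "lsass.exe"
              and ev["proc"].lower() not in LSASS_EXPECTED_CLIENTS):
            flag(ev, "credential_dumping", "T1003", f'{ev["proc"]} accessed lsass.exe')
        # Post-exploitation: local Administrators group membership change.
        elif kind == "group_add" and ev["group"].lower() == "administrators":
            flag(ev, "privilege_escalation", "T1098", f'{ev["account"]} added to {ev["group"]}')
        # Post-exploitation: scheduled task whose command lives in a user-writable path.
        elif kind == "schtask" and "\\users\\public\\" in ev["command"].lower():
            flag(ev, "persistence", "T1053", f'task {ev["task"]} runs {ev["command"]}')
    return findings


def triage(findings, min_categories=3):
    """Group findings per host. A host with several distinct categories is escalated,
    and its earliest finding is reported as the likely point of entry to investigate."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    report = {}
    for host, items in by_host.items():
        cats = {f["category"] for f in items}
        first = min(items, key=lambda f: f["ts"])
        report[host] = {
            "escalate": len(cats) >= min_categories,
            "categories": sorted(cats),
            "entry_hint": f'{first["proc"]} at {first["ts"]} ({first["category"]})',
        }
    return report


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = hunt(evs)
    for f in found:
        print(f'{f["ts"]} {f["host"]} [{f["technique"]}] {f["category"]}: {f["detail"]}')
    print(triage(found))
```

On the constructed events, web01 produces five findings across five categories and is escalated; the entry hint points at the web worker process w3wp.exe making the first unusual outbound connection, which is where an analyst would start looking for the exploited flaw. db01 and the help-desk account creation produce nothing, which is the baseline doing its job. The rules are deliberately simple; in a real hunt the baselines come from a period of known-good telemetry, and each hypothesis belongs in a playbook so it can be re-run as the environment changes.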
Best practices for protecting against one-day vulnerabilities
1. Resilient Infrastructure
Resilient infrastructure and vendor-supplied, risk-mitigating patching reduce the risk of one-day exploitation. OS and application owners are increasingly adopting DevOps practices that enable organizations to react quickly to maintenance needs, which is only feasible if the architecture has already been hardened.
Fully restorable systems that follow recommended cybersecurity hygiene standards also support protection against one-day vulnerabilities. This inherent redundancy applies to cloud-based services and, generally, holds for cloud-native architectures as well. Recent incidents underline the value of this robustness. Every organization therefore needs to determine how best to apply a risk avoidance strategy.
2. Patching Alone is Inadequate
One-day vulnerabilities pose a significant problem, often exacerbated by technical complications and slow supply chains. Much can be done within the industry to mitigate this problem.
First, the current reactive strategy of merely patching identified vulnerabilities is unsustainable. Robust security integrated into the software, firmware, and hardware will help reduce the risk of N-day vulnerabilities and other issues and help prevent or mitigate compromises from successful exploitation.
Second, adopt a layered security approach that integrates intrusion detection and mitigation measures, with protection against both known and unknown attacks, without complete dependence on updates. Since most of these features are not yet available, it is up to manufacturers to devise or acquire this technology as soon as possible.
Taking Proactive Cybersecurity Measures
One-day and zero-day vulnerabilities together make up a significant attack vector into systems, bringing devastating financial and reputational losses if they are not remediated accurately and on time. Companies should therefore seek services from experienced security practitioners who specialize in mitigating such vulnerabilities. Security professionals bring extensive knowledge and experience to the organization, discovering many threats well before they can be exploited. Through training and technique, a practitioner knows how to spot aberrant activity, investigate post-exploitation behavior, and configure robust defensive measures. This proactive approach helps patch known vulnerabilities and hardens the organization's infrastructure against future attacks.
Additionally, offensive cyber security includes attack simulation to expose potential weaknesses or vulnerabilities in the target system's technology. Through regular penetration testing and red teaming, a security professional can help discover vulnerabilities that would otherwise escape notice. In this way, the company actively searches for threats and neutralizes them before they can cause damage.
An important implication is that SMBs must decide where to spend their money to protect themselves from cyberattacks. The combined experience and expertise of security professionals significantly extends an organization's capacity to deal with one-day and zero-day vulnerabilities, bringing welcome peace of mind and a more dependable means of fighting emerging threats every day.

Corey Belanger
Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.