zero-day attacks
Information Technology

Easy-to-understand explanation of zero-day attacks | From modus operandi to damage cases and countermeasures

A zero-day attack is a cyber-attack that targets a vulnerability in an OS or software that has insufficient programmatic security (vulnerability) before a patch is released to reinforce that vulnerability. is.

Vulnerabilities inevitably occur in OSs and software that consists of complex programs. When the developer receives a report of a vulnerability from a user, it promptly publishes a patch to fix it.

  • Inevitably there will be a time lag until the patch is released
  • Attackers may find vulnerabilities before developers

For these reasons, there are cases where it develops into a zero-day attack.

A zero-day attack can cause damage such as unauthorized access to take over a computer or internal system, or infection with malware to steal or destroy data.

In today’s IT age, any company is at risk of becoming a target of zero-day attacks.

In the latest ” 10 Major Threats to Information Security 2022 ” announced by the Information-technology Promotion Agency (IPA), the fact that it appeared for the first time and ranked in 7th place shows how many threats we should be prepared for now.

Here are five recommended ways to combat zero-day attacks:

5 Best Ways to Fight Zero-Day Attacks
  • thoroughly implement basic measures
  • Introduce a sandbox environment
  • Encrypt and isolate sensitive information
  • Have a third party confirm the presence or absence of vulnerabilities
  • Introduce EDR products

In this article, we will explain the basic knowledge and countermeasures that you need to know to be able to take appropriate countermeasures against zero-day attacks.

[Contents of this article]

  • What is a zero-day attack?
  • Impact of a zero-day attack
  • Typical examples of zero-day attacks targeting vulnerabilities
  • What to do if you are hit by a zero-day attack
  • How to combat zero-day attacks

By understanding these points, you will be able to correctly understand what a zero-day attack looks like and take necessary countermeasures for your company.

To avoid irreversible situations such as information leaks and system shutdowns, as long as you use IT tools, be sure to understand typical cyberattacks and take proper countermeasures.

1. What is a zero-day attack?

zero-day attacks

A zero-day attack is a type of cyberattack that exploits vulnerabilities (security holes) in operating systems and software.

Zero-day means 0 days.

It is called a zero-day attack because it is launched before the first day (day 0) when the patch, w countermeasure for the vulnerability, becomes available for download.

For example, if a vulnerability is found in the operating system of an internal system, a zero-day attack could steal all the information in the system.

*What is a vulnerability (security hole)?

  • A part where security is low due to program flaws in the OS or software
  • If vulnerabilities (security holes) are left unattended, they can be easily infected with viruses or accessed illegally, so it is necessary to apply correction programs (patches) as soon as possible.
  • In addition, the vulnerability itself is not uncommon, and although there are differences in severity, it is common, so basically it is important to apply it as soon as the developer releases a patch or update.

Zero-day attacks have a unique timing, but the details and routes of attacks are not much different from general cyberattacks. To protect an organization from zero-day attacks, it is important to understand the characteristics and examples of attacks and thoroughly implement basic countermeasures against cyberattacks.

1-1. Why are zero-day attacks troublesome?

Zero-day attacks are often said to be nasty. This is because it is difficult to completely prevent attacks and to quickly notice that an attack has occurred.

Characteristics of zero-day attacks
It is difficult to completely prevent attacks
  • Since the vulnerability is attacked before the fix is ​​released, there are cases where the attack cannot be prevented even if the update is applied frequently.
  • Security software is based on past attack cases, so it may not be able to respond to new types of malware that carry out zero-day attacks.
It is difficult to quickly notice that you have been attacked
  • Security software has a function to detect cyber-attacks, but attacks such as zero-day attacks where the developer’s countermeasures are not in time may not be detected.

To counter zero-day attacks, which are difficult to completely prevent by frequent updates and the introduction of security software, it is necessary to combine fundamental measures such as encrypting important data to be stored. Details of countermeasures will be explained in ” 5. Countermeasures against zero-day attacks “.

1-2. [Latest Trends] Zero-day attacks ranked 7th among the top 10 information security threats

Even in the latest results of IPA’s “Top 10 Information Security Threats,” which are determined based on actual incidents that have a major impact on society, zero-day attacks were ranked 7th for the first time.

[Latest] 10 major information security threats in organizations
First place ransomware
2nd place targeted attack
3rd place The exploitation of supply chain weaknesses
4th Attacks targeting telework, etc.
5th place Information leak by an insider
6th place Attacks at the timing of vulnerability information disclosure
7th place zero-day attack
8th place email scam
9th place IT infrastructure failure
10th Information leakage due to negligence

Any company that uses the Internet and IT tools in its business is subject to zero-day attacks. To avoid unexpected damage, be sure to understand the attack method, etc. properly.

1-3. Common zero-day attack methods

A common zero-day attack method is

(1) Send an email with malware attached

(2) Tampering with the website to trick the viewer into downloading a file containing malware

There are two types of

Typical methods of zero-day attacks
(1) E-mail with malware attached
  • There are two types of attacks: scatter attacks and targeted attacks.
  • In the distribution type, emails disguised as business-related emails containing malware are sent to an unspecified number of companies and persons in charge.
  • In the targeted type, emails containing malware disguised as emails from business partners, customers, or acquaintances are sent only to the targeted targets.
(2) Website defacement
  • Website defacement by exploiting website vulnerabilities
  • Downloading malware just by accessing it, or setting up a link to download malware

In zero-day attacks, the malware installed in these emails and websites is of the type that targets vulnerabilities before the patch is released.

Given the standard attack methods,

  • Do not open e-mail attachments carelessly, even if they are from acquaintances such as business partners.
  • Do not open websites that are not related to work

Such self-defense measures can be effective.

2. Two types of damage caused by zero-day attacks

zero-day attacks

The most common types of damage caused by a zero-day attack are (1) unauthorized access and (2) malware infection.

Specific examples of zero-day attacks
(1) Unauthorized access 【Concrete example】

  • Unauthorized access and hijacking of internal systems and distribution of malware to all devices connected to the system
  • Unauthorized access to VPN equipment and stealing authentication information
[Case example]
A specific shared folder was attacked by a zero-day attack, and as a result of unauthorized access, the personal information of 200 people was leaked. In this case, a vulnerability was targeted that the developer was not yet aware of.
(2) Malware infection 【Concrete example】

  • Infect with malware and steal customer information
[Case example]
A large-scale incident occurred in which a manufacturer was hacked into its internal system by a zero-day attack, resulting in the leakage of thousands of personal information. In this case, the attacker used a zero-day attack to infiltrate the internal system and then spread malware throughout the company through the system to steal a large amount of information.

In this way, if zero-day attacks cannot be completely prevented, there is a risk of various damages occurring, such as the system becoming unusable, being hijacked, and information being leaked.

3. Three programs that are likely to be targeted by zero-day attacks and countermeasures

Typical examples of programs targeted for vulnerabilities in zero-day attacks so far include:

Specific examples of programs targeted for vulnerabilities in zero-day attacks
  • OS
  • Web browser
  • server software

Large-scale zero-day attacks tend to occur in open-source programs and programs with many users and products.

Given this trend,

  • Actively adopting open source programs
  • Digitization is progressing rapidly
  • We are promoting a work style that is not bound by location, making use of the Internet such as telework.

It can be said that such companies tend to be more likely to be targets of zero-day attacks.

Now, let’s take a closer look at each program targeted for the vulnerability.


By zero-day attacking OS vulnerabilities, you can create a backdoor and hijack devices. For example, it would be possible to:

  • Hijacking a computer to extract information or spread malware
  • abuse your webcam
  • Check your router credentials

[How to counter such threats? ]

  • Thorough basic security measures such as installing security software and prompt OS updates
  • Regularly check information about vulnerabilities and cyberattacks
  • Understand what software is used in which devices you own, and understand the scope of impact of zero-day attacks
  • Monitor network activity daily

3-2.Web browser

The web browsers you open when browsing the Internet have been targeted by zero-day attacks many times in the past.

Examples of zero-day attacks targeting vulnerabilities in web browsers include attempts to hijack PCs of online exchanges by combining them with targeted email attacks.
At this time, the exchange side responded promptly, so I got it without incident.

Even web browsers developed and provided by major companies are no exception, and if a vulnerability is exploited, the connected computer will also be at risk, so caution is required.

[How to counter such threats? ]

  • Keep track of web browser usage across your organization
  • Gather information about vulnerabilities in your web browser
  • Thorough basic security measures such as installing security software and prompt OS updates
  • Monitor network connection logs daily

3-3. Server software

Zero-day attacks targeting server software, software that provides various functions and data, such as sending and receiving messages and databases, are also common.

There were signs of a zero-day attack on the server software provided by the manufacturer, which is capable of sending and receiving e-mail. Although the actual damage was not serious, there was a risk of various damages such as setting up a backdoor to steal data and scanning communication contents.

[How to counter such threats? ]

  • Know what software your organization uses
  • Collect information about the vulnerabilities of the software you use
  • Temporarily stop using if you determine that the risk of zero-day attacks is high

4. What to do in the event of a zero-day attack

The initial response when it is discovered that a zero-day attack has been carried out is as follows.

What to do if you are hit by a zero-day attack

1. Disconnect from the network

2. Contact the department that manages security

3. Scan and remove with security software

Whether or not you can take an appropriate initial response will determine whether you can minimize the damage or allow it to expand, so be sure to understand what you should do in normal times.

4-1. Disconnect from network

The first thing to do after a zero-day attack is to disconnect the affected device, site, etc.

Specifically, take the following actions.

  • disconnect from the internet
  • disconnect from the company network
  • If it is a site, it will be closed immediately

In addition to preventing access by attackers, it is also important to prevent the infection from spreading to other devices and users.

4-2. Contact the department that manages security

If you can isolate it from the network and prevent further damage from spreading, contact your company’s security management department as soon as possible.

It is necessary to explain the history from the discovery of the attack to the present and the current response status (such as isolating the attacked terminal) to the management department, but the point is to get the first report as soon as possible.

In the event of malware infection, unauthorized access, or information leakage, it will be necessary to report to the Security Measures Committee, so please discuss with the management department, how to proceed with the response.

You can check the report format and other information on the Information-technology Promotion Agency (IPA) website.

4-3. Scan and remove with security software

Once you have shared the information with the internal security management department, check the detailed infection status and damage status, and if it is infected with malware, etc., remove it. Malware detection and removal can be done with security software and tools.

In some cases, the security software cannot handle it and initialization is required. However, if you initialize it, you can recover the system and devices, and at the same time, traces of intrusion (logs, etc.) will disappear, so please consider it after consulting with the security management department.

In addition, it is important to regularly back up necessary data daily, considering that there are cases where it is initialized after a zero-day attack.

5. How to combat zero-day attacks

zero-day attacks

Here are five recommended ways to combat zero-day attacks:

5 main ways to combat zero-day attacks
  • thoroughly implement basic measures
  • Introduce a sandbox environment
  • Encrypt and isolate sensitive information
  • Have a third party confirm the presence or absence of vulnerabilities
  • Introduce EDR products

Let’s check what kind of measures are taken.

5-1. Thorough implementation of basic measures

The first thing to do is to thoroughly implement the following three basic measures :

  • Apply OS and software updates as soon as they are released
  • Install security software
  • Do not access unknown attachments, links, etc.

If these three are not thoroughly implemented, it will be impossible to prevent cyberattacks in general before zero-day attacks. Let’s remember that “it is important to firmly grasp the basics even in security measures”.

5-2. Install sandbox environment

A sandbox is an area in which the exchange of data with the outside world is strictly controlled. It’s an isolated area, so even if you open data infected with malware, it won’t affect anything outside the sandbox.

Even if you have to open and check data that you are not sure whether it is safe or not, you can safely check it by trying it in the sandbox.

Even if you are told to carefully consider unknown data, in a business environment where you may have no choice but to open it, preparing such a sandbox will provide both safety and convenience.

5-3. Encrypt and isolate important information

To prepare for zero-day attacks, which are difficult to prevent completely, it is essential to have a mechanism to limit the damage in the unlikely event that an attack cannot be completely prevented. Therefore, what you should do is encrypt and isolate important information.

If you have to store data in an area susceptible to zero-day attacks, keep it encrypted. In addition, it is important to store data that should not be exfiltrated in an isolated area, not in an area that is likely to be affected by a zero-day attack.

5-4. Have a third party confirm the presence or absence of vulnerabilities

It is also recommended to have a third party who is familiar with security, such as a professional contractor, check whether there are any vulnerabilities in the current security.

If countermeasures are taken only in-house, there is a danger that fatal vulnerabilities will remain unaddressed from the perspective of hackers who carry out cyber attacks.

If you don’t have a cybersecurity-savvy department in your company, consider a third-party vulnerability assessment.

5-5. Introduce EDR products

In the unlikely event that a zero-day attack cannot be completely prevented, it is safe to install an EDR product as a countermeasure. EDR is an abbreviation for Endpoint Detection and Response, which means a detection and reporting system at the end of the network.

By installing EDR on each device, in addition to detecting and reporting abnormal behavior, it is possible to isolate and stop the system.

Since you can quickly respond to suspicious movements, even if you are attacked by a zero-day attack, you will be able to suppress it immediately.

If you want to always use the cloud with the latest security, please consult NTT East
    • “I want to take security measures casually”

“I want to use cloud services, but I’m worried about whether they can handle zero-day attacks.”

If you think so, we recommend NTT East’s cloud introduction and operation for AWS / Microsoft Azure.

    • NTT East provides a secure connection line in addition to a highly secure cloud, so you can rest assured.
    • For example, we propose optimal solutions for the following needs.
  • I want to be able to access confidential and personal information in the cloud when needed without storing it on my computer.
  • We want to create an environment where employees can securely connect to the company network and work anytime, anywhere.
  • Server information security measures are serious. We want to always have the latest information security environment without any hassle.
    • NTT East has a large number of cloud professionals, including those who are AWS certified, and has a wealth of know-how based on over 150 cloud implementation achievements, so we can build the optimal cloud environment for customer needs. I can do it.
    • In addition, since we build and support solutions for cloud migration and network issues centrally through a single point of contact, we can achieve total security enhancement.
    • In addition, 24-hour, 365-day operation and maintenance support can be used for monitoring, notification, failure reception, primary response, and operation outsourcing. Therefore, it is possible to realize the latest cyber security measures without the labor of the person in charge.
    • Please let us know your concerns and requests regarding security in all areas of terminals, networks, and clouds. With the full support of many cloud professionals enrolled in NTT East, we will build an environment where you can concentrate on your work with peace of mind.
    • Please feel free to contact us.

6. Summary

A zero-day attack is a cyber-attack that exploits a vulnerability in a program before a patch to fix it is released. It is called a zero-day attack because it attacks the 0th day before the 1st day when the patch for the vulnerability becomes available for download.

If zero-day attacks cannot be completely prevented, there is a risk of various damages such as the system becoming unusable, being hijacked, and information being leaked.

Leave a Reply

Your email address will not be published. Required fields are marked *