
Part 1

What Is Meant By A Zero-Day Attack?

The recent spate of zero-day attacks, such as Meltdown and Spectre in early 2018, has put the issue of zero-day threats at the forefront for SecOps teams and security engineers. Despite the increased urgency in understanding the threat itself, there’s still some confusion about what is meant by a “zero-day attack.”

In plain language: 

A zero-day attack is the constant threat of an unknown security flaw in a piece of software or an application. A zero-day attack opens up a window of vulnerability, during which the software can be exploited by malicious actors before anyone realizes the flaw is there, or until a patch can be released. This results in a security event during which attackers could release sensitive corporate data on public file-sharing sites (think the Sony breach in 2014) and/or sustain a multi-year attack campaign (think the Java exploits against Oracle in 2015).

To summarize a typical zero-day scenario: a hacker discovers a zero-day vulnerability, creates a zero-day exploit that leverages that vulnerability, and then launches an attack, bringing us to ‘Day Zero’.

Part 2

Why Zero-Day Attacks Are Dangerous

For obvious reasons, the consequences of zero-day attacks can be severely damaging to businesses: they frequently result in material harm, costing companies millions of dollars, and exposing customers to additional cybersecurity threats.

At Capsule8, we’ve identified 4 major risks that zero-day attacks pose to our customers:


The threat landscape is evolving as global IT infrastructure scales rapidly across hybrid production environments. According to the “2017 Application Security Report” by Cybersecurity Ventures, there are 111 billion new lines of software code created every year. As the attack surface expands, it’s no longer feasible for security teams and organizations to keep up with the sheer volume and frequency of threat vectors. Static Application Security Testing (SAST) alone is no longer a sufficient deterrent against the often daily attacks that systems are exposed to. A hybrid approach that focuses on dynamic testing and on protecting applications in real time needs to be prioritized. A DevOps approach to security is also critical. Studies have shown that teams that build and test their code daily fix vulnerabilities faster than average teams that only build and test 7-8 times a year.

2. Asymmetric Complexity

An asymmetric relationship exists between the attacker and the defender. For starters, the defender (i.e. the security practitioner) must try to defend against all potential vulnerabilities, while the attacker only has to find and attack a single one. What’s worse, it’s getting easier to find and launch an attack. For example, ‘fuzz testing’ for a vulnerability involves simple trial and error, requiring minimal specialized knowledge of the target system; some exploits are also readily available on the black market. In some cases, attacks are being launched based on proofs of concept shared publicly by hacker groups. Meanwhile, the deep security expertise required to defend against these threats is expensive, scarce, and at risk of being overwhelmed by security alerts. Security organizations based on the traditional security operations center (SOC) have proven to be less effective without the proper detection and automation tools at their disposal.

3. Long Tail to Remediation

The window of vulnerability from the time the security team discovers the zero-day attack, routes the alert, runs their risk analysis, and installs the patch can be extremely costly, in terms of budget, time, and risk. What’s more, remediation could turn out to be just as disruptive as the original attack, as certain updates and patches could render some systems unbootable. In some cases, it can take months or even years to remediate the known security issues (think Oracle and the multi-year Java attack campaign in 2015). The 2018 Drupal vulnerability was a more recent case, in which a ‘highly critical’ bug was discovered in the popular open-source content management system (CMS), affecting over one million websites. Despite the fact that a zero-day exploit could be developed “within hours or days,” developers often needed weeks or months to reserve time for core security updates.

4. Cloud-Native and Hybrid Cloud Risks

Traditional enterprise security focused on securing endpoints, segmenting the network, and protecting the perimeter. These concepts may no longer apply to cloud-native and hybrid cloud production environments. According to ESG Research, 42 percent of organizations reported an attack in their hybrid and containerized environments last year, with 28 percent pointing to a zero-day exploit as the origin. As companies move towards deploying more cloud-native workloads to meet customer demand, the challenge of finding new ways to secure these applications becomes critical.

Part 3

Recent Zero-Day Attacks and Lessons Learned

Let’s see how the threat of zero-day attacks manifests itself in the real world, as well as the lessons these events teach us about effective mitigation:

1. Shellshock (2014)
Shellshock was a security bug that caused Bash to unintentionally execute commands embedded in environment variables. The vulnerability allowed an attacker to remotely issue commands on a server through crafted HTTP requests. Anything running Bash that was reachable across the Internet could then be exploited, which included attack surfaces like hardware devices, set-top boxes, laptops, and even telephones.

Lesson Learned: CloudFlare’s analysis of the Shellshock exploitation showed that attackers were much quicker to begin attacking than defenders could even hope to patch. Outside of telling everyone to patch this vulnerability, it would’ve been more effective to have real-time zero-day attack detection that could be deployed faster than mitigations based on patching alone.

2. WannaCry (2017)
WannaCry was a ransomware attack in May 2017, targeting more than 200,000 Windows computers across 150 countries. The attack successfully encrypted files on the PC’s hard drive, making them impossible for users to access. A ransom (payable in bitcoin) was then demanded from users in order to decrypt them. This zero-day attack originated from a known zero-day exploit called EternalBlue. Prior to the outbreak, a patch to protect against the EternalBlue exploit was released by Microsoft, but despite warnings, the attack succeeded because users were slow to update their software, resulting in an estimated $4 to $8 billion worth of damages.

Lessons Learned: Again, WannaCry highlights the limitations of the patch-only approach. It shows us that even when remediation by patching is successful and a patch is released quickly, it doesn’t mean that the security team will: a) understand the severity of the threat and b) risk interrupting or destabilizing the system in order to install the necessary updates.

3. Meltdown and Spectre (2018)
Meltdown and Spectre are two complex processor (CPU) flaws recently disclosed in early 2018 that impacted billions of computers. These flaws allowed malicious code to read and access sensitive data (e.g. private files, passwords, or cryptographic keys) from a system’s memory.

Lessons Learned: These vulnerabilities have existed for decades (since the mid-1990s), and were only recently disclosed. Although vendors including Intel, AMD, Microsoft and Apple have proactively released mitigations in response to these critical threats, making it more difficult for potential attacks as more devices are patched, the question we should be asking is: how many other vulnerabilities or flaws like this have been sitting around for 15 to 20 years?


Part 4

Is Remediation Through Patching Really The Best Defense Against Zero-Day Attacks?

Every new incidence of a “successful” zero-day attack should serve as a reminder that the security tools and approaches being utilized today are both inadequate and quite possibly, obsolete. Zero-day attacks are a dynamic problem based on undiscovered flaws with unknown signatures.

Patching a security vulnerability is like playing catch up - a company has to develop a security patch and make sure that all users download the update. This could take months or even years during which time hackers can continue to exploit that vulnerability. Putting up a static defense using software patches, after much of the damage has already been done, will always be too little, too late.

The three major problems with the patch-only approach are as follows:

1. It leads to negative performance impacts on the business

This is the major pain point for most companies. Going back to the 2018 Meltdown and Spectre examples, vendors like Microsoft introduced mitigations for these vulnerabilities, which included BIOS updates, processor microcode updates, OS updates, and web browser updates. However, they had to halt updates to some AMD-based systems due to the update rendering them unbootable. Initial updates to Ubuntu Linux kernels also experienced similar issues. Imagine installing a software patch that does as much damage to your business as the actual attack.

2. It creates alert fatigue for security teams

One complaint we’ve heard repeatedly is that traditional SOCs are clearly not equipped to handle the barrage of alerts they receive every day. The sheer volume of false positives and low signal-to-noise ratios have made basic-level discovery of potential issues an increasingly manual and time-consuming process.

3. It is reactive and doesn’t prevent future attacks

Consider this hypothetical scenario: a zero-day attack has been detected and the vulnerability is swiftly identified by your SecOps team. A software patch is then installed without any hiccups. It’s clear that a minor miracle has just occurred. Now what? Well, since the next zero-day attack will look nothing like the previous ones, this minor miracle will need to happen over and over again - at an accelerating rate. Which is to say that patch-only strategies are difficult to scale and do not effectively prevent future attacks. And without real-time detection in place that is continuously updated and can be customized for your workloads to identify zero-day attacks, you likely won’t catch them in time to prevent costly impacts to the business.

That being said, most enterprises today operating in complex hybrid cloud environments don’t have the luxury of choosing between prevention (‘catch’) and remediation (‘patch’). At Capsule8, we believe that the choice isn’t binary. Based on customer experience, we’ve found that prevention through real-time zero-day attack detection can augment remediation efforts, leading to a more efficient deployment of security resources.

Part 5

How Zero-Day Attack Detection Compares To Traditional Endpoint Detection and Response (EDR) Solutions

Finally, it’s important to distinguish between zero-day attack detection and traditional endpoint detection and response (EDR). In an industry that’s rapidly shifting to cloud-native and Linux-based microservices, understanding the distinction between the two will help you better realize your company’s security requirements.

1. Zero-day detection is active within the entire production environment while endpoint detection focuses only on the user

Today’s endpoint detection and response (EDR) and endpoint protection platforms (EPPs) focus capabilities at the end user level. This is completely at odds with what many customers are demanding: the ability to reach deeply into the production environment – the heart of the organization itself – to immediately identify and respond to the zero-day threats targeting the very systems that enable a business to operate and thrive. Zero-day detection offers full visibility into production infrastructure - not just at the user level.

2. Zero-day detection resolves the hybrid cloud shortcomings of EDR

To put it bluntly, basic EDR alone simply does not adequately address the requirements of a hybrid production environment. As companies leverage cloud-based, containerized, virtualized and bare metal systems, EDR capabilities are unable to detect attacks with accuracy across these hybrid environments. Moreover, when deployed, EDR cannot scale past a few hundred nodes. And when these solutions are deployed in production, they impose a performance impact that effectively hinders the ability of production environments to operate within your SLAs.

3. Zero-day detection provides the advanced support for Linux that augments traditional EDR solutions

Existing EDR solutions don’t secure Linux-based production infrastructures. Linux is the driving force behind the hybrid cloud infrastructure that drives businesses globally. According to "The State of Cloud Native Security” report, 12 percent of organizations considered zero-day attacks the biggest risk to their production environment.

Unfortunately, there are few EDR solutions on the market today that are focused on protecting the entire Linux stack, leaving a highly vulnerable attack surface exposed to potential zero-day attacks.

Part 6

Creating A Zero-Day Attack Detection Strategy That Works

At its core, zero-day attack detection, when done right, should meet the following requirements: be lightweight, be event-driven, and collect kernel-level data - and do all of this without disrupting the integrity of the production environment.

There are four cornerstones to an effective zero-day attack detection strategy:

1. A continuous security pipeline optimized for SecOps hierarchy of needs

An effective zero-day detection strategy should be tailored towards the priorities of your SecOps team. After listening to our customers, we’ve learned that there’s a distinct hierarchy of needs for the SOC. Building a zero-day solution designed to solve foundational needs means that you free up your security team to address higher-value problems.

Figure 1: The Security Operations Hierarchy of Needs

2. In-depth and real-time visibility across all production environments

This involves establishing an accurate baseline for how the production environment is supposed to behave across multiple public cloud vendors, on-prem data centers and Linux-based containers, and setting up sensors running outside the kernel to detect any anomalies. A recent real-world example was the bug bounty awarded to a contributor who discovered an exploitable instance of ImageTragick in Facebook. It clearly illustrates how behavioral security monitoring can detect attempted exploitation of shell command vulnerabilities. In the case of ImageTragick, the vulnerability was verified only when the researcher attempted to tunnel the output from their injected commands over DNS requests.

But here’s the real headline: zero-day behavioral-based detection of a major vulnerability affecting millions of sites (and in this case, outsourced through a bug bounty program) - cost Facebook a mere $40,000 to mitigate.
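As an added illustration of the behavioral monitoring described here (and of the Shellshock case in Part 3), the following is example code written for this page, not Capsule8’s detection logic: it walks a constructed stream of process-execution events of the kind a kernel-level sensor reports and flags a shell spawned by an image-processing program, a DNS tool launched from that process tree, and a Bash process started with a Shellshock-shaped environment variable. The event format, process names and sample values are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ExecEvent:
    """One process-execution event as an (assumed) sensor might report it."""
    pid: int
    ppid: int
    comm: str                      # program name, e.g. "convert" or "sh"
    argv: list
    env: dict = field(default_factory=dict)


IMAGE_PROCESSORS = {"convert", "magick", "identify", "mogrify"}
SHELLS = {"sh", "bash", "dash", "zsh"}
DNS_TOOLS = {"nslookup", "dig", "host"}


def is_shellshock_env(env):
    """Shellshock-style exported function: a value beginning with '() {'.
    Ordinary software essentially never hands Bash such a variable."""
    return any(v.lstrip().startswith("() {") for v in env.values())


def detect(events):
    """Single pass over the exec stream, keeping a pid -> comm map so each
    child is judged against its parent.  Returns (pid, rule, comm) alerts."""
    by_pid = {}
    tainted = set()            # pids descending from an image processor
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        by_pid[ev.pid] = ev.comm
        if ev.comm in SHELLS and is_shellshock_env(ev.env):
            alerts.append((ev.pid, "shellshock-env", ev.comm))
        if parent in IMAGE_PROCESSORS or ev.ppid in tainted:
            tainted.add(ev.pid)
        if ev.comm in SHELLS and parent in IMAGE_PROCESSORS:
            alerts.append((ev.pid, "image-processor-spawned-shell", ev.comm))
        if ev.comm in DNS_TOOLS and ev.ppid in tainted:
            alerts.append((ev.pid, "dns-tool-in-image-pipeline", ev.comm))
    return alerts


# Constructed sample stream: a thumbnailing job that spawns a shell and a
# DNS lookup (ImageTragick-style), a benign convert, a CGI Bash with a
# Shellshock-shaped header variable, and a benign interactive Bash.
SAMPLE_EVENTS = [
    ExecEvent(100, 1, "convert", ["convert", "upload.jpg", "thumb.png"]),
    ExecEvent(101, 100, "sh", ["sh", "-c", "nslookup x.example"]),
    ExecEvent(102, 101, "nslookup", ["nslookup", "x.example"]),
    ExecEvent(200, 1, "convert", ["convert", "a.png", "b.png"]),
    ExecEvent(300, 250, "bash", ["bash", "cgi.sh"],
              {"HTTP_USER_AGENT": "() { :; }; echo test"}),
    ExecEvent(400, 1, "bash", ["bash", "-c", "ls"], {"HOME": "/root"}),
]

if __name__ == "__main__":
    for pid, rule, comm in detect(SAMPLE_EVENTS):
        print(f"pid {pid} ({comm}): {rule}")
```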

3. Automated alert response to reduce false positives

Zero-day detection strategies can help augment traditional approaches through advanced security monitoring and automating real-time responses, thereby reducing the number of false positives for better detection outcomes. It’s important that you have the ability to customize alerting by host and/or workload.

4. Minimal disruption to production at scale

A shortcoming of many traditional endpoint detection solutions on the market is that they can fall down in production after scaling to only a couple hundred servers. Meanwhile, zero-day detection can scale to support thousands of servers.

Part 7

Capsule8’s Unified Cloud-Native Solution Against Zero-Day Attacks

We at Capsule8 have seen that it’s not ideal to perform generic detection of zero-day attacks at the network and endpoint levels, due to the evolving nature of the threat landscape. But we’ve already developed practical strategies for detecting them, which we’ve implemented on Linux systems.

Figure 2: Capsule8 Product Alert Details for Real-Time Kernel Exploitation

By practical, we mean:

Advanced: Capsule8’s advanced detection strategies, which are continually updated by our team of security researchers and data scientists, allow for fast and accurate discovery of the latest zero-day attacks.

Easy to Deploy and Manage: Capsule8’s agent is a single static Go binary that is portable and easy to install and to update through a wide variety of orchestration mechanisms.

Compatible: Our approach enables a single solution across several Linux deployments—dating back to the Linux 2.6 kernel—and will support your existing environment, including bare metal, public or hybrid cloud, containers, virtualized servers, etc.

Stable: Detection runs in userland, and collects kernel-level data (as opposed to in-line data) without the need for a kernel module.

Efficient: Sensors run with minimal CPU overhead.

Resource-Effective: The advanced detection intelligence in the Capsule8 Platform delivers very few false positives and negatives. This results in easy-to-manage alerts that you can act upon quickly.
