Disambiguate “Zero-Day” Before Considering Countermeasures

“Zero-day” is the all-powerful boogieman of the information security industry. Too many of us invoke it when discussing scary threats against which we feel powerless. We need to define and disambiguate this term before attempting to determine whether we’ve accounted for the associated threats when designing security programs.

Avoid Zero-Day Confusion

I’ve seen “zero-day” used to describe two related, but independent concepts. First, we worry about zero-day vulnerabilities—along with the associated zero-day exploits—for which we have no patch. Also, we’re concerned about zero-day malware, which we have no way of detecting.

These scenarios can represent different threats that often require distinct countermeasures. Let’s try to avoid confusion and FUD by being clear about the type of issues we’re are describing. To do this, in short:

Use “zero-day” as an adjective. Don’t use it as a noun.

This way you’ll be more likely to clarify what type of threat you have in mind.

The term zero-day (sometimes written as “0day”) appears to originate from the software pirating scene, as @4Dgifts pointed out to me on Twitter. It referred to cracked software (warez) distributed on or before its official release date; this is outlined on Wikipedia. By the way, if you like leetspeak, writing “0day” is fine when addressing technologists; stick to “zero-day” if your audience includes executives or business people.

Zero-Day Vulnerabilities and Exploits

Let’s start with zero-day vulnerabilities. I came across the following reasonable definition of this term in FireEye’s Zero-Day Danger report, which is consistent with how many other security vendors use this term:

“Zero-day vulnerabilities are software flaws that leave users exposed to cyber attacks before a patch or workaround is available.”

Along these lines, a zero-day exploit is one that targets a zero-day vulnerability.

An alternative definition of a zero-day exploit, which was captured by Pete Lindstrom, is “an exploit against a vulnerability that is not widely known.” (Thanks for pointing me to that source, Ryan Naraine.)

Zero-Day Malicious Software

I’ve encountered numerous articles that ask “What is zero-day malware?” and then confuse the matter by proceeding to discuss zero-day exploits instead. Even FireEye’s report on zero-day vulnerabilities, mentioned above, blurred the topic by briefly slipping into the discussion of zero-day malware when it mentioned that “code morphing and obfuscation techniques generate new malware variants faster than traditional security firms can generate new signatures.”

To avoid ambiguity or confusion, I prefer to use the term zero-day malware like this:

Zero-day malware is malicious software for which there is no currently-known detection pattern.

The word “pattern” includes the various ways in which one might recognize a malicious program, be it a traditional signature, a machine learning model, or behavioral footprints. I think this definition is consistent with the type of malware that Carl Gottlieb had in mind during our discussion on Twitter malware variants that don’t match a known identifier, such as a hash.

Zero-Day Attacks

Another “zero-day” term that security professionals sometimes use in this context is zero-day attack. Such an assault is reasonably defined Leyla Bilge and Tudor Dumitras in their Before We Knew It paper:

“A zero-day attack is a cyber attack exploiting a vulnerability that has not been disclosed publicly.”

However, what if the attack didn’t involve zero-day vulnerabilities, but instead employed zero-day malware? We’d probably also call such an incident a zero-day attack. Ambiguity alert!

Unless you need to be general, consider staying away from “zero-day attack” and clarify which of zero-day concept you’re discussing.

Avoid the Ambiguity, Save the World

Why worry about “zero-day” terminology? There is an increasingly-acute need for infosec designs that account for attacks that incorporate unknown, previously-unseen components. However, the way organizations handle zero-day exploits will likely differ from how they deal with zero-day malware.

By using the “zero-day” as an adjective and clarifying which word it’s describing, you can help companies devise the right security architecture. In contrast, asking “What is zero-day?” is too ambiguous to be useful.

As I mentioned when discussing fileless malware, I am especially careful with terms that risk turning into industry buzzwords. My endpoint security product at Minerva focuses on blocking unknown malware that’s designed to evade existing defenses, and I want to avoid misrepresenting our capabilities when using the term zero-day. Perhaps this write-up will help my company and other security vendors better explain how we add value to the security ecosystem.

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds creative anti-malware solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more