When it comes to “zero-days,” there is much room for confusion in terms of definition and priority. At FireEye, we follow the industry-standard term of “zero-day attacks.” This term is defined as software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it.
Here is the Wikipedia definition:
“A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch. There are zero days between the time the vulnerability is discovered (and made public), and the first attack.”
Many security researchers identify vulnerabilities – some as a byproduct of attack detection and others as a core focus. With the exception of vulnerabilities identified by black hat hackers for use in attacks, nearly all vulnerabilities are responsibly, and confidentially, sent to the party responsible for the creation of the software so that fixes can be made. These can range from critical holes like those we found exploited in globally popular software like Internet Explorer to the never-exploited ones in rarely used applications.
FireEye has demonstrated unparalleled capabilities finding zero-day exploits that are “in the wild,” meaning the vulnerability is being used by criminals and threat actors for malicious purposes. In 2013, FireEye discovered 11 zero-day exploits that were actively in use by advanced threat actors and has already discovered an additional two in 2014. Zero-day exploits already in use by APT actors represent the most critical cyber threat to the CISOs of organizations. Even if APT actors do not target an organization, other criminal exploit authors will often reverse the zero-day exploit and create their own version before patches can be released.
At FireEye, we examine data from over 2 million virtual machines located in every corner of the globe, resulting in near instantaneous threat intelligence and threat metrics being captured in our Dynamic Threat Intelligence™ (DTI) cloud. This intelligence allows us to evaluate the entire attack life cycle, or “kill chain,” of an attack and view the behaviors of the attacker. FireEye examines all of the tools, tactics and procedures (TTPs) used by attackers to create an initial compromise, establish a foothold, escalate privileges, conduct internal reconnaissance, move laterally, maintain persistence, and finally complete their mission.
Figure 1. The attack lifecycle
Our focus is to create a holistic view towards security at every step in the attack lifecycle, of which identification of zero-day exploits in use by malicious actors plays one component. We also contribute back to the security research community by sharing detailed, comprehensive views on attack lifecycles, for example in Operation Ephemeral Hydra. At FireEye, our defense strategy encompasses all malicious activities you may find on your network, or on your endpoints – including those that leverage zero-day vulnerabilities and those that do not.