Zero Day

By Joseph Mlodzianowski

Published 3:39 (2011/04/24)

Sub-Zero-Day

A Zero-Day attack or threat is defined as a technological threat that tries to exploit an information system’s natural operations, thereby compromising the integrity of the targeted systems. Those “natural operations” of the targeted systems that behave contrary to normal functionality are otherwise classified as “vulnerabilities.” Moreover, said vulnerabilities are unknown to others, including the original designer/author.

Zero-days, or O Days [“Oh Days”], obtained their name from their age. The name is applied to malicious software or hardware used in an attack that occurs before the defenses detect it for the very first time; hence the O Day, or “zero” day, reference. The O Day occurs before the first day, making it the “zero” day of the developer’s, system’s or general awareness of said flaw.

Zero Days are used by attackers to make the technology or systems perform in a manner for which the system was not intentionally developed. Most of the time these flaws are used to gain unauthorized access to technology, systems or data before the developer or software/hardware architect is aware of the problem.

Sub-Zero-Days are flaws discovered by researchers that have no intrinsic value by themselves. However, when combined with targeting and exploit code, they become immeasurably valuable. By themselves they constitute nothing more than a “bug” - like when you click on a function and you receive an “execl PATH_CT, “program” error”.

Just a “bug,” you say. We all know that these bugs are being actively turned into O Days, even as you read this article! So what does this mean to you, and why should you care?

First of all: there are thousands of researchers working around the clock to find the next “O Day”, and others working with them to turn it into an “exploit” to use against a technology (system/hardware/data), which may be deployed at your company, at your home or at some vendor you do business with.

Second of all: those researchers cost money, resources that should otherwise be applied to hiring more personnel or replacing critical company infrastructure.

By gaining early access to these vulnerabilities or “O Days”, the attacker now has the element of surprise: the attack lands before the deployment of the virus detection, signatures, firewall alerting or other security alerting technology that many companies rely on to protect themselves from such threats.

The competitive advantage for the attacker is early access to systems that can yield industrial and/or technology secrets, such as proprietary company products, policies, national politics, military intelligence, and other invaluable information that can be used to make the attacker money.

After a Zero Day is made public, the value of the exploit dwindles fast. The time from the actual sub-zero-day to zero-day to public disclosure can vary from a few minutes to a few months, depending on the number of researchers who look for it, discover it, and publish the information. The technology affected, and even the significance of the issue, can be jaw-droppingly critical, as we saw with the Domain Name Services (“DNS”) flaw a few years ago.

Sub-Zero-Day research is performed by almost every industrial nation; it is performed by the private sector, by terrorist nation states and, more importantly, by cyber criminals.

Don’t think you’re safe: the target isn’t just companies, governments or industry. Many criminals are working to obtain your credit card information, bank account numbers and account access, not to mention your personally identifiable information (PII), which makes the above information worth even more.
