Illusive Blog May 2, 2016

What Do Cyber Attackers Rely On Besides Zero-Day Exploits?

By The Illusive Networks team

cybersecurity breaches

Over the past few years, zero-day attacks, which target software flaws, have generally been thought of as being on the rise. In fact, studies have found that from 2014-2015, the number of zero-day vulnerabilities discovered have increased by 125%.  

However, Rob Joyce, the Head of the NSA’s Tailored Access Operations, recently remarked that contrary to popular opinion, the NSA and other APT attackers don’t rely on zero-day exploits extensively because they no longer have to.


As sophisticated attackers shift their focus from zero-day exploits to other means of launching cybersecurity breaches, CIOs and CISOs should strongly consider implementing more effective prevention and detection solutions.

What’s Behind the Declining Reliance on Zero-Day Exploits?

Joyce explains why zero-day exploits are being used less: “With any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero-days,” he says. “There are so many more vectors that are easier, less risky and quite often more productive than going down that route.” 

Zero-day exploits also tend to be expendable attacks. Once a zero-day starts circulating outside of labs and research facilities, a large percentage of organizations will patch the vulnerability. This may not render the zero-day entirely useless for an attacker (two months after Heartbleed dropped, 50% of vulnerable systems remained unpatched), but it will reduce its efficacy.

The bottom line is that there are more efficient means for cyber attackers to gain access to a network that don’t necessarily carry the same risks as zero-day attacks.

A New Use for Zero-Days in Cybersecurity Breaches

While zero-day attacks are becoming less prevalent in the traditional sense, they still have a role. Today, we are witnessing a growing trend where ethically questionable security companies find zero-days and sell them to intelligence agencies.

For instance, a zero-day vulnerability was found in Adobe’s Flash Player by the Italian IT company Hacking Team, which profits from finding and selling software exploits. 

Another example involves the iPhone of one of the perpetrators of the San Bernardino shootings. A major privacy battle erupted when the FBI demanded that Apple deliberately sabotage the security of the shooter’s iPhone. 

In a substantial leak of Hacking Team’s files, it was shown that zero-day exploits and malicious software were sold to American law enforcement agencies, including the FBI and the DEA. Other clients include organizations in Kazakhstan, Saudi Arabia, Sudan, and Nigeria.

The battle was resolved when the FBI paid professional cyber attackers to crack the phone’s identification number without activating the security feature that would automatically erase its data. The grey hats in question are said to have identified a previously unknown vulnerability in order to breach the phone.

Many have criticized the US government for stockpiling zero-day code to attack its enemies; however, recent insight into zero-day code usage illuminates current policies. 

cybersecurity breaches

When law enforcement acquires a zero-day exploit, policies are in place to balance cybersecurity, information assurance, intelligence counterintelligence, law enforcement, military operations and critical infrastructure protection.

In essence, there’s a great debate between whether zero-day exploits should be used offensively or for cybersecurity breach prevention.

The Current State of Cybersecurity Breaches

When zero-days appear in the wild – as opposed to being purchased by intelligence or law enforcement agencies, they’re mainly used by low-skill attackers who pursue soft targets that fail to patch their systems.

As attackers become increasingly sophisticated, even the lower-skilled hackers realize that successful exploits will require attack vectors that haven’t been identified by the cybersecurity community.

You can’t rely on attackers using the same methods for any length of time, especially when they create upwards of 1 million new pieces of malware every day and persistence becoming the key means of launching a cybersecurity breach.

Rather, IT professionals should focus on finding security tools that can detect and defend against any attacker, regardless of the method being used.

illusive networks® 3.0 with Attacker View goes beyond standard security measures, and allows security professionals to map their networks and expose previously unknown vulnerabilities.

You’ll be able to see unexpected endpoint and server connections, over-privileged users accounts, and proliferated admin accounts, thus allowing you to adjust your defenses against both rare and commonplace attacks.


Recommended reading for you: