Start Now

In this article

5 Ways to Defend Against Zero-Day Malware


April 6, 2021
Last Updated: September 30, 2024
Share on:

In computing, the term zero day refers to the unknown. If a vulnerability, exploit, or threat of any kind is not known to security researchers, it can be classified as a “zero day attack”. 

Threat actors actively look for existing zero day vulnerabilities they can exploit or to create these vulnerabilities. The goal? Launch malware or network attacks while victims are not aware, and are not prepared to protect themselves. 

Zero day malware exploits unknown vulnerabilities. Traditional antivirus solutions rely on known quantifiers such as signature-based methods to detect malware. To protect against the unknown, organizations can leverage next-generation antivirus (NGAV) solutions, which leverage machine learning to detect zero day malware.

What Is Zero Day Malware?

In IT security, the term zero day is used to describe vulnerabilities or threats that are not yet discovered or patched by the vendor or user. This term is used to define vulnerabilities after the fact; usually after a successful or attempted attack is discovered. 

Zero day can also be applied to malware, although it may not be used consistently. Some references to zero day malware define it as malware that is used to exploit zero day vulnerabilities. Other references define zero day malware as malware that is not yet known by the security community or security solutions. This means there are no signatures or hashes that can be used to identify malware.

Based on how the term zero day is used to define vulnerabilities, it is more consistent to use this term to refer to unknown malware. This is because many zero day vulnerabilities can be exploited by well established malware that is repurposed. In these cases, the malware was not created specifically to exploit the unknown vulnerability. This definition of zero day malware (i.e. unknown malware) is the one used in the rest of this article.

Stop advanced cyber
threats with one solution

Cynet’s All-In-One Security Platform

  • Full-Featured EDR and NGAV
  • Anti-Ransomware & Threat Hunting
  • 24/7 Managed Detection and Response

Achieved 100% detection in 2023

review stars

Rated 4.8/5

review stars

2024 Leader

Limitations of Traditional Antivirus Against Zero Day Malware

Traditional antivirus (AV) solutions use signature-based methods to detect malware and attacks. Signatures are strings of characters found in metadata, file names, or inside of files that identify an item as malware or related to malware. This method requires knowing that malware exists, having a sample of malware to pull signatures from, and for solutions to have a list of signatures against which new files are compared. 

Using these methods, legacy AV solutions can detect around 57% of attacks and malware. However, as attackers develop new methods for exploiting vulnerabilities this number is decreasing. New types of malware, such as fileless malware, operate outside of traditional file-based methods, instead relying on scripts, macros, and system processes. Since there is no specific file associated with the malware, no signature can be created.

Because legacy AV solutions rely on signature-based detection, organizations are restricted to only being able to respond reactively. Organizations are also limited to whatever signatures or definitions their solution can ingest. This is fine for traditional malware but is inadequate for modern variations. 

In contrast to legacy AV, next-generation antivirus (NGAV) technology combines machine learning and behavior detection technologies with signature-based methods. These technologies enable NGAV to identify zero day malware and other unknown threats based on suspicious patterns of events. Additionally, because NGAV incorporates machine learning, it is not restricted to reactive protections and can instead investigate activity as it occurs.

Tips From the Expert

In my experience, here are tips that can help you better defend against zero-day malware:

  1. Integrate threat intelligence feeds with NGAV and EDR solutions
    Combining real-time threat intelligence with NGAV and EDR can help preempt zero-day attacks. These feeds can provide indicators of compromise (IoCs) and tactics used in similar attacks, improving detection even before a patch is available.
  2. Utilize memory protection mechanisms
    Zero-day malware often exploits memory-based vulnerabilities. Advanced memory protection tools like Control Flow Guard (CFG) and kernel-based exploit protections can stop attacks that bypass traditional AV solutions by focusing on exploiting system memory.
  3. Deploy deception technologies to trick zero-day malware
    Use deception technologies such as fake files, honeypots, or decoy systems to lure malware into non-critical environments. This can buy valuable time for detection while reducing the chance of real systems being compromised.
  4. Monitor for anomalous data exfiltration patterns
    Zero-day malware often involves data theft as a primary goal. Use behavioral analytics to monitor for unusual outbound traffic, especially in encrypted channels or to non-trusted domains, which could indicate exfiltration attempts.
  5. Automate rapid patch validation processes
    Quickly deploying patches is critical, but so is ensuring they don’t break existing systems. Automate patch validation in a sandbox environment to minimize disruption and ensure zero-day vulnerabilities are closed as soon as a patch is released.

Eyal Gruner is the Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of their security and has been recognized in Google’s security Hall of Fame.

How to Defend Against Zero-Day Malware

The unknown nature of zero day malware makes it unpredictable and challenging to both detect and defend against. To detect this type of threat, you need to implement proactive, in-depth security strategies. Below are a few practices and tools you can use to ensure that your systems are defended against zero day attacks.

How to Defend Against Zero-Day Malware

1. Regularly update your systems

Ensuring that your infrastructure, devices, and applications are up to date is essential to minimizing your risk. Even though zero day threats are by definition not yet patched, older patches may prevent these threats from being exploited. This is also true for zero day malware. Even if malware is unknown, protections against similar, known malware may prevent it from being used successfully.

2. Deploy endpoint protection platforms (EPPs)

Endpoint Protection Platforms are platforms that are designed to layer protections over your endpoints. These platforms often incorporate a range of security tools, including NGAV, web application firewalls (WAFs), and EDR. 

The purpose of endpoint security is to help you centralize your security measures, enabling you to more effectively detect and investigate suspicious events. For example, unexpected processes, transfers of data, or downloads. It enables you to implement both traditional and modern methods of protection and layers reactive and proactive measures for greater security.

3. Deploy endpoint detection and response (EDR)

EDR solutions are proactive monitoring and response solutions that you can use to protect your perimeter and endpoint devices. These solutions specialize in providing visibility into endpoint activity and can enable you to automate responses to suspicious events before an attack occurs. 

These solutions use machine learning and behavioral analysis methods to compare traffic and events to known acceptable and unacceptable behavior. This enables solutions to detect potential threats in real-time, including potential zero day malware. These threats can then be stopped at your perimeter, preventing malware from spreading beyond the affected device.

4. Consider segmenting your networks

Segmenting your network involves applying access controls to isolate your various services and components. It enables you to layer security measures and can significantly reduce the amount of damage a successful attack can cause.

Segmentation can be useful in mitigating the damage caused by zero day attacks since it prevents malware’s spread. When components are segregated, authorization and authentication measures prevent attackers from being able to easily move laterally through networks. 

Additionally, segmentation enables easy sandboxing (strict isolation) of suspicious activity or files. This enables teams to investigate potential zero day malware without affecting the rest of the system.

5. Enforce the principle of least privilege

Regardless of the threats you are trying to protect against, enforcing the principle of least privilege is best practice. This principle requires that you only give users, devices, and applications the most basic permissions they need to operate. By restricting permissions, you limit the actions that can occur and prevent abuse of access.

In cases of zero day malware, minimal privileges are particularly important since this type of malware often exploits root or administrative privileges. By ensuring that only minimum privileges are provided, you can limit the ability of zero day malware regardless of whether it’s detected. 

Learn more in our article about privilege escalation, which explains how threat actors exploit privileges to launch network attacks.

Zero Day Malware Protection with Cynet

The Cynet 360 Advanced Threat Detection and Response platform provides protection against threats including zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans that can evade traditional signature-based security measures.

Block exploit-like behavior

Cynet monitors endpoints memory to discover behavioral patterns that are typical to exploit such as an unusual process handle request. These patterns are common to the vast majority of exploits, whether known or new and provides effective protection even from zero-day exploits.

Block exploit-derived malware

Cynet employs multi-layered malware protection that includes ML-based static analysis, sandboxing, process behavior monitoring. In addition, they provide fuzzy hashing and threat intelligence. This ensures that even if a successful zero day exploit establishes a connection with the attacker and downloads additional malware, Cynet will prevent this malware from running so no harm can be done.

Uncover hidden threats

Cynet uses an adversary-centric methodology to accurately detect threats throughout the attack chain. Cynet thinks like an adversary, detecting behaviors and indicators across endpoints, files, users, and networks. They provide a holistic account of the operation of an attack, irrespective of where the attack may try to penetrate.

Accurate and precise

Cynet uses a powerful correlation engine and provides its attack findings with near-zero false positives and free from excessive noise. This simplifies the response for security teams so they can react to important incidents.

You can carry out automatic or manual remediation, so your security teams have a highly effective yet straight-forward way to detect, disrupt, and respond to advanced threats before they have a chance to do damage.Learn more about Cynet’s Next-Generation Antivirus (NGAV) Solution.

How would you rate this article?

Let’s get started!

Ready to extend visibility, threat detection and response?

Get a Demo

Search results for: