Zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties

responsible for patching or otherwise fixing the flaw. The term zero day may refer to the
vulnerability itself, or an attack that has zero days between the time the vulnerability is
discovered and the first attack. Once a zero-day vulnerability has been made public, it is known
as an n-day or one-day vulnerability.
Ordinarily, when someone detects that a software program contains a potential security issue,
that person or company will notify the software company (and sometimes the world at large)
so that action can be taken. Given time, the software company can fix the code and distribute a
patch or software update. Even if potential attackers hear about the vulnerability, it may take
them some time to exploit it; meanwhile, the fix will hopefully become available first.
Sometimes, however, a hacker may be the first to discover the vulnerability. Since the
vulnerability isn't known in advance, there is no way to guard against the exploit before it
happens. Companies exposed to such exploits can, however, institute procedures for early
detection.
Security researchers cooperate with vendors and usually agree to withhold all details of zero-
day vulnerabilities for a reasonable period before publishing those details. Google Project Zero,
for example, follows industry guidelines that give vendors up to 90 days to patch a vulnerability
before the finder of the vulnerability publicly discloses the flaw. For vulnerabilities deemed
"critical," Project Zero allows only seven days for the vendor to patch before publishing the
vulnerability; if the vulnerability is being actively exploited, Project Zero may reduce the
response time to less than seven days.
Zero-day exploit detection
Zero-day exploits tend to be very difficult to detect. Antimalware software and some intrusion
detection systems (IDSes) and intrusion prevention systems (IPSes) are often ineffective
because no attack signature yet exists. This is why the best way to detect a zero-day attack is
user behavior analytics. Most of the entities authorized to access networks exhibit certain
usage and behavior patterns that are considered to be normal. Activities falling outside of the
normal scope of operations could be an indicator of a zero-day attack.
For example, a web application server normally responds to requests in specific ways. If
outbound packets are detected exiting the port assigned to that web application, and those
packets do not match anything that would ordinarily be generated by the application, it is a
good indication that an attack is going on.
Zero-day exploit period
Some zero-day attacks have been attributed to advanced persistent threat (APT) actors, hacking
or cybercrime groups affiliated with or a part of national governments. Attackers, especially
APTs or organized cybercrime groups, are believed to reserve their zero-day exploits for high-
value targets.
N-day vulnerabilities continue to live on and are subject to exploits long after the vulnerabilities
have been patched or otherwise fixed by vendors. For example, the credit bureau Equifax was
breached in 2017 by attackers using an exploit against the Apache Struts web framework. The
attackers exploited a vulnerability in Apache Struts that was reported, and patched, earlier in
the year; Equifax failed to patch the vulnerability and was breached by attackers exploiting the
unpatched vulnerability.
Likewise, researchers continue to find zero-day vulnerabilities in the Server Message Block
protocol, implemented in the Windows OS for many years. Once the zero-day vulnerability is
made public, users should patch their systems, but attackers continue to exploit the
vulnerabilities for as long as unpatched systems remain exposed on the internet.
Defending against zero-day attacks
Zero-day exploits are difficult to defend against because they are so difficult to detect.
Vulnerability scanning software relies on malware signature checkers to compare suspicious
code with signatures of known malware; when the malware uses a zero-day exploit that has not
been previously encountered, such vulnerability scanners will fail to block the malware.
Since a zero-day vulnerability can't be known in advance, there is no way to guard against a
specific exploit before it happens. However, there are some things that companies can do to
reduce their level of risk exposure.

 Use virtual local area networks to segregate some areas of the network or use dedicated
physical or virtual network segments to isolate sensitive traffic flowing between servers.
 Implement IPsec, the IP security protocol, to apply encryption and authentication to
network traffic.
 Deploy an IDS or IPS. Although signature-based IDS and IPS security products may not
be able to identify the attack, they may be able to alert defenders to suspicious activity
that occurs as a side effect to the attack.
 Use network access control to prevent rogue machines from gaining access to crucial
parts of the enterprise environment.
 Lock down wireless access points and use a security scheme such as Wi-Fi Protected
Access 2 for maximum protection against wireless-based attacks.
 Keep all systems patched and up to date. Although patches will not stop a zero-day
attack, keeping network resources fully patched may make it more difficult for an attack
to succeed. When a zero-day patch does become available, apply it as soon as possible.
 Perform regular vulnerability scanning against enterprise networks and lock down any
vulnerabilities that are discovered.
While maintaining a high standard for information security may not prevent all zero-day
exploits, it can help defeat attacks that use zero-day exploits after the vulnerabilities have been
patched.