
Zero-Day Vulnerabilities: How Can You Prepare for the Unexpected?

Warnings from global cybersecurity agencies have shown how often vulnerabilities are being exploited as zero-days. In the face of such an unpredictable attack, how can you be sure you have a suitable level of protection, and are existing frameworks enough?

Understanding the Zero-Day Threat

It has been almost ten years since cybersecurity speaker and researcher ‘The Grugq’ stated, “Give a man a zero-day, and he’ll have access for a day; teach a man to phish, and he’ll have access for life.”

This line came at the midway point of a decade that had begun with Stuxnet, an attack that used multiple zero-day vulnerabilities. That attack fed a fear of unknown vulnerabilities, which attackers use for a one-off attack on infrastructure or software and against which preparation was apparently impossible.

A zero-day vulnerability is one for which no patch is available, and often the software vendor does not yet know about the flaw. Once used, however, the flaw becomes known and can be patched, giving the attacker a single chance to exploit it.

The Evolution of Zero-Day Attacks

As the sophistication of attacks declined in the late 2010s and ransomware, credential stuffing attacks and phishing attempts were used more frequently, it may feel as though the age of the zero-day is over.

However, this is no time to dismiss zero-days. Statistics show that 97 zero-day vulnerabilities were exploited in the wild in 2023, over 50 percent more than in 2022. It was a ripe time for national cybersecurity agencies to issue a warning about exploited zero-days.

In November, the UK’s National Cyber Security Centre (NCSC) – alongside agencies from Australia, Canada, New Zealand and the United States – shared a list of the top 15 routinely exploited vulnerabilities in 2023.

Why Zero-Day Vulnerabilities Still Matter

In 2023, the majority of those vulnerabilities were initially exploited as zero-days, a significant increase from 2022, when fewer than half of the top vulnerabilities were exploited early.

Stefan Tanase, a cyber intelligence expert at CSIS, says, “Zero-days are no longer just tools of espionage; they are fuelling large-scale cybercrime.” He cites the exploit of zero-days in Cleo file transfer solutions by the Clop ransomware gang to breach corporate networks and steal data as one of the most recent examples.

What Can Organisations Do to Protect Against Zero-Days?

So, we know what the problem is; how do we resolve it? The NCSC advisory strongly encouraged enterprise network defenders to maintain vigilance in their vulnerability management processes, including applying all security updates promptly and ensuring they have identified all assets in their estates.

Ollie Whitehouse, NCSC chief technology officer, said that to reduce the risk of compromise, organisations should “stay on the front foot” by applying patches promptly, insisting upon secure-by-design products, and being vigilant with vulnerability management.

Therefore, defending against an attack in which a zero-day is used requires a reliable governance framework that combines those protective factors. If you are confident in your risk management posture, can you be confident in surviving such an attack?

The Role of ISO 27001 in Combating Zero-Day Risks

ISO 27001 offers an opportunity to ensure your level of security and resilience. Annex A.12.6, ‘Management of Technical Vulnerabilities,’ states that information on technological vulnerabilities of the information systems in use should be obtained promptly to evaluate the organisation’s risk exposure to such vulnerabilities. The company should also take measures to mitigate that risk.

While ISO 27001 cannot predict the use of zero-day vulnerabilities or prevent an attack using them, Tanase says its comprehensive approach to risk management and security preparedness equips organisations to better withstand the challenges posed by these unknown threats.

How ISO 27001 Helps Build Cyber Resilience

ISO 27001 gives you the foundation in risk management and security processes that should prepare you for the most severe attacks. Andrew Rose, a former CISO and analyst and now chief security officer of SoSafe, has implemented ISO 27001 in three organisations and says, “It doesn’t guarantee you’re secure, but it does guarantee you’ve got the right processes in place to make you secure.”

Calling it “a continual improvement engine,” Rose says it works in a loop: you look for vulnerabilities, gather threat intelligence, put it onto a risk register, and use that risk register to create a security improvement plan. Then you take that plan to the executives and take action to fix things or accept the risks.

He says, “It puts in all the good governance that you need to be secure or get oversights, all the risk assessment, and the risk analysis. All those things are in place, so it’s an excellent model to build.”

Following the guidelines of ISO 27001, and working with an auditor such as ISMS to ensure that gaps are addressed and your processes are sound, is the best way to make sure you are prepared.

Preparing Your Organisation for the Next Zero-Day Attack

Christian Toon, founder and principal security strategist at Alvearium Associates, said ISO 27001 is a framework for building your security management system, to be used as guidance.

“You can align yourselves with the standard and do and choose the bits you want to do,” he said. “It’s about defining what’s right for your business within that standard.”

Is there an element of compliance with ISO 27001 that can help deal with zero-days? Toon says it is a game of chance when it comes to defending against an exploited zero-day. However, one step has to involve getting the organisation behind the compliance initiative.

He says if a company has never had any big cyber issues in the past and “the biggest issues you’ve probably had are a couple of account takeovers,” then preparing for a ‘big ticket’ item—like patching a zero-day—will make the company realise that it needs to do more.

Toon says this leads companies to invest more in compliance and resilience, and frameworks such as ISO 27001 are part of “organisations riding the risk.” He says, “They’re quite happy to see it as a bit of a low-level compliance thing,” and this results in investment.

Tanase said part of ISO 27001 requires organisations to perform regular risk assessments, including identifying vulnerabilities—even those unknown or emerging—and implementing controls to reduce exposure.

“The standard mandates robust incident response and business continuity plans,” he said. “These processes ensure that if a zero-day vulnerability is exploited, the organisation can respond swiftly, contain the attack, and minimise damage.”

The ISO 27001 framework provides guidance that keeps a company proactive. The best steps to take are to be ready to deal with an incident, to know what software is running and where, and to have a firm handle on governance.
