Why AMTD Is the Key to Stopping Zero-Day Attacks

To stop zero days, we need to fight fire with fire. Preventing novel attacks, which no one has ever seen, means making your attack surface just as much of an unknown quantity as the threats themselves.

(Credit: Dragon Claws / Alamy Stock Photo)

Zero days are attacks that defenders have had no time to prepare for (hence the name "zero days"). Typically the result of some previously unknown vulnerability, zero days involve undiscovered attack vectors and, by definition, are unpatched by defenders or vendors. When threat actors find these vulnerabilities, they develop and deploy exploits to target them before they can be patched.

Attacks leveraging vulnerabilities are steadily increasing — according to the Verizon 2024 Data Breach Investigations Report, attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach (when compared to previous years) almost tripled (180 percent) from last year.

Because they are an unknown variable until it’s too late, it is effectively impossible to account for the risk specific zero days create in your environment. A bad one, like Log4j or MOVEit, can upend your security program. But it is possible to mitigate the overall threat of zero days. You can do this by removing one of the core levers that every zero-day attack relies on—predictability.

It’s hard to know where a zero-day vulnerability might exist or the pathways any exploit will take into your environment. But it is possible to take away the predictable attack surfaces and security controls that every threat, including tomorrow's most dangerous zero days, rely on. Here's how.

Know That You Are a Target for Zero Days

Zero days used to be a relatively uncommon threat. Expensive to develop and effectively a single-use attack, they were something you worried about if you were a direct target for state-backed threat actors or linked to a highly targeted industry like defense.

Today's zero-day threat environment is a lot more democratic. There are more zero days than ever, and the chances you will encounter one, either directly or via your supply chain, are high. Google researchers reported 97 zero-days observed and exploited in the wild in 2023, compared to 62 in 2022. That represents a 50 percent increase — and that’s just the zero days that security researchers know about.

Recently, we've seen a new wave of zero-day exploits targeting applications from Google Chrome to MoveIT file transfer software to devices using iOS, impacting thousands of businesses, including household names like the BBC and Kaspersky. State-backed adversaries are behind much of this threat, but more zero days are being researched and exploited for profit too. It was rarely the case that zero-day attacks were financially driven, but in 2023, 10 percent were.

We predict that zero-day numbers will keep increasing as the problem of legacy software grows, geopolitical tensions rise, and threat actors invest more resources into crafting attacks.

Zero days are also going to keep causing more damage. With the growth rate of unknown assets (last year, 70% of companies were compromised by an asset they didn't know about) and the snowballing rates of misconfiguration that come with cloud migration, there are more pathways than ever for threat actors targeting unknown vulnerabilities.

Turn the Tables on Zero Days with Preventative Technology

Zero-day exploits are unpredictable for defenders, but they still rely on the attackers’ ability to find a predictable attack surface.

This is because, for zero-day exploits to enable attacks, they need to target an environment where the locations of libraries, functions, variables, and other data segments are similar to systems found elsewhere.

No matter how novel the exploit they use is, all threats need to see an application environment that is laid out predictably. Otherwise, scripts will not work. Threats rely on static environments where assets like hashed passwords are located in particular memory spaces and processes happening in a certain way. Zero days also share a lot in common; two-thirds are likely to use memory corruption.

To prevent zero days, take away the predictability they rely on by arranging your assets into a different layout than their developer expected to encounter. Against an unfamiliar and novel attack surface, even the most dangerous zero-days will not win. The answer to unpredictable attacks is unpredictable defense. 

Making defense dynamic can be automated at the application level using Automated Moving Target Defense (AMTD) technology. A proven security solution, AMTD helps defenders prevent zero-day attacks without relying on spotting threat behavior. AMTD turns visibility into a problem for attackers.

Here’s how: AMTD technology uses polymorphism to create a randomized, dynamic runtime memory environment. Deployable on endpoints and servers, this polymorphism ability creates a prevention-focused solution that constantly moves system resources while leaving decoy traps in their place. What occurs next is that threats see these decoy resources where real ones should be and end up trapped. For users, it’s business as usual because as they don't notice any difference—system performance is unaffected while security teams gain a new layer of preventative telemetry.

Today, more and more companies are turning to AMTD technologies to defeat zero days. In fact,  industry analysts like Gartner suggest that AMTD technology is paving the way for a new era of cyber defense possibilities. That’s because instead of trying to detect zero-day compromise, these technologies prevent exploits from deploying in the first place. Against zero-day attacks, this is the only defensive approach organizations can rely on.

Oren T. Dvoskin is the Product Marketing Director at Morphisec.

Related articles:

About the Author(s)

Oren T. Dvoskin, Product Marketing Director, Morphisec

Oren T. Dvoskin is Product Marketing Director at Morphisec, delivering endpoint protection powered by Automated Moving Target Defense. Before joining Morphisec, Oren was VP of OT & Industrial Cybersecurity marketing at OPSWAT, overseeing the company’s portfolio of OT and ICS security solutions. Previously, Oren held marketing and business leadership positions in cybersecurity, healthcare, and medical devices, with a prior extensive career in software R&D. Dvoskin holds an MBA from the Technion – Israel Institute of Technology, an undergraduate degree in computer science, and graduated from the Israeli Defense Forces MAMRAM programming course.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights