A zero-day vulnerability is one for which no fix is yet available, whether or not it is already known. A vulnerability is a software, firmware or hardware weakness that cyber threat actors can exploit.

ISO 27005, an information security risk management standard, adds that vulnerabilities apply to “anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission”. 

What makes a zero-day known or not?

Knowledge of a vulnerability refers to the manufacturer’s or the cybersecurity community’s awareness of its existence. Most commonly, this is manifested by the assignment of a CVE number to the vulnerability by participating companies and organisations.

What’s a CVE number? 

The CVE (Common Vulnerabilities and Exposures) database is maintained by the MITRE Corporation, a non-profit that acts on behalf of the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA). The list is the main source of data for the US National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST).

An identified CVE may or may not be under active exploitation by ill-intentioned actors (in the wild). This does not change its zero-day status, but it does affect its severity, as reflected in its CVSS score.

What’s a CVSS score? 

The NVD provides a description, potential mitigations and a severity score for each CVE. The score, based on the Common Vulnerability Scoring System (CVSS), uses a severity scale from 0 (none) to 10 (critical).

The CVSS takes into account the intrinsic characteristics of the vulnerability (its ease of exploitation and its potential impact on confidentiality, integrity and availability, known as the CIA triad), as well as temporal and environmental metrics. For instance, a vulnerability may be very impactful (it destroys data) but require physical access to the computer system, which makes it less critical than if it could be exploited remotely.

A Windows 10 vulnerability publicised in September 2021, for instance, abuses a rendering component used by Microsoft Office applications to download malware. Although the attack requires user interaction, it was scored just short of critical because it can be triggered remotely.

How does ISTARI manage zero-day flaws? 

BlueVoyant, an ISTARI portfolio company, offers managed security services and managed risk services (3PR) that help clients maintain a proactive posture and rapidly identify any follow-on activity from the exploitation of zero-day vulnerabilities. 

Managed Security Services: BlueVoyant Security Analysts analyze logs and alerts for evidence of post-exploitation activity, and track vulnerabilities for further information, detection opportunities and any other recommendations they can make to their clients. 

Managed Risk Services (3PR): BlueVoyant Risk Analysts monitor clients’ environments and those of their third parties for evidence of exposure to vulnerabilities, and inform them of any that are present through the standard finding investigation process.