Research from Symantec was published by the ACM on October 16. The research, which was also referenced in articles in SC Magazine and Dark Reading, looks at the prevalence and duration of zero-day attacks. Specifically:
A zero-day attack is characterized by a vulnerability that is exploited in the wild before it is disclosed, i.e., t0 > te. Similarly, a zero-day vulnerability is a vulnerability employed in a zero-day attack. Our goals in this paper are to measure the prevalence and duration of zero-day attacks and to compare the impact of zero-day vulnerabilities before and after t0.
The research in the paper has important implications for business, and for the need for effective patching and defense-in-depth within the enterprise. Specifically, the paper reached the following conclusion:
Zero-day attacks have been discussed for decades, but no study has yet measured the duration and prevalence of these attacks in the real world, before the disclosure of the corresponding vulnerabilities. We take a first step in this direction by analyzing field data collected on 11 million Windows hosts over a period of 4 years. The key idea in our study is to identify executable files that are linked to exploits of known vulnerabilities. By searching for these files in a dataset with historical records of files downloaded on end-hosts around the world, we systematically identify zero-day attacks and we analyze their evolution in time. We identify 18 vulnerabilities exploited in the wild before their disclosure, of which 11 were not previously known to have been employed in zero-day attacks. Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts. However, there are some exceptions for high profile attacks such as Conficker and Stuxnet, which we respectively detected on hundreds of thousands and millions of the hosts in our study, before the vulnerability disclosure. After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude. These findings have important implications for future security technologies and for public policy.
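The measurement described above (first-seen time te of an exploit file versus disclosure time t0, duration t0 - te, hosts affected before and after disclosure) can be reproduced on a small scale. The following is an added example written for this post; it is not Symantec's code or the paper's tooling. The download records, vulnerability identifiers (VULN-A, VULN-B, VULN-C) and disclosure dates are all constructed, and the assumption that each executable has already been linked to a known vulnerability stands in for the paper's file-to-exploit mapping step.

```python
from datetime import date

# Constructed sample data (not from the paper). Each record is an executable
# already flagged as linked to an exploit of a known vulnerability, the host it
# was first seen on, and the date it was first seen there.
# Fields: (file_hash, vulnerability_id, host_id, first_seen)
RECORDS = [
    ("h1", "VULN-A", "host-1", date(2010, 3, 1)),   # seen ~10 months before disclosure
    ("h1", "VULN-A", "host-2", date(2010, 5, 10)),
    ("h2", "VULN-A", "host-3", date(2011, 2, 15)),  # post-disclosure copies
    ("h2", "VULN-A", "host-4", date(2011, 2, 16)),
    ("h2", "VULN-A", "host-5", date(2011, 3, 1)),
    ("h3", "VULN-B", "host-1", date(2011, 9, 1)),   # only seen after disclosure
    ("h3", "VULN-B", "host-6", date(2011, 9, 2)),
    ("h4", "VULN-C", "host-7", date(2009, 1, 20)),  # ~30 months before disclosure
]

# Public disclosure dates t0 for each vulnerability (constructed).
DISCLOSURES = {
    "VULN-A": date(2011, 1, 5),
    "VULN-B": date(2011, 8, 1),
    "VULN-C": date(2011, 7, 20),
}


def first_seen_per_vuln(records):
    """te per vulnerability: earliest date any linked exploit file appeared on any host."""
    te = {}
    for _, vuln, _, seen in records:
        if vuln not in te or seen < te[vuln]:
            te[vuln] = seen
    return te


def find_zero_day_attacks(records, disclosures):
    """Return {vuln: summary} for vulnerabilities exploited before disclosure (te < t0).

    The summary carries the paper's measures: duration of the zero-day window in
    days and the number of distinct hosts (and file sightings) before and after t0.
    """
    te_by_vuln = first_seen_per_vuln(records)
    attacks = {}
    for vuln, t0 in disclosures.items():
        te = te_by_vuln.get(vuln)
        if te is None or te >= t0:
            continue  # never observed, or only after disclosure: not a zero-day attack
        before = [r for r in records if r[1] == vuln and r[3] < t0]
        after = [r for r in records if r[1] == vuln and r[3] >= t0]
        attacks[vuln] = {
            "te": te,
            "t0": t0,
            "duration_days": (t0 - te).days,
            "hosts_before": len({r[2] for r in before}),
            "hosts_after": len({r[2] for r in after}),
            "sightings_before": len(before),
            "sightings_after": len(after),
        }
    return attacks


def mean_duration_days(attacks):
    """Average length of the zero-day window across detected attacks (0 if none)."""
    if not attacks:
        return 0.0
    return sum(a["duration_days"] for a in attacks.values()) / len(attacks)


if __name__ == "__main__":
    found = find_zero_day_attacks(RECORDS, DISCLOSURES)
    for vuln, s in sorted(found.items()):
        print(f"{vuln}: te={s['te']} t0={s['t0']} window={s['duration_days']}d "
              f"hosts before/after={s['hosts_before']}/{s['hosts_after']} "
              f"sightings before/after={s['sightings_before']}/{s['sightings_after']}")
    print(f"mean zero-day window: {mean_duration_days(found):.0f} days")
```

For a defender the useful output is the per-vulnerability window and the before/after sighting counts: a long window with few hosts matches the paper's typical case, while a sharp post-disclosure jump in sightings is the signal that patch latency, not the zero-day itself, is the larger exposure.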
Based on these findings, it will be interesting to see whether technology vendors, programmers, and businesses take this to heart and work harder to bring less vulnerable software and systems to market. Follow-on research from this paper could evaluate the cost impact associated with zero-day attacks, or with vulnerabilities that were left unpatched. The reality is that security is about risk acceptance, and in some cases the cost may be deemed an acceptable risk by some businesses.