The Good News and Bad News About 0-Day Attacks



The team at Google Project Zero deserves a lot more recognition than they receive. Since 2014, they have been systematically studying 0-days (i.e. previously unknown vulnerabilities) to understand this unique cyber threat in depth. They research where 0-days are being found, how hackers are exploiting them, and what trends are developing. And, on an annual basis, they compile their findings into a comprehensive and prescriptive report. The latest report is out, covering attacks throughout 2021, and it has information everyone should be aware of - both good news and bad news.


Bad News – Attacks Have Increased Significantly

There were 58 0-days detected and disclosed in the wild in 2021, the most the Google team has ever recorded. This number is more than double the previous high of 28. Even more alarming, it’s a substantial increase over the 2020 total of 25 0-days. These numbers leave little doubt that 0-days remain a serious threat, and one that could be getting much worse. The 2022 totals seem certain to set new records.


Good News – Detection and Disclosure are Getting Better

The alarming uptick in 0-days could actually be a positive sign according to the Google researchers. They attribute the 2021 totals to improvements in detection – we are catching more 0-days than we could before. They also credit a culture shift around disclosing 0-days. Instead of hiding these flaws away, as was often the case in the past, companies are being upfront about them, pushing the overall total upwards. This would suggest the 0-day problem is not necessarily getting worse but rather that we are starting to see its true scope and scale. That’s progress.


Good News – 0-Days are in a Rut

Last year’s 0-days all share a notable feature: they leverage the same attack surfaces, bug patterns, and exploit techniques that we have seen in the past. Given the large annual total, we would expect to see a number of innovative, unique, and previously unknown tactics in play. That wasn’t the case – only two 0-days in 2021 were considered novel by the Google team. By and large, recent 0-days look a lot like the ones that came before them, which could suggest that hackers lack either the means or the skills to push them in new directions.


Bad News – Old Exploits Remain Potent

Another, arguably more valid way to interpret the lack of innovation in 0-days is that innovation is unnecessary. Existing methods still work, so hackers have little incentive to devise new ones. It has been the goal of developers and cyber defenders to “make 0-days harder” for years now, but that effort seems to have accomplished relatively little: hackers keep returning to the same well instead of being forced back to the drawing board. The huge number of familiar 0-days in 2021 suggests that while detection and disclosure are improving, actual defenses are not, which raises troubling (but important) questions about how we approach this issue.


Preparing for the Future of 0-Days

The Google report makes clear that we have made some progress on 0-days but still have much left to do. The question is how we get from record-high 0-day counts to record lows.

Above all, it will take cooperation, communication, and collaboration among stakeholders inside and outside cybersecurity. 0-days are a complicated beast, both to prevent and to remediate, and one that exceeds what any team, department, or company can address on its own. A culture of mutual defense and shared responsibility has an obvious advantage: it gives the defenders vastly more resources than the attackers could ever muster.

But it all depends on bringing together different ideas, experiences, and perspectives, which is where the vsociety comes in. This social community provides a space for voices from across cybersecurity and the larger tech landscape to unite around issues like 0-days and so much more. The conversation starts here.


Written by Vicarius

Vicarius develops an autonomous vulnerability remediation platform to help security teams protect their assets against software exploitation. Consolidating vulnerability assessment, prioritization, and remediation, Vicarius strengthens cyber hygiene and proactively reduces risk.
