The True Cost of Zero-Day Exploits: A Call for Proactive Cybersecurity
“An ounce of prevention is worth a pound of cure.”
Benjamin Franklin
Today’s cybersecurity focuses on reactive, signature-based prevention. There’s a reason for that. Truly proactive cybersecurity is challenging as cybercriminals are constantly evolving their TTPs to stay ahead of the latest defensive strategies. Novel threats and zero-day exploits are just a reality that we’ve come to accept, but what is the true cost of focusing on reacting to known/confirmed threats rather than more proactive approaches?
Zero-day Exploits Strike Fear - But Not Much Action
In every SOC, in every country, the term "zero-day exploit" strikes fear into the hearts of security professionals, conjuring visions of your company’s name on the evening news, operational shutdowns, leaked data and everything that entails. The impact of zero-day exploits extends beyond the immediate breach, encompassing financial losses, reputational damage, and potential legal ramifications.
In this post, we’ll try to shed light on the true cost and impact of zero-day exploits while exploring the value proactive cybersecurity measures, like our Augur Predictive Intelligence, can provide in reducing the risk and impact of these threats.
Counting the Cost - The Economic Toll of Zero-day Exploits and Novel Threats
A recent post in TechTarget referenced research by threat intel heavyweight Mandiant, stating: "Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost double the number from 2020." The count for 2023 isn’t in yet. According to a post on the Infosecurity Security website, Google’s Threat Analysis Group found 69 zero-days disclosed in 2023, and up until September, 44 had been used in the wild.
Cost Per Attack Is Rising Steadily
According to the Ponemon Sullivan Privacy Report newsletter, the cost of a successful zero-day attack in 2022 averaged $8.94 million once the costs of IT staff resources, end-user productivity, and data theft are factored in. In 2023, the estimated cost of an average cyberattack rose to $13 million.
Zero-day Exploits Are Not One and Done
The Security Intelligence blog provides us with real insight into the impact of a single zero-day: MOVEit (which Augur predicted and defended against). “In May 2023, for example, a Russian ransomware ring was accused of launching a zero-day attack through a flaw in a managed file transfer software called MOVEit Transfer. As is typical for a zero-day vulnerability, it is not a single company that is targeted or impacted, but rather, the attack can affect any organization using the software. In this particular case, the ransomware spread, thanks to an SQL injection issue, and has potentially hit hundreds of organizations, including federal government agencies, universities, banks, and major health networks. In fact, both the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI expect to see a large-scale exploitation of this service,” according to Security Boulevard.
As you can see, there’s a period between when a zero-day starts to be exploited and when patches become available that we call the Patient Zero gap, when all organizations are vulnerable. And even once patches are released, uptake can be slow and uneven. So, for every zero-day exploit, it is safe to say hundreds of organizations will be impacted.
Let’s Do the Math
For 2023, here is a very conservative estimate (given that exploits like MOVEit affect thousands of organizations) of the economic impact of zero-day exploits:
69 exploits × 100 companies per exploit × $13 million average cost = $89 billion
Other Impacts
Back to the fear of being on the news. Business leaders are acutely aware of the reputational damage inflicted by cyberattacks. In a survey conducted by Deloitte, 87% of executives identified reputation as their most significant strategic risk. A zero-day exploit not only jeopardizes customer trust but also erodes the hard-earned reputation of an organization, leading to long-term consequences that extend well beyond the immediate aftermath of an attack. So there’s that.
Forewarned is Forearmed — Augur Is Unique Proactive Protection
Continuing to focus solely on reactive cyber defence simply doesn’t make sense. It ignores everything we know about how threats propagate and addresses only the subset of known threats, leaving us permanently vulnerable to zero-day exploits and novel threats.
Augur’s AI-powered predictive threat intelligence, which identifies the setup of cybercriminal infrastructure and lets you know what IPs you should block, is unique in its ability to protect against zero-day exploits and novel threats proactively.
Our smart behavioral prediction models identify and group threat actors based on patterns of activity. The platform can then predict the source of novel attacks up to 50 days out. We predict over 1 million IPs a year, and, at the time of prediction, these predictions are often ±90% unique compared to other leading threat data sources.
Recently, Augur predicted major elements of the MOVEit, SolarWinds, Log4Shell, Colonial Pipeline and ProxyNotShell hacks months ahead of first reports.
Augur is your early warning system.
It’s your insurance policy against zero-day exploits and novel threats.
And it’s your best investment for staying off the news.
Augur data packages start at $50,000 (threat data only), a small cost to mitigate your zero-day risk. Augur can’t reduce your risk to zero, but just as a seatbelt in a car significantly reduces your risk of death or injury, predictive intelligence proactively reduces your risk of becoming patient zero for the next big exploit.
Get Zero-day Protection Today!
You can learn more about how Augur predicts the future here and how it solves real-world security problems here. If you want to talk to someone about how Augur’s predictive intelligence can improve your overall security posture, email us at augur@seclytics.com.