“One of the reasons you’re seeing more right now is because we’re looking for more,” says Microsoft’s Doerr. “We’re good at shining the spotlight. Now you can learn from what’s going on with all of your customers, and it helps you be smart and fast. Is it a bad idea to see something new instead of 10,000? Affects the customer.”
But reality is more painful than theory. Earlier this year, several hacking groups launched attacks on Microsoft Exchange email servers. What started out as a serious zero-day attack briefly got worse in the period after the fix became available and before users had actually applied it. That gap is a sweet spot that hackers love to hit.
However, as a general rule, Doerr is on target.
Exploitation is becoming more difficult and more valuable
Zero-days may be observed more than ever, but there is one fact that all experts agree on: they are becoming harder and more expensive to pull off.
Better defenses and more complex systems mean that hackers need to do more work to break into targets than they did ten years ago. Attacks are expensive and require more resources. The reward, however, is that with so many companies operating in the cloud, a vulnerability could expose millions of customers to attack.
“Ten years ago, when everything was on-premises, there were so many attacks that only one company had seen,” Doerr says. “And few companies were prepared to understand what was going on.”
Faced with better defenses, hackers often need to combine multiple exploits instead of using just one. These “exploit chains” need more zero-days. Success in finding these chains is also a reason for the jump in numbers.
Today, Daoud said that attackers “will have to take more investment and risk using these chains to reach their goals.”
One of the key clues comes from the rising cost of the most valuable exploits. The limited data available, such as Zerodium’s public zero-day prices, shows that the cost of the best hacks has increased by 1,150% over the past three years.
But even if zero-day strikes are more difficult, demand will increase and supply will outpace. The sky may not have fallen, but it is not a completely sunny day.
2021 breaks the record for zero-day hacking attacks