“Part of the reason you’re seeing more now is because we’re finding more,” says Microsoft’s Doerr. “We’re better at shining a spotlight. Now you can learn from what’s happening at all your customers, which helps you get smarter faster. In the bad situation where you see something new, that will impact one customer instead of 10,000.”
The reality is a lot messier than the theory, however. Earlier this year, multiple hacking groups launched offensives against Microsoft Exchange email servers. What started as a critical zero-day attack briefly became even worse in the period after a fix became available but before users had actually applied it. That gap is a sweet spot hackers love to hit.
As a rule, however, Doerr is spot on.
Exploits are getting harder—and more valuable
Even if zero-days are being seen more than ever, there is one fact that all the experts agree on: they are getting harder and more expensive to pull off.
Better defenses and more complicated systems mean hackers have to do more work to break into a target than they did a decade ago—attacks are costlier and require more resources. The payoff, however, is that with so many companies operating in the cloud, a vulnerability can open millions of customers up to attack.
“Ten years ago, when everything was on premises, a lot of the attacks only one company would see,” says Doerr, “and few companies were equipped to understand what was going on.”
Faced with improving defenses, hackers often must link together multiple exploits instead of using just one. These “exploit chains” require more zero-days. Success at spotting these chains is also part of the reason for the steep rise in numbers.
Today, says Dowd, attackers are “having to invest more and risk more by having these chains to achieve their goals.”
One important signal comes from the rising cost of the most valuable exploits. The limited data available, such as Zerodium’s public zero-day prices, shows as much as a 1,150% rise in the cost of the highest-end hacks over the last three years.
But even if zero-day attacks are harder, the demand has risen, and supply follows. The sky might not be falling—but neither is it a perfectly sunny day.