Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

Solutions for Emerging Risks

Discover tailored resources that translate emerging threats into actionable strategies

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

Responding to Zero Day Threats

Download File
Responding to Zero Day Threats (PDF, 5.07MB)Published: 20 Jul, 2011
Created by
Adam Kliarsky

Used with increasing sophistication, 0day attacks have been essential in successful Advanced Persistent Threat (APT) style attacks making headlines recently. The problem is evident; incident handlers and response teams struggle to identify and respond to unknown threats. This is an issue that plagues organizations of all sizes that rely on signature-based detection mechanisms. Attempting to handle unknown threats without a systematic plan will fail. It is imperative that incident handlers and response teams have a methodology to be able to respond to unknown or unidentified threats to protect the critical assets and data that businesses rely on. While some vendors claim their product is the solution to identify unknown issues, relying on a single solution creates a single point of failure. With complex attacks and sensitive data, this single point of failure could be detrimental. This paper will discuss integrating specific techniques into the preparation, identification, and containment phases of incident response to address the current problem.

Additional resources

Hashing and Digital Evidence – Hunting

WhitepaperDigital Forensics and Incident Response
  • 8 Jul 2025

SANS 2025 CTI Survey Webcast & Forum: Navigating Uncertainty in Today’s Threat Landscape

WhitepaperDigital Forensics and Incident Response, Security Awareness, Cybersecurity and IT Essentials
  • 20 May 2025
  • Rebekah Brown, Andreas Sfakianakis

Beneath the Mask: Can Contribution Data Unveil Malicious Personas in Open-Source Projects?

WhitepaperArtificial Intelligence, Digital Forensics and Incident Response
  • 13 May 2025
  • SANS Institute

Catching the Hand in the Cookie Jar: Canary Session Cookies

WhitepaperDigital Forensics and Incident Response
  • 17 Apr 2025

A Pebble In the Ocean: Maximizing Log Fidelity In Container Environments

WhitepaperDigital Forensics and Incident Response, Security Awareness
  • 17 Apr 2025

SANS 2025 Threat Hunting Survey: Advancements in Threat Hunting Amid AI and Cloud Challenges

WhitepaperDigital Forensics and Incident Response
  • 13 Mar 2025
  • Josh Lemon

Related courses

  • Slide 1 of 16

    SEC402: Cybersecurity Writing: Hack the Reader

    Essentials
    SEC402Digital Forensics and Incident Response
    FOR528: Ransomware and Cyber Extortion
    • 12 CPEs / 12 Hours (Self-Paced)

    View course detailsRegister
  • Slide 2 of 16

    FOR589: Cybercrime Investigations

    Major UpdatesIntermediate
    FOR589Digital Forensics and Incident Response
    FOR589: Cybercrime Intelligence
    • 5 Days (Instructor-Led)
    • 30 CPEs / 30 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 3 of 16

    FOR585: Smartphone Forensic Analysis In-Depth

    Major UpdatesEssentials
    FOR585Digital Forensics and Incident Response
    FOR585: Smartphone Forensic Analysis In-Depth
    • GIAC Advanced Smartphone Forensics (GASF)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 22 Hands-On Labs

    View course detailsRegister
  • Slide 4 of 16

    FOR608: Enterprise-Class Incident Response & Threat Hunting

    Intermediate
    FOR608Digital Forensics and Incident Response
    FOR608: Enterprise-Class Incident Response & Threat Hunting
    • GIAC Enterprise Incident Responder (GEIR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 5 of 16

    FOR518: Mac and iOS Forensic Analysis and Incident Response

    Intermediate
    FOR518Digital Forensics and Incident Response
    FOR518: Mac and iOS Forensic Analysis and Incident Response
    • GIAC iOS and macOS Examiner (GIME)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 6 of 16

    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

    Intermediate
    FOR508Digital Forensics and Incident Response
    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
    • GIAC Certified Forensic Analyst (GCFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 35 Hands-On Labs

    View course detailsRegister
  • Slide 7 of 16

    FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

    Advanced
    FOR610Digital Forensics and Incident Response
    FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
    • GIAC Reverse Engineering Malware (GREM)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 48 Hands-On Labs

    View course detailsRegister
  • Slide 8 of 16

    FOR578: Cyber Threat Intelligence

    Intermediate
    FOR578Digital Forensics and Incident Response
    FOR578: Cyber Threat Intelligence
    • GIAC Cyber Threat Intelligence (GCTI)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 9 of 16

    FOR509: Enterprise Cloud Forensics and Incident Response

    Intermediate
    FOR509Digital Forensics and Incident Response
    FOR509: Enterprise Cloud Forensics and Incident Response
    • GIAC Cloud Forensics Responder (GCFR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 10 of 16

    FOR528: Ransomware and Cyber Extortion

    Intermediate
    FOR528Digital Forensics and Incident Response
    FOR528: Ransomware and Cyber Extortion
    • 4 Days (Instructor-Led)
    • 24 CPEs / 24 Hours (Self-Paced)
    • Labs: 13 Hands-On Labs

    View course detailsRegister
  • Slide 11 of 16

    FOR577: LINUX Incident Response and Threat Hunting

    newIntermediate
    FOR577Digital Forensics and Incident Response
    FOR577: LINUX Incident Response and Threat Hunting
    • GIAC Linux Incident Responder (GLIR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 12 of 16

    FOR710: Reverse-Engineering Malware: Advanced Code Analysis

    Advanced
    FOR710Digital Forensics and Incident Response
    FOR710: Reverse-Engineering Malware: Advanced Code Analysis
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 12 Hands-On Labs

    View course detailsRegister
  • Slide 13 of 16

    FOR498: Digital Acquisition and Rapid Triage

    Essentials
    FOR498Digital Forensics and Incident Response
    FOR498: Digital Acquisition and Rapid Triage
    • GIAC Battlefield Forensics and Acquisition (GBFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 14 of 16

    SEC403: Secrets to Successful Cybersecurity Presentation

    Essentials
    SEC403Digital Forensics and Incident Response
    FOR500: Windows Forensic Analysis
    • 6 CPEs / 6 Hours (Self-Paced)

    View course detailsRegister
  • Slide 15 of 16

    FOR500: Windows Forensic Analysis

    Essentials
    FOR500Digital Forensics and Incident Response
    FOR500: Windows Forensic Analysis
    • GIAC Certified Forensic Examiner (GCFE)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 22 Hands-On Labs

    View course detailsRegister
  • Slide 16 of 16

    FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

    Advanced
    FOR572Digital Forensics and Incident Response
    FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
    • GIAC Network Forensic Analyst (GNFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister