Analysts: 'Less than zero-day' threats often overlooked

26.10.2006

In many cases, such attacks are going to be hard to stop because they hit flaws no one but the attacker knows about. So companies need to implement measures for quickly identifying such attacks and limiting fallout -- including steps such as network segmentation, traffic filtering and access controls, he said.

Even so, most organizations "are not experiencing pain" from "less than zero-day attacks," Williams said. For the moment, the biggest problem continues to be publicly disclosed flaws for which no patches exist, he said. One example is the Windows Metafile exploit earlier this year. "Most companies don't know how to deal with situations where patches don't exist" for a disclosed vulnerability, Williams said. That inadequacy is far more significant when a nonpublic vulnerability is involved, he said.