RE: Definition of Zero Day Protection

["Joseph Hamm" <jhamm () lancope com>]

Brian,

I agree with your definition of zero day vulnerability.  However, there
seems to be two different definitions in the market when it comes to the
term "zero day exploit."

The original definition, the "hacker" definition, is any exploit that is
written for a previously unknown vulnerability.  That is why it is
called "zero day."  On that day, we all realize that "Hey, that
application was vulnerable!"  These types of exploits are pretty rare.
In most cases, a vulnerability is announced and then exploit code is
written for that vulnerability.  Once the vulnerability is announced, it
is no longer a zero day vulnerability.  Any exploit code written for a
vulnerability after it  has been announced is not a true "0 day" in the
"hacker" sense of the word.

Now, let's talk about the other definition of zero day exploit.  This is
the one that industry marketing has developed and since it is widely
known and commonly accepted, I can't really say that it is incorrect.
However, we must note the difference.  The market commonly defines zero
day exploits as new or undocumented attacks for which a signature or
definition has not been written.  

Now, we must realize that this not only includes the type that I have
previously discussed (the true zero day exploits), but also includes
exploits written for previously KNOWN vulnerabilities.  New variants for
worms and viruses also get lumped into this category.

So, like Brian said, when someone claims their product can protect you
against "zero day" exploits, ask them to define that for you.  You will
most likely get different definitions, but it is important for you to
understand the difference between true "0 day" and the accepted
marketing definition. 

Kind regards,

Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227  (cell)
770.225.6509   (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis.  Visit www.lancope.com.


-----Original Message-----
From: Brian Smith [mailto:bsmith () tippingpoint com] 
Sent: Monday, August 09, 2004 4:45 PM
To: Carey, Steve T GARRISON; Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com
Subject: RE: Definition of Zero Day Protection

It's important to distinguish between zero day exploits
and zero day vulnerabilities.  Zero day exploits exploit a known
vulnerability with a new exploit (like Code Red vs. Code Red II).
Zero day vulnerabilities are flaws in software that no one knows about
except the attacker.

Several products (TippingPoint, MacAfee, ISS, to name a few) can detect
and block zero day exploits by detecting network traffic that tries to
exploit the underlying vulnerability.  These all work by decoding the
application request and checking that the network traffic is attempting
to exploit the underlying vulnerability.

Zero day vulnerabilities are another animal entirely.  These are
detected
(if at all) by noticing statistical or behavioral anomalies.  For
example,
they might detect a sudden surge in UDP traffic destined for a
particular
port, or notice that two machines are starting to communicate on a
port that they've never used before.  There's no known way to surgically
block just the bad traffic in that case.  As Steve says, blocking
traffic
detected by behavioral/statistical anomalies will sometimes block new
applications.

Several products offer mitigation strategies to limit the new traffic's
ability to impact existing applications (e.g., they might rate limit
the UDP traffic to 1 Mbps so it doesn't swamp you network), but I don't
know of any product that can block zero day vulnerabilities with
blocking
legitimate traffic.  If a vendor thinks their product can block zero day
vulnerabilities without blocking legitimate traffic, please post the
details of how your product works.  I'm sure everyone here would
love to get some hard facts on this type of technology.

        Brian Smith

-----Original Message-----
From: Carey, Steve T GARRISON [mailto:steven-carey () us army mil]
Sent: Monday, August 09, 2004 12:27 PM
To: Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com
Subject: RE: Definition of Zero Day Protection


Would say they are 'misguided', they believe it.  But from the different
IDS and IPS systems I have tested and used, the IPS CAN stop attacks,
however, if someone in your organization starts using a new software, it
may get stopped by the IPS.  Also, if the Zero Day Exploit is on the
encrypted side, like ssl, then no it wouldn't stop it.  

There is some new technology being worked concerning Kernel Protection
that comes close, but still is being worked.

The biggest problem with Zero Day Protection is encrypted programs.
Host based programs can work, but still believe that as of today it is
still going to take a human to ensure Zero Day Protection (provided they
have the necessary tools to do it with). 

Steve

-----Original Message-----
From: Teicher, Mark (Mark) [mailto:teicher () avaya com]
Sent: Monday, August 09, 2004 12:14 PM
To: Carey, Steve T GARRISON
Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com
Subject: RE: Definition of Zero Day Protection


Marketing ploy??  You mean marketing people don't state the truth about
Zero Day Protection and how it works ??

/mark

-----Original Message-----
From: Carey, Steve T GARRISON [mailto:steven-carey () us army mil] 
Sent: Monday, August 09, 2004 11:08 AM
To: Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com
Subject: RE: Definition of Zero Day Protection

My own personal opinion, based on 7 years of experience in intrusion
detection, is that it is a marketing ploy.  Only way to ensure Zero Day
Protection is to use a 'suite' of IDS tools and have an analyst looking
at those logs 24/7 to find the Zero Day Exploit.  

Vendors can state they prevent Zero Day Exploits but to do that you can
also stop legitimate traffic.  Maybe sometime in the future that can
happen, but not today.

Steve Carey

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------