Snort mailing list archives

Re: Zero day attack protection


From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 29 Oct 2013 20:23:51 +0000

True zero day protection is very hard. There are some products that claim
to be able to do it (i.e. FireEye
http://www.fireeye.com/blog/corporate/2013/09/needle-in-a-haystack-detecting-zero-day-attacks.html
although they did identify zero days in the wild early in the year in
Java/Flash etc.). I cannot comment on the effectiveness of these types of
solutions though as I haven't used them.

Well researched signatures looking for common features is a good way to do
it, i.e. if an exploit kit has certain characteristics that can be focused
on regardless of the exploit/malware delivered, or anomalies, then that can be
used to identify cases even where unknown attacks are used. In real terms
signature based approaches are always to varying extents reactionary to
observed malicious behaviours, and the same problem affects most if not all
security solutions from AV to IDS; the problem is you don't know what the
bad guy will do next. I think the future though will be combinations of
signature, big data/data mining and machine learning solutions. Personally
I do find the signatures available for Snort are excellent at getting that
unknown, as a lot of other vendors often are very specific to
vulnerabilities, so the actual badness-catching potential of Snort sigs is
very good.

Another example could be generic catch-alls, i.e. outside of Snort and so on
I have other tools; one of them I use is passiveDNS (
https://github.com/gamelinux/passivedns) which I highly recommend to
complement your monitoring. Where it comes into use is:

- being able to maintain a record of DNS logs which is searchable through a
web interface. This is highly useful because it means if you have an alert
you can see specifically what domains were resolved in your network to look
for (full packet capture using OpenFPC or something is better though). This
also means if you have intelligence on an attack you can search for domains
involved to see if you might have been hit and the time frame that the
traffic occurred first. Also because it shows first seen for a domain, if it
is malware it can help you determine the earliest point you should start
looking for that particular CnC.
http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records

- It can use blacklists to alert on (reactionary)

- You can use regex. This is where it gets interesting. For instance using
regex you can look roughly for common patterns in domain generation
algorithms http://www.net-security.org/article.php?id=1844&p=1. I have
regexes for Zeus and generic ones looking at basic patterns (when you start
passiveDNS make sure you use -X 46CDNPRSx to make sure you get NXDOMAINs).
Then I feed that into a SIEM where I further pick out the pattern and make
sure the response is NXDOMAIN. This helped me find unknown Zeus infected
PCs in my network I had no idea were there, as they were not calling out, and
also other malware. As DGAs are more and more prevalent in malware CnC,
using this method could help you detect zero day malware. You can also use
Snort to look for suspicious patterns in NXDOMAINs (look for NXDOMAIN and
then apply regex for patterns).

https://www.damballa.com/downloads/a_pubs/Damballa_Throw-Away_Traffic_to_Bots.pdf
https://www.damballa.com/downloads/r_pubs/Damballa_tdss_tdl4_case_study_public.pdf
https://www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf
http://www.anubisnetworks.com/from-the-botnet-battlegrounds-the-tale-of-unknown-dga17/
https://www.cert.pl/news/4711/langswitch_lang/en
https://www.damballa.com/downloads/r_pubs/RN_DGAs-and-Cyber-Criminals-A-Case-Study.pdf
http://labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/

Hope that helps,
Kevin
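The NXDOMAIN/DGA workflow Kevin describes (regex over passive DNS output, confirm the answer is NXDOMAIN, then pick out the pattern per host in a SIEM), as an added example that is not part of the original post and not code from the passivedns project. It assumes the default `||`-separated passivedns log layout (timestamp||client||server||class||query||type||answer||ttl||count) with the literal string NXDOMAIN in the answer field when `-x` logging is on; the log lines are constructed, the label-feature thresholds (length, vowel/digit ratio, entropy) and the "5 distinct generated-looking NXDOMAINs from one client inside 10 minutes" window are illustrative assumptions rather than anyone's published Zeus regex, and the second-level-label extraction is deliberately naive about multi-label TLDs such as co.uk.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in the assumed passivedns layout:
# timestamp||client||server||class||query||type||answer||ttl||count
SAMPLE_LOG = """\
1383078000.101||10.0.0.5||10.0.0.1||IN||www.example.com.||A||93.184.216.34||3600||1
1383078001.202||10.0.0.7||10.0.0.1||IN||gooogle.com.||A||NXDOMAIN||0||1
1383078002.303||10.0.0.9||10.0.0.1||IN||qkxwrtlpmzvbhdsc.com.||A||NXDOMAIN||0||1
1383078003.404||10.0.0.9||10.0.0.1||IN||ztmwqhvnlrcfkpxb.net.||A||NXDOMAIN||0||1
1383078004.505||10.0.0.9||10.0.0.1||IN||vbkrsnwpqtlxhcgm.info.||A||NXDOMAIN||0||1
1383078005.606||10.0.0.9||10.0.0.1||IN||hgtpmwqzdxlrkcns.biz.||A||NXDOMAIN||0||1
1383078006.707||10.0.0.9||10.0.0.1||IN||pnrkdhsxwtgzlqmc.ru.||A||NXDOMAIN||0||1
1383078007.808||10.0.0.5||10.0.0.1||IN||mail.example.com.||A||93.184.216.34||3600||1
1383078008.909||10.0.0.7||10.0.0.1||IN||a1b2c3d4e5f6g7h8.com.||A||NXDOMAIN||0||1
"""

VOWELS = set("aeiou")
# Generic "looks generated" gate: long, lower-case alphanumeric label (assumed threshold).
LABEL_RE = re.compile(r"^[a-z0-9]{10,}$")


def parse_passivedns(text):
    """Parse passivedns-style lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("||")
        if len(parts) != 9:
            continue
        ts, client, _server, _qclass, query, qtype, answer, _ttl, _count = parts
        records.append({
            "ts": float(ts),
            "client": client,
            "query": query.rstrip(".").lower(),
            "qtype": qtype,
            "answer": answer,
        })
    return records


def second_level_label(fqdn):
    """Label left of the TLD; naive on multi-label public suffixes (co.uk etc.)."""
    labels = fqdn.split(".")
    return labels[-2] if len(labels) >= 2 else fqdn


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def looks_generated(label):
    """Heuristic DGA test: regex gate, then low vowel share or high digit share, plus high entropy."""
    if not LABEL_RE.match(label):
        return False
    n = len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return shannon_entropy(label) >= 3.0 and (vowel_ratio <= 0.2 or digit_ratio >= 0.3)


def suspicious_nxdomains(records):
    """Only NXDOMAIN answers whose second-level label looks generated (the SIEM filter step)."""
    return [r for r in records
            if r["answer"] == "NXDOMAIN" and looks_generated(second_level_label(r["query"]))]


def alert_clients(records, min_domains=5, window=600.0):
    """Per client: alert when >= min_domains distinct suspicious NXDOMAINs fall in a sliding window.
    A single typo or a lone odd lookup never trips this; a DGA burst from one host does."""
    by_client = defaultdict(list)
    for r in suspicious_nxdomains(records):
        by_client[r["client"]].append((r["ts"], r["query"]))
    alerts = {}
    for client, events in by_client.items():
        events.sort()
        for i, (start, _q) in enumerate(events):
            seen = {q for ts, q in events[i:] if ts - start <= window}
            if len(seen) >= min_domains:
                alerts[client] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    recs = parse_passivedns(SAMPLE_LOG)
    for client, domains in alert_clients(recs).items():
        print(f"ALERT {client}: {len(domains)} generated-looking NXDOMAINs: {', '.join(domains)}")
```

The per-client window is the part worth keeping even if you swap in your own regexes: a single generated-looking NXDOMAIN is noise, but several distinct ones from one host in a short span is the sweep a DGA client makes while hunting for its live CnC domain.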
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
