IDS mailing list archives
RE: Definition of Zero Day Protection
From: "Drew Copley" <dcopley () eEye com>
Date: Mon, 9 Aug 2004 10:29:51 -0700
-----Original Message-----
From: Teicher, Mark (Mark) [mailto:teicher () avaya com]
Sent: Sunday, August 08, 2004 6:48 PM
To: focus-ids () securityfocus com
Cc: Seanor, Joseph (Joe)
Subject: Definition of Zero Day Protection

What is Zero Day Protection? I think I understand the definition of Zero Day Exploits. But what is Zero Day Protection? Another marketing blurb, or can vendors actually offer zero day protection?
Systrace is an example of a type of software that can offer zero day protection. http://english.peopledaily.com.cn/200408/07/eng20040807_152156.html (Not to toot our own horn, as we also offer some zero day protection in both Blink and SecureIIS and we are striving hard to offer more...)

Software which is solely signature based cannot do this. Heuristic security software is designed to do this. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=heuristic+AV

So, in this frame, even a new variant of a trojan is "zero day". However, of course, when we say "zero day" we mean unknown true vulnerabilities as opposed to unknown instances of a virus or trojan. There is, however, little practical difference, ultimately.

[Moving on so people might better *understand* zero day *attacks*, which is essential to understanding their protection... and not wishing to get involved in a preliminary discussion of heuristics...]

Anyone that would use a zero day vulnerability (which is still an extremely rare attack) would likely use a new trojan/rootkit or an AV-sanitized variant of an old trojan/rootkit.

It might be noted most people outside of the "bugfinding" [sic] part of the security community tend not to understand zero day attacks. The best examples, and almost the only known examples, are the webdav and scob attacks. It is extremely likely that some other attacks have taken place which no one knows about. Both the scob and webdav attacks were unusually poor in their pulling off, ultimately.

Essentially, such an attack is akin to the attacker having a backdoor in your operating system. Evading detection of this attack without some kind of strong heuristic protection would be almost entirely impossible. Unlike a smooth jewelry or bank heist, because the "theft" is of data, you may never even know you were invaded.

Because of the remoteness of the attacker made possible through the type of attack, the attacker is likely to have plenty of time to make away with their intrusion and data theft. Further, it is extremely simple to route through many systems and provide themselves with other layers of anonymity which would be impossible in a physical intrusion.

Because of these factors and the increasing likelihood of zero day attacks, progress must be made in fighting these kinds of attacks today. Unfortunately, security is usually a reactive endeavour, rather than proactive. (And, proactive security is typically reactive security dressed up so you don't feel so bad.)

These things are not security hype. Neither is protection from them. If a single bugfinder goes "rogue", you will see these kinds of attacks. Likely, as bugfinders tend to be somewhat rogue in the first place, there are a lot more going on than we already know about. And, there is an increasing number of qualified bugfinders. This trend will inevitably increase.

So, no, it is not marketing hype, and yes, it should be a concern. It should be more of an immediate concern for military and financial institutions, as they tend to have more valuable data and are the first targets for most attackers. However, anyone with a credit card database or serious corporate secrets is a possible target.
Thank you for clarifying my confusion /m

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
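As an added illustration of the signature-versus-heuristic point made in the reply above (this is example code written for this archive page, not code from the original post, from eEye or from Systrace itself), the following contrasts an exact-match signature check with a Systrace-style deny-by-default per-program policy on constructed syscall traces. The policy format, the syscall names and paths, and the traces are all simplified constructions for the example; the real Systrace policy syntax is different.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Call:
    """One simplified system-call event (constructed): name and key argument."""
    name: str
    arg: str

# Signature-based detection: one fixed string for one known backdoor (constructed).
KNOWN_SIGNATURES = {"execve:/tmp/known_backdoor"}

def signature_detect(trace: List[Call]) -> bool:
    """True only if some call matches a known signature exactly."""
    return any(f"{c.name}:{c.arg}" in KNOWN_SIGNATURES for c in trace)

# Systrace-style policy for a web server: each permitted syscall carries a
# predicate on its argument; a syscall absent from the policy is denied.
# (Simplified format for illustration, not Systrace's real policy syntax.)
Policy = Dict[str, Callable[[str], bool]]
WEBSERVER_POLICY: Policy = {
    "accept": lambda a: True,
    "open": lambda a: a.startswith("/var/www/"),
    "read": lambda a: True,
    "write": lambda a: a.startswith("socket:"),
}

def policy_enforce(policy: Policy, trace: List[Call]) -> Optional[Call]:
    """Return the first call the policy denies, or None if all are permitted."""
    for c in trace:
        rule = policy.get(c.name)
        if rule is None or not rule(c.arg):
            return c
    return None

# Constructed traces: normal request handling, the known backdoor, and a
# renamed ("AV sanitized") variant that no longer matches the signature.
NORMAL = [Call("accept", "client"), Call("open", "/var/www/index.html"),
          Call("read", "fd3"), Call("write", "socket:4")]
KNOWN_ATTACK = NORMAL[:1] + [Call("execve", "/tmp/known_backdoor")]
VARIANT = NORMAL[:1] + [Call("open", "/etc/shadow"), Call("execve", "/tmp/x")]

def compare(trace: List[Call]) -> dict:
    """Side-by-side verdict: did the signature fire, and what did the policy deny?"""
    denied = policy_enforce(WEBSERVER_POLICY, trace)
    return {"signature": signature_detect(trace),
            "policy_denied": None if denied is None else f"{denied.name}:{denied.arg}"}
```

The signature fires only on the exact known string, so the renamed variant slips past it, while the policy denies the variant at its first out-of-policy call without knowing anything about it in advance.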