RE: Definition of Zero Day Protection

["Drew Copley" <dcopley () eEye com>]

> -----Original Message-----
> From: Teicher, Mark (Mark) [mailto:teicher () avaya com] 
> Sent: Sunday, August 08, 2004 6:48 PM
> To: focus-ids () securityfocus com
> Cc: Seanor, Joseph (Joe)
> Subject: Definition of Zero Day Protection
>
> What is Zero Day Protection, I think I understand the 
> definition of Zero
> Day Exploits.  But what is Zero Day Protection?  Another 
> marketing blurb
> or it can vendors actually offer zero day protection?   

Systrace is an example of a type of software that can offer zero day
protection.

http://english.peopledaily.com.cn/200408/07/eng20040807_152156.html

(Not to toot our own horn, as we also offer some zero day protection in
both Blink and SecureIIS and we are striving hard to offer more...)

Software which is solely signature based can not do this. Heuristic
security software is designed to do this. 

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=heuristic+AV

So, in this frame, even a new variant of a trojan is "zero day".
However, of course, when we say "zero day" we mean unknown true
vulnerabilities as opposed unknown instances of a virus or trojan.

There is, however, little practical difference, ultimately.

[Moving on so people might better *understand* zero day *attacks*, which
is essential to understanding their protection... and not wishing to get
involved in a preliminary discussion of heuristics...]

Anyone that would use a zero day vulnerability (which is still an
extremely rare attack) would likely use a new trojan/rootkit or a AV
sanitized variant of an old trojan/rootkit.

It might be noted most people outside of the "bugfinding" [sic] part of
the security community tend not to understand zero day attacks. 

The best examples, and almost the only known examples are the webdav and
scob attacks. It is extremely likely that some other attacks have taken
place which no one knows about. Both the scob and webdav attacks were
unusually poor in their pulling off, ultimately. 

Essentially, such an attack is akin to the attacker having a backdoor in
your operating system. Evading detection of this attack without some
kind of strong heuristic protection would be almost entirely impossible.

Unlike a smooth jewelry or bank heist, because the "theft" is of data,
you may never even know you were invaded. Because of the remoteness of
the attacker made possible through the type of attack, the attacker is
likely to have plenty of time to make away with their intrusion and data
theft. Further, it is extremely simple to route through many systems and
provide themselves with other layers of anonymity which would be
impossible in a physical intrusion. 

Because of these factors and the increasing likelihood of zero day
attacks, progress must be made in fighting these kinds of attacks today.

Unfortunately, security is usually a reactive endeavour, rather then
proactive. (And, proactive security is typically reactive security
dressed up so you don't feel so bad.)

These things are not security hype. Neither is protection from them. 

If a single bugfinder goes "rogue", you will see these kinds of attacks.
Likely, as bugfinders tend to be somewhat rogue in the firstplace, there
are a lot more going on then we already know about. And, there is an
increasing number of qualified bugfinders. 

This trend will inevitably increase.

So, no, it is not marketing hype, and yes, it should be a concern. It
should be more of an immediate concern for military and financial
institutions, as they tend to have more valuable data and are the first
targets for most attackers. However, anyone with a credit card database
or serious corporate secrets is a possible target.



> Thank you for clarifying my confusion
>
> /m
>
> --------------------------------------------------------------
> ------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world 
> attacks from CORE
> IMPACT.
> Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
> 0708 to learn more.
> --------------------------------------------------------------
> ------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------