Post Script RE: Definition of Zero Day Protection

["Drew Copley" <dcopley () eEye com>]

PS,

I should have also noted to relieve confusion... there are chokepoints
for actual vulnerabilities as well as their exploit code. These
chokepoints can also be gated. In this model... binary examination or
behavior examination... there will be chokepoints, there will be
possibilities for gating these checkpoints, and there will be enough
commonality across malware and vulnerability data to create an effective
gate.

Generally, castrating exploit code will be enough to stop zero day, but
you can never depend on this. You must also attempt to castrate actual
vulnerabilities. One specific example of this performing RFC compliancy
checking, such as what we do with secureiis. Many of our IIS security
vulnerabilities - as many web server security holes - have involved
doing something not RFC compliant. 

Further, there is no rational reason to send a one thousand character
string in many places with web servers. Why allow it? And so on. And so
on. Until you have a fairly broad based system which is actually very
usable.

With subtle configuration errors... such as what is found in many
Internet Explorer holes, it can be more difficult to address the
security hole at the vulnerability level. But, then you still have the
exploit level to rely on. And with these same attacks, you can generally
stop them all across the board on some level. 

Had people merely applied some registry fixes last September, for
instance, they would have been immune to most of the tens of IE attacks
which came in the subsequent ten months. I was literally immune to Scob
because I had already killed these dangerous activex components I never
use. And I was immune already to many other attacks which were floating
around well before Scob. For instance.

I have avoided going too far into specifics, for a number of reasons,
but I believe this covers the general direction enough for the
community. 




> -----Original Message-----
> From: Drew Copley 
> Sent: Monday, August 09, 2004 2:10 PM
> To: 'Teicher, Mark (Mark)'; Drew Simonis; focus-ids () securityfocus com
> Cc: Seanor, Joseph (Joe)
> Subject: RE: Definition of Zero Day Protection
>
> Apart from semantical differences over the term "host based", 
> there are a wide range of heuristic security applications 
> which provide some degree of protection from zero day.
>
> We have, for instance, long used a "class based" system, in 
> SecureIIS, which we have greatly expanded in Blink. We have 
> further added multiple api gating layers and are continuing 
> to greatly expand in this direction. 
>
> Systrace is an example, among many, of api protection 
> systems. There are many products in this class. Most of them 
> have limited but realistic effectiveness against unknown 
> vulnerabilities. How? They limited their potential 
> destructive influence.
>
> In fact, one of our researcher's [now former] did a 
> presentation at Black Hat on breaking some of these systems 
> (Seattle). He showed how a payload could take over a process 
> and spawn new threads, creating an effective sniffer and 
> trojan agent which by all appearances to most api protection 
> systems would be the invaded process -- iis.
>
> Regardless, these systems remain our best direction for 
> complete protection. The hardest trick is not in hardening 
> the system -- it is in allowing the system to be completely 
> hardened and regulated and to have it still be usable.
>
> Heuristic AV has long been in the running, though, and many 
> if not most implementations have detection properties for 
> zero day attacks. AV generally will not be designed to detect 
> all attacks. The malformed packet coming in, might not be 
> detected, the resulting shell code may be. But, the webpage, 
> email, or IM is very likely to be detected. 
>
> Heuristic AV has many problems, however. It is "work in 
> progress". I made such an agent -- it profiled binaries by 
> apis they used and certain signatures, such as those for 
> encrypted or packed binaries. Effectively, I was trying to do 
> what I did manually. And, to some success. The reasoning is 
> rather simple, if you look at your most common trojan and 
> malware agents and look for the commonality there. Granted, 
> many virii, unfortunately, do not have any such common api 
> traits... and it is always possible not to use typical apis 
> or apis at all to cause damage.
>
> BTW, I mentioned "class based systems". What is that? 
> Ultimately, it fits in with the "commonality" I was just 
> mentioning. There are certain commonalities we can find in 
> shell code, in virii, in trojans. I like to call them 
> "chokepoints", and I like to "gate" these chokepoints. 
>
> For instance, spyware. A vast majority of spyware uses the 
> BHO registry key. Many use the run registry key on top of 
> that. One can harden these keys and typically detect and 
> therefore eliminate every spyware which attempts to use 
> either of these keys -- they are rare enough outside of the 
> malware world that one might do this.
>
> There are many such chokepoints or commonalities to be found 
> which can be used as a guide. The trick is to reduce false 
> positives and keep the system usable. 
>
> **FYI, I will be unable to answer replies, no offense 
> intended to anyone that might do this. I believe this post 
> was comprehensive.
>
>
>
>
> > -----Original Message-----
> > From: Teicher, Mark (Mark) [mailto:teicher () avaya com] 
> > Sent: Monday, August 09, 2004 12:15 PM
> > To: Drew Simonis; focus-ids () securityfocus com
> > Cc: Seanor, Joseph (Joe)
> > Subject: RE: Definition of Zero Day Protection
> >
> > Drew,
> >
> > What host based products would fit this category based on the 
> > definition
> > ??  Do they really work ??
> >
> > -----Original Message-----
> > From: Drew Simonis [mailto:simonis () myself com] 
> > Sent: Monday, August 09, 2004 01:07 PM
> > To: Teicher, Mark (Mark); focus-ids () securityfocus com
> > Cc: Seanor, Joseph (Joe)
> > Subject: Re: Definition of Zero Day Protection
> >
> >
> > ----- Original Message -----
> > From: "Teicher, Mark (Mark)" 
> > Date: Sun, 8 Aug 2004 19:47:48 -0600
> > Subject: Definition of Zero Day Protection 
> >
> > > What is Zero Day Protection
> >
> > It is, as you stated, another marketing blurb, but it isn't 
> just that.
> > Usually, this bit of jargon is applied to a 
> > detection/prevention system
> > that uses things like heuristic detection techniques, behavior based
> > detection, protocol anomoly or some other advanced methods.  
> > These allow
> > the activity to be blocked or alerted on, as opposed to the specific
> > event.  
> >
> > So, for example, a worm can be characterized by certain 
> > activity.  Say,
> > opening connections to lots of remote hosts in a short 
> period of time.
> > This behavior can be blocked (e.g. the process can be killed) even
> > without knowing that it was WormX.  
> >
> >
> > hth,
> > -Ds
> >
> >
> >
> > --------------------------------------------------------------
> > ------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world 
> > attacks from CORE
> > IMPACT.
> > Go to 
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
> > 0708 to learn more.
> > --------------------------------------------------------------
> > ------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------