

Less-Than-Zero vs. Zero-Day


An approach to vulnerabilities, exploits, patches, and security

By Alan Shimel, Co-Founder and Chief Strategy Officer, StillSecure

The security industry and trade press have directed a lot of attention toward the "Zero-Day attack," promoting it as THE threat to guard against. According to the marketing hype, the Zero-Day attack is the one you should fear most, so you must put measures in place (i.e., buy stuff) to defend your organization from it.

The Zero-Day threat is born the moment a vulnerability is publicly announced or acknowledged. But what about the period of time during which the threat existed before being announced? At StillSecure we call this class the "Less-Than-Zero" threat. In this two-part series I'll examine the Less-Than-Zero threat, compare it to the Zero-Day threat, and discuss ways to protect yourself from Less-Than-Zero attacks and from vulnerabilities for which patches, signatures, etc. do not yet exist.

Zero-Day vs. Less-Than-Zero
Once a vulnerability is publicly announced, the zero-day clock starts ticking. The announcement is typically followed by some period of time before a patch is made available. This is the Zero-Day period. According to accepted wisdom, organizations face the greatest danger when an attack or exploit targeting the vulnerability is verified in the "wild."

Some believe this is a flawed argument. As evidence, they point to "underground" vulnerabilities and exploits that are equally dangerous and much more difficult to detect and protect against because they are "unknown." At StillSecure we call this class the Less-Than-Zero threat. The chart below shows the relationship between the Less-Than-Zero threat and the Zero-Day threat and the level of risk each poses to the organization. It also takes into account such factors as responsible disclosure, patch deployment, etc.


The Less-Than-Zero threat is the period of time before a vulnerability is publicly announced. While the Zero-Day threat poses a severe level of risk, the Less-Than-Zero threat can pose a serious danger as well.

Typically Less-Than-Zero threats have a different genesis than Zero-Day threats. Most Zero-Day threats are discovered through the standard bug testing process, and the vulnerability is known before an exploit for it is seen in the wild. Less-Than-Zero attacks, on the other hand, are first detected through evidence of attacks that have already exploited them.

Where many Zero-Day vulnerabilities are discovered by White Hats, most Less-Than-Zero attacks are true Black Hat attacks. It is, however, possible for an underground threat to evolve into a Zero-Day attack. This is the natural evolution of Less-Than-Zero vulnerabilities and threats: often a Less-Than-Zero attack becomes widely known and a patch is issued, and at that point it becomes a Zero-Day type of attack.

Hopefully you see my point: even though the Less-Than-Zero threat doesn't get a lot of media attention, it presents a real danger, and truly security-conscious organizations will take steps to protect themselves from it.

The Less-Than-Zero threat
The first stage in the evolution of a threat is the "underground" stage. This is the Less-Than-Zero-Day attack. In this stage, the vulnerability and a corresponding exploit are loose in the wild. The Less-Than-Zero-Day vulnerability is only discovered when evidence of an unattributable attack is identified. Therefore you typically don't see a Less-Than-Zero-Day vulnerability without an existing exploit.

The Less-Than-Zero attack is usually discovered using forensic tools that recreate an attack or incident after the fact. There are no patches, IDS signatures, or other types of tools to prevent these attacks. The only possible type of defense is a heuristic or behavior-based defense, if you believe in this class of technology (that is a subject for another day). Your best defense is conforming to best practices within the layered security model. Whether layered security technologies are combined in a single all-in-one integrated device or kept in separate silos is up for debate.

Vigilant analysis to identify the attack vector is one of the best ways to minimize the time window for this type of attack. Other factors are whether the weakness is being used for attacks against a narrow range of targets or for a mass-market type of attack. Obviously the quicker the attack becomes "known," the quicker it moves into the conventional Zero-Day stage. Therefore, mass-market Less-Than-Zero threats quickly become Zero-Day threats.

Once the vulnerability and/or its exploit are known, the questions are: (1) Who knows about it? and (2) How is the vendor of the targeted system alerted to it? The concept of responsible disclosure has been hotly debated. One camp believes that telling the vendor before releasing information to the general public gives the vendor time to get the fix out. The other camp believes that vendors don't react quickly enough. The bad guys already know about the vulnerability/exploit anyway, so what good does it do to withhold general disclosure? Announcing the threat is the quickest way to enable organizations to protect themselves as best they can until a patch is available.

The Zero-Day Threat
A couple of things about Zero-Day attacks. Once they are publicly known, a whole new crop of Black Hats can try to use them. We do not subscribe to the vast hacker conspiracy theory that has all Black Hats sharing information. No doubt some sharing occurs, but there are exponentially more bad guys to worry about after the threat is made public. That's the top of the curve in the graph from part 1 of this series. Let's be clear: the Less-Than-Zero risk is a significant one. You should not let Zero-Day threat defense come at the expense of Less-Than-Zero defenses.

Another point about Zero-Day attacks: if their genesis is a Less-Than-Zero attack, then the exploit is already out there, so we are already in the period of peak threat. This makes the "publicly known exploit" argument discussed above a bit of a red herring.

One more thing: until the patch comes out there are things you can do to mitigate risk. You need to identify the machines that are vulnerable to the attack. You can use a signature or some other behavior-based approach such as IDS/IPS to detect and block it. You can disable the services or ports that serve as the attack vector and enforce this via NAC and vulnerability scanning. Third-party patches or other types of workarounds are also possible.
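The mitigation steps above (identify the vulnerable machines, close the attack vector, enforce it, and patch when the vendor fix ships) can be turned into a repeatable triage. The script below is an added example written for this page; it is not code from the article or from any StillSecure product. It runs over a constructed host inventory and a constructed advisory (every host name, product name, version and port is an invented placeholder) and assigns each host the compensating control that applies while no patch exists.

```python
"""Exposure triage for a vulnerability with no vendor patch yet.

Added example, not from the original article. Host names, product names,
version numbers and ports below are constructed placeholders.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NOT_AFFECTED = "not affected"
    PATCH = "apply vendor patch"
    BLOCK_VECTOR = "disable the vulnerable service/port and enforce it via NAC until patched"
    MONITOR = "vulnerable but vector closed: watch it, add IDS/IPS signature when available"


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_min: str       # inclusive lower bound of vulnerable versions
    affected_max: str       # inclusive upper bound of vulnerable versions
    port: int               # network port that serves as the attack vector
    patch_available: bool


@dataclass(frozen=True)
class Host:
    name: str
    installed: dict         # product -> version string, as reported by inventory
    listening: frozenset    # TCP ports open on the host


def parse_version(text: str) -> tuple:
    """'2.4.10' -> (2, 4, 10); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(host: Host, adv: Advisory) -> bool:
    """True when the affected product is installed at a version in the range."""
    version = host.installed.get(adv.product)
    if version is None:
        return False
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v <= parse_version(adv.affected_max)


def is_exposed(host: Host, adv: Advisory) -> bool:
    """Vulnerable AND the attack-vector port is actually reachable."""
    return is_vulnerable(host, adv) and adv.port in host.listening


def recommend(host: Host, adv: Advisory) -> Action:
    """Pick the control: patch if one exists, else close the vector, else watch."""
    if not is_vulnerable(host, adv):
        return Action.NOT_AFFECTED
    if adv.patch_available:
        return Action.PATCH
    if is_exposed(host, adv):
        return Action.BLOCK_VECTOR
    return Action.MONITOR


def triage(hosts, adv: Advisory) -> dict:
    """Map each host name to the recommended action."""
    return {h.name: recommend(h, adv) for h in hosts}


# Constructed sample inventory (placeholder names, versions and ports).
HOSTS = [
    Host("web-01", {"acmehttpd": "2.4.10"}, frozenset({22, 80, 443})),
    Host("web-02", {"acmehttpd": "2.4.12"}, frozenset({22, 443})),   # port 80 closed
    Host("db-01", {"acmedb": "9.1"}, frozenset({22, 5432})),          # other product
    Host("app-03", {"acmehttpd": "2.3.9"}, frozenset({80})),          # below range
]

# Constructed advisory: no vendor patch yet, vector is the service on port 80.
ADVISORY = Advisory("acmehttpd", "2.4.0", "2.4.12", port=80, patch_available=False)

if __name__ == "__main__":
    for name, action in triage(HOSTS, ADVISORY).items():
        print(f"{name:8} {action.value}")
```

Feeding the same inventory an advisory with `patch_available=True` flips every vulnerable host straight to the patch action, which is the point of keeping the vulnerable-version check separate from the open-port check: the version range decides who must eventually patch, the port decides who needs an interim control right now.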

Patching
The final chapter of the story deals with patching. "Patching" typically means applying the official patch put out by the vendor of the vulnerable software. Just because a patch is available does not mean the threat goes away. With the constant vulnerability/patch cycle, the time from when a patch is available until it is actually applied can range from hours to weeks, depending on the size of the company and its patching process. As a result the period of risk is extended.

Conclusion
Zero-Day, Less-Than-Zero, patching, exploits... the world is a dangerous place. While our attention has been focused on the Zero-Day attack, the Less-Than-Zero threat is also significant enough to warrant your attention and resources. There is still no substitute for good, old-fashioned best practices in security.



Alan Shimel
Co-Founder and Chief Strategy Officer
StillSecure
As Co-Founder and Chief Strategy Officer at StillSecure, Alan Shimel is responsible for helping to shape and develop the company's business and technology strategy and direction. In this role he serves as a primary interface and evangelist with partners, customers, and peers, as well as the press and analyst communities.



