Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Definition of Zero Day Protection

from [Brian Smith] Network Security [Permanent Link]
Subject: RE: Definition of Zero Day Protection
Date: Mon, 9 Aug 2004 15:45:29 -0500 
It's important to distinguish between zero day exploits
and zero day vulnerabilities.  Zero day exploits exploit a known
vulnerability with a new exploit (like Code Red vs. Code Red II).
Zero day vulnerabilities are flaws in software that no one knows about
except the attacker.

Several products (TippingPoint, MacAfee, ISS, to name a few) can detect
and block zero day exploits by detecting network traffic that tries to
exploit the underlying vulnerability.  These all work by decoding the
application request and checking that the network traffic is attempting
to exploit the underlying vulnerability.

Zero day vulnerabilities are another animal entirely.  These are detected
(if at all) by noticing statistical or behavioral anomalies.  For example,
they might detect a sudden surge in UDP traffic destined for a particular
port, or notice that two machines are starting to communicate on a
port that they've never used before.  There's no known way to surgically
block just the bad traffic in that case.  As Steve says, blocking traffic
detected by behavioral/statistical anomalies will sometimes block new
applications.

Several products offer mitigation strategies to limit the new traffic's
ability to impact existing applications (e.g., they might rate limit
the UDP traffic to 1 Mbps so it doesn't swamp you network), but I don't
know of any product that can block zero day vulnerabilities with blocking
legitimate traffic.  If a vendor thinks their product can block zero day 
vulnerabilities without blocking legitimate traffic, please post the
details of how your product works.  I'm sure everyone here would
love to get some hard facts on this type of technology.

        Brian Smith

-----Original Message-----
From: Carey, Steve T GARRISON [mailto:steven-carey@us.army.mil]
Sent: Monday, August 09, 2004 12:27 PM
To: Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids@securityfocus.com
Subject: RE: Definition of Zero Day Protection


Would say they are 'misguided', they believe it.  But from the different IDS 
and IPS systems I have tested and used, the IPS CAN stop attacks, however, if 
someone in your organization starts using a new software, it may get stopped by 
the IPS.  Also, if the Zero Day Exploit is on the encrypted side, like ssl, 
then no it wouldn't stop it.  

There is some new technology being worked concerning Kernel Protection that 
comes close, but still is being worked.

The biggest problem with Zero Day Protection is encrypted programs.  Host based 
programs can work, but still believe that as of today it is still going to take 
a human to ensure Zero Day Protection (provided they have the necessary tools 
to do it with). 

Steve

-----Original Message-----
From: Teicher, Mark (Mark) [mailto:teicher@avaya.com]
Sent: Monday, August 09, 2004 12:14 PM
To: Carey, Steve T GARRISON
Cc: Seanor, Joseph (Joe); focus-ids@securityfocus.com
Subject: RE: Definition of Zero Day Protection


Marketing ploy??  You mean marketing people don't state the truth about
Zero Day Protection and how it works ??

/mark

-----Original Message-----
From: Carey, Steve T GARRISON [mailto:steven-carey@us.army.mil] 
Sent: Monday, August 09, 2004 11:08 AM
To: Teicher, Mark (Mark)
Cc: Seanor, Joseph (Joe); focus-ids@securityfocus.com
Subject: RE: Definition of Zero Day Protection

My own personal opinion, based on 7 years of experience in intrusion
detection, is that it is a marketing ploy.  Only way to ensure Zero Day
Protection is to use a 'suite' of IDS tools and have an analyst looking
at those logs 24/7 to find the Zero Day Exploit.  

Vendors can state they prevent Zero Day Exploits but to do that you can
also stop legitimate traffic.  Maybe sometime in the future that can
happen, but not today.

Steve Carey

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Definition of Zero Day Protection, Joshua Berry
Next by Date:  RE: Definition of Zero Day Protection, Teicher, Mark (Mark)
Previous by Thread:  RE: Definition of Zero Day Protection, Joshua Berry
Next by Thread:  RE: Definition of Zero Day Protection, Teicher, Mark (Mark)
Indexes:  [Date] [Thread] [Top] [All Lists]