Author Topic: Zer0-Day Attacks Notification?  (Read 5536 times)
alwinux
« on: July 18, 2010, 09:56:51 PM »

Hi EH-Net peepz,

Is there a way we can be up to date with zer0-day attacks by getting email notifications? Is there a site that has an email subscription?

Another thing: please share your experiences with zer0-day attacks and what the best defense against them is.

Thanks in advance!

GCIH, ECSA, MCP/2003 Server, ITIL
ajohnson
« Reply #1 on: July 18, 2010, 10:26:15 PM »

You might be interested in several of these: http://seclists.org/

Defense-in-depth is the best approach. Running with minimum privileges, egress filtering, NI[DP]S/HI[DP]S, etc.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
sil
« Reply #2 on: July 19, 2010, 07:44:22 AM »

Hi EH-Net peepz,

Is there a way we can be up to date with zer0-day attacks by getting email notifications? Is there a site that has an email subscription?

To be blunt: no, there isn't a way. This is why... 0day is what it is: NO KNOWLEDGE. It's only after something is publicly disclosed that it's called 0day. Personally I hate the term 0day and prefer "unknown attack(s)." 0day is the typical name given to something in the wild which someone saw/got a glimpse of.

My personal view on what is considered "0day" is to have a good Extrusion Detection System in place. See, the issue with NI[DP]S and HI[DP]S is that most signature-based ones fail and only catch low-level attackers. Remember, they're looking for low-hanging fruit most of the time and set off so many alarms that they deserve to be caught and beaten with a cluestick. The "skillful" attackers and those who seriously want to get in WILL get in and often will get in without tripping an alarm.

Does this mean you won't/can't see them? Not really. With an EDS (Extr. Detect. Sys.) you can build a strong baseline to see what's LEAVING your network as opposed to the Internet meteorites coming into your network. Wanna play a game? Throw a machine online with full logging on a firewall. Log ANYTHING and EVERYTHING connecting to that box. I guarantee you that you will see hundreds if not THOUSANDS of constant attacks. Is it someone out to get you? Not likely; a lot of it will be residual. Do you want to waste your time and money looking into this? You CAN'T stop that from "knocking" on your door. On the flip side, you CAN control what leaves your network.

Imagine the following for a minute. You have, say, an AD server doing something locally. All of a sudden you get an alert that the machine is sending OUT to, say, another country... You know you have a problem. For years that machine has done nothing but work locally, but now it's trying to send something OUTSIDE of your network. Your money/time is more focused now. You CAN stop this, and the likelihood of something really being wrong is going to be more accurate.

Anyway, monitoring "quote" 0day is mainly pointless. For one, you're not supposed to know about true "0day." Secondly, in order to find "0day" you want to subscribe to bona fide blackhat sites. Keep an invisible profile, study code and make your own signatures. Otherwise, you're falling for marketing by companies with the "next best thing against 0day." Take this from someone who has plenty of "0day" which will never be published nor shared. Think you can stop it? Think again; you will never be able to see a comparison signature. It's never been disclosed.

yatz
« Reply #3 on: July 19, 2010, 08:05:05 AM »

One definition of a 0-day is where a vulnerability is known but no patch exists. Again, there is no real way to protect against it except for being vigilant in monitoring logs, as sil says.

To know about new 0-days that HAVE been reported, check out the Zero Day Initiative and subscribe to the RSS feeds. http://www.zerodayinitiative.com/

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
sil
« Reply #4 on: July 19, 2010, 08:21:21 AM »

To know about new 0-days that HAVE been reported, check out the Zero Day Initiative and subscribe to the RSS feeds. http://www.zerodayinitiative.com/

Since I tend to post to ZDI and iDefense from time to time, I can tell you why this would fail unless you use Tipping Point's IDS. ZDI (Tipping Point) pays for 0day so they can implement a signature in their IDS/IPS appliances. That works well for them; however, they don't post anything relevant for anyone else to create a signature from.

Have a look at their upcoming advisories: http://www.zerodayinitiative.com/advisories/upcoming/ There is nothing to make out that would assist in the creation of a signature/defense. Now take a look at their published advisories: http://www.zerodayinitiative.com/advisories/ZDI-10-129/ Still, there isn't enough that would assist in the creation of a "signature" to throw on an IDS/IPS, and when they "do" disclose what's affected in an understandable form, they NEVER post code, so there is no method to see a payload to create a signature from. At best you'd be able to create an alert: "Someone is using Adobe!" I can see someone attempting to create "generic" signatures off of ZDI and getting annoyed by the false positives. This is where IPS/IDS fails miserably (false positives and false negatives). It is also why DLP is not that far behind on the "top technological alerts that get filtered straight to /dev/null." See this discussion on DLP (http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/638733-11530327)

yatz
« Reply #5 on: July 19, 2010, 09:43:11 AM »

they don't post anything relevant for anyone else to create a signature from.
Perhaps not, but at least you'll know where a reported 0-day may be targeting. Helpful in manual examination of logs. You did a good job explaining why there's no helpful defense, but the being-alerted part wasn't really answered. ZDI is the one I know about that makes some attempt to document this type of early alerting.

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
sil
« Reply #6 on: July 19, 2010, 09:51:11 AM »

Perhaps not, but at least you'll know where a reported 0-day may be targeting.

That in itself is problematic. ZDI tends to disclose advisories in bulk. There are times when it's not uncommon to see 40+ advisories from ZDI in one clip. Inside of those ZDI advisories, it's a broad summary and usually you'll see multiple advisories on one product. For example, what would you do if you saw, say, 15 advisories on, let's say, Microsoft Exchange? You have little idea of what to look for (triggers) in order to create a usable signature. Do you create an all-inclusive signature to watch for EVERYTHING coming in or out of Exchange? At an enterprise level, that would be a nightmare.

The alternative (Extrusion Detection) offers a way for you to get a realistic baseline of usage patterns and work from there. E.g., have a browse around the postings even here for how people are looking to get metasploit reverse shells working. A commonality is that most newer users of metasploit tend to stick with the default parameters (e.g., LPORT 4444), which means I have a better shot of looking and alerting for ANY traffic leaving me trying to get TO port 4444. That's a lot easier than, say, trying to stop the meteorites from smashing my planet. Space is a vast place filled with garbage ;)
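The extrusion-detection idea from Reply #2 (baseline what leaves the network, alert when a host that only ever worked locally suddenly talks outside) and the port 4444 alert from Reply #6, as an added example that is not part of the original thread. It assumes a hypothetical whitespace-separated egress log of "src dst dport" lines, an internal range of 10.0.0.0/8, and constructed sample data; a baseline is learned from one window and new lines are checked against it.

```python
import ipaddress
from collections import defaultdict

# Constructed sample egress log lines (not from the thread), one "src dst dport" per line.
# 10.0.0.5 plays the AD server from Reply #2: in the baseline it only ever talks internally.
BASELINE_LOG = """\
10.0.0.5 10.0.0.10 389
10.0.0.5 10.0.0.11 445
10.0.0.20 93.184.216.34 443
10.0.0.20 10.0.0.5 389
"""
NEW_LOG = """\
10.0.0.5 10.0.0.10 389
10.0.0.5 203.0.113.7 443
10.0.0.20 93.184.216.34 443
10.0.0.20 198.51.100.9 4444
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
SUSPICIOUS_PORTS = {4444}                         # Metasploit default LPORT (Reply #6)

def parse(log):
    """Yield (src, dst, dport) from the hypothetical whitespace-separated log."""
    for line in log.splitlines():
        if line.strip():
            src, dst, port = line.split()
            yield src, dst, int(port)

def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL

def build_baseline(log):
    """Learning window: which external destinations each host has been seen reaching.
    Hosts that never leave the network are simply absent from the map."""
    seen = defaultdict(set)
    for src, dst, _ in parse(log):
        if is_external(dst):
            seen[src].add(dst)
    return dict(seen)

def find_alerts(baseline, log):
    """Extrusion checks over new lines; returns (src, dst, dport, reason) tuples."""
    alerts = []
    for src, dst, port in parse(log):
        if port in SUSPICIOUS_PORTS:
            alerts.append((src, dst, port, "connection to suspicious port"))
        elif is_external(dst) and src not in baseline:
            alerts.append((src, dst, port, "host never seen leaving the network"))
        elif is_external(dst) and dst not in baseline[src]:
            alerts.append((src, dst, port, "new external destination"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(build_baseline(BASELINE_LOG), NEW_LOG):
        print(*alert)
```

Inbound noise never enters the picture: only lines where the destination is outside the internal range, or the port is on the watch list, can raise an alert.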

ajohnson
« Reply #7 on: July 19, 2010, 09:15:38 PM »

My personal view on what is considered "0day" is to have a good Extrusion Detection System in place. See, the issue with NI[DP]S and HI[DP]S is that most signature-based ones fail and only catch low-level attackers. Remember, they're looking for low-hanging fruit most of the time and set off so many alarms that they deserve to be caught and beaten with a cluestick. The "skillful" attackers and those who seriously want to get in WILL get in and often will get in without tripping an alarm.

Does this mean you won't/can't see them? Not really. With an EDS (Extr. Detect. Sys.) you can build a strong baseline to see what's LEAVING your network as opposed to the Internet meteorites coming into your network. Wanna play a game? Throw a machine online with full logging on a firewall. Log ANYTHING and EVERYTHING connecting to that box. I guarantee you that you will see hundreds if not THOUSANDS of constant attacks. Is it someone out to get you? Not likely; a lot of it will be residual. Do you want to waste your time and money looking into this? You CAN'T stop that from "knocking" on your door. On the flip side, you CAN control what leaves your network.

Sil, I think you're making the mistake of assuming everyone is as skilled as you ;)

A zero-day may be sold to someone simply looking to increase his botnet numbers in order to send spam or perform DDoS attacks. These attacks may be amateur, common, and noisy. While I don't think you should rely on those systems by any means, I wouldn't necessarily write them off as being worthless either.

I agree 100% on the extrusion detection. That's what I was getting at with egress filtering, but that really doesn't capture the essence of what's involved.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
sil
« Reply #8 on: July 20, 2010, 07:07:38 AM »

Sil, I think you're making the mistake of assuming everyone is as skilled as you ;)

:( Stop it ;) It's not about being leet or anything; to me it's about versatility and understanding. I wouldn't go as far as saying "forget IDS/IPS," which is why I wrote: The "skillful" attackers and those who seriously want to get in WILL get in and often will get in without tripping an alarm.

Does this mean you won't/can't see them? Not really.

In a situation like this, where money will eventually come into play (there is a cost associated with building and maintaining {H,N}I{P,D} systems), I'd rather spend my security dollar much more wisely. This allows me to go back when the time is right for more money. Experienced managers are aware of "Internet" meteorites and the connections TO a network, as this is common; however, being able to stop exfiltration is well worth more.

© 2013 The Ethical Hacker Network