
Zer0-Day Attacks Notification?

alwinux

Newbie

Posts: 11

Joined: Wed Apr 21, 2010 8:35 pm

Post Sun Jul 18, 2010 9:56 pm

Zer0-Day Attacks Notification?

Hi EH-Net peepz,

Is there a way we can be up to date with zer0-day attacks by getting email notifications? Is there a site that has an email subscription?

Another thing - please share with me your experiences of zer0-day attacks and what the best defense against them is.

Thanks in advance!
GCIH, ECSA, MCP/2003 Server, ITIL
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Jul 18, 2010 10:26 pm

Re: Zer0-Day Attacks Notification?

You might be interested in several of these: http://seclists.org/

Defense-in-depth is the best approach. Running with minimum privileges, egress filtering, NI[DP]S/HI[DP]S, etc.
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jul 19, 2010 7:44 am

Re: Zer0-Day Attacks Notification?

alwinux wrote:
Hi EH-Net peepz,

Is there a way we can be up to date with zer0-day attacks by getting email notifications? Is there a site that has an email subscription?

To be blunt: no, there isn't a way. This is why... 0day is what it is: NO KNOWLEDGE. It's only after something is publicly disclosed that it's called 0day. Personally I hate the term 0day and prefer "unknown attack(s)." 0day is the typical name given to something in the wild which someone saw/got a glimpse of.

My personal view on what is considered "0day" is to have a good Extrusion Detection System in place. See, the issue with NI[DP]S's and HI[DP]S's is that most signature-based ones fail and only catch low-level attackers. Remember, they're looking for low-hanging fruit most of the time and set off so many alarms that they deserve to be caught and beaten with a cluestick. The "skillful" attackers and those who seriously want to get in WILL get in, and often will get in without tripping an alarm.

Does this mean you won't/can't see them? Not really. With an EDS (Extr. Detect. Sys.) you can build a strong baseline to see what's LEAVING your network, as opposed to the Internet meteorites coming into your network. Wanna play a game? Throw a machine online with full logging on a firewall. Log ANYTHING and EVERYTHING connecting to that box. I guarantee you that you will see hundreds if not THOUSANDS of constant attacks. Is it someone out to get you? Not likely; a lot of it will be residual. Do you want to waste your time and money looking into this? You CAN'T stop that from "knocking" on your door. On the flip side, you CAN control what leaves your network.

Imagine the following for a minute. You have, say, an AD server doing something locally. All of a sudden you get an alert that the machine is sending OUT to, say, another country... You know you have a problem. For years that machine has done nothing but work locally, but now it's trying to send something OUTSIDE of your network. Your money/time is more focused now. You CAN stop this, and the likelihood of something really being wrong is going to be more accurate.

Anyway, monitoring "quote" 0day is mainly pointless. For one, you're not supposed to know about true "0day." Secondly, in order to find "0day" you want to subscribe to bona fide blackhat sites. Keep an invisible profile, study code and make your own signatures. Otherwise, you're falling into marketing by companies with the "next best thing against 0day." Take this from someone who has plenty of "0day" which will never be published nor shared. Think you can stop it? Think again; you will never be able to see a comparison signature. It's never been disclosed.
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Jul 19, 2010 8:05 am

Re: Zer0-Day Attacks Notification?

One definition of a 0-day is where a vulnerability is known but no patch exists. Again, there is no real way to protect against it except for being vigilant in monitoring logs as sil says.

To know about new 0-days that HAVE been reported, check out the Zero Day Initiative and subscribe to the RSS feeds. http://www.zerodayinitiative.com/
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jul 19, 2010 8:21 am

Re: Zer0-Day Attacks Notification?

yatz wrote:
To know about new 0-days that HAVE been reported, check out the Zero Day Initiative and subscribe to the RSS feeds. http://www.zerodayinitiative.com/

Since I tend to post to ZDI and iDefense from time to time, I can tell you why this would fail unless you use Tipping Point's IDS. ZDI (Tipping Point) pays for 0day so they can implement a signature in their IDS/IPS appliances. That works well for them; however, they don't post anything relevant for anyone else to create a signature from.

Have a look at their upcoming advisories: http://www.zerodayinitiative.com/advisories/upcoming/ There is nothing to make out that would assist in the creation of a signature/defense. Now take a look at their published advisories: http://www.zerodayinitiative.com/advisories/ZDI-10-129/ Still, there isn't enough that would assist in the creation of a "signature" to throw on an IDS/IPS, and when they "do" disclose what's affected in an understandable form, they NEVER post code, so there is no method to see a payload to create a signature from. At best you'd be able to create an alert: "Someone is using Adobe!" I can see someone attempting to create "generic" signatures off of ZDI and getting annoyed by the false positives. This is where IPS/IDS fails miserably (false positives and false negatives). It is also why DLP is not that far behind on the "top technological alerts that get filtered straight to /dev/null". See this discussion on DLP (http://www.linkedin.com/answers/technol ... 3-11530327)
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Jul 19, 2010 9:43 am

Re: Zer0-Day Attacks Notification?

sil wrote:
they don't post anything relevant for anyone else to create a signature from.

Perhaps not, but at least you'll know where a reported 0-day may be targeting. Helpful in manual examination of logs. You did a good job explaining why there's no helpful defense, but the being-alerted part wasn't really answered. ZDI is the one I know about that makes some attempt to document this type of early alerting.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jul 19, 2010 9:51 am

Re: Zer0-Day Attacks Notification?

yatz wrote:
Perhaps not, but at least you'll know where a reported 0-day may be targeting.

That in itself is problematic. ZDI tends to disclose advisories in bulk. There are times when it's not uncommon to see 40+ advisories from ZDI in one clip. Inside of those ZDI advisories it's a broad summary, and usually you'll see multiple advisories on one product. For example, what would you do if you saw, say, 15 advisories on, let's say, Microsoft Exchange? You have little idea of what to look for (triggers) in order to create a usable signature. Do you create an all-inclusive signature to watch for EVERYTHING coming in or out of Exchange? At an enterprise level, that would be a nightmare.

The alternative (Extrusion Detection) offers a way for you to get a realistic baseline of usage patterns and work from there. E.g., have a browse around the postings even here for how people are looking to get metasploit reverse shells working. A commonality is that most newer users of metasploit tend to stick with the default parameters (e.g., LPORT 4444), which means I have a better shot at looking and alerting for ANY traffic leaving me trying to get TO port 4444. That's a lot easier than, say, trying to stop the meteorites from smashing my planet. Space is a vast place filled with garbage ;)
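The two ideas sil describes in this thread, a per-host baseline of what LEAVES the network (the AD server that suddenly talks to another country) and a simple watch for outbound traffic to a tooling default such as port 4444, can be put together as a small extrusion-detection script. The code below is an added example written for this thread, not code from sil or any EH-Net poster. Everything in it is constructed: the key=value firewall log format, the tiny prefix-to-country table that stands in for a real GeoIP database, the 10.0.0.0/8 "local" range, and the `DEFAULT_TOOL_PORTS` set (populated only with 4444 because that is the port the thread names).

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a GeoIP database: prefix -> country code.
# A real deployment would use a proper GeoIP lookup here (assumption).
GEO_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "LOCAL",
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
}
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed "inside" range

# Outbound destination ports worth an alert on their own. The thread names
# 4444 (Metasploit's default LPORT); extend to taste.
DEFAULT_TOOL_PORTS = {4444}

# Constructed firewall log lines (key=value). The learning window is the
# "for years this box only worked locally" history; the detection window is
# the day something changes.
LEARNING_LOG = [
    "ts=2010-07-12T08:00:00 src=10.0.0.5 dst=10.0.0.9 dport=389 proto=tcp action=ACCEPT",
    "ts=2010-07-12T08:00:05 src=10.0.0.5 dst=10.0.0.9 dport=88 proto=tcp action=ACCEPT",
    "ts=2010-07-12T09:00:00 src=10.0.1.20 dst=203.0.113.10 dport=443 proto=tcp action=ACCEPT",
    "ts=2010-07-12T09:05:00 src=10.0.1.20 dst=203.0.113.20 dport=80 proto=tcp action=ACCEPT",
]
DETECTION_LOG = [
    "ts=2010-07-19T09:00:01 src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp action=ACCEPT",
    "ts=2010-07-19T09:00:02 src=10.0.1.20 dst=203.0.113.10 dport=443 proto=tcp action=ACCEPT",
    "ts=2010-07-19T09:00:03 src=10.0.1.20 dst=203.0.113.50 dport=4444 proto=tcp action=ACCEPT",
    "ts=2010-07-19T09:00:04 src=10.0.1.30 dst=10.0.0.9 dport=445 proto=tcp action=ACCEPT",
]


def country_of(ip):
    """Map an IP to a country code via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "UNKNOWN"


def parse_line(line):
    """Parse one key=value firewall line into a flow record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": fields["ts"], "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"])}


def outbound_flows(lines):
    """Keep only flows that start inside LOCAL_NET and leave it."""
    for rec in map(parse_line, lines):
        if (ipaddress.ip_address(rec["src"]) in LOCAL_NET
                and ipaddress.ip_address(rec["dst"]) not in LOCAL_NET):
            yield rec


def build_baseline(lines):
    """Per source host: the set of (country, dport) pairs seen while learning.
    Hosts that only ever talked locally get no entry at all."""
    baseline = defaultdict(set)
    for rec in outbound_flows(lines):
        baseline[rec["src"]].add((country_of(rec["dst"]), rec["dport"]))
    return dict(baseline)


def detect(baseline, lines):
    """Return alerts for outbound flows that deviate from the baseline."""
    alerts = []
    for rec in outbound_flows(lines):
        cc = country_of(rec["dst"])
        reasons = []
        if rec["dport"] in DEFAULT_TOOL_PORTS:
            reasons.append("default tool port %d" % rec["dport"])
        known = baseline.get(rec["src"], set())
        if not known:
            reasons.append("host has no outbound history (destination country %s)" % cc)
        elif cc not in {c for c, _ in known}:
            reasons.append("new destination country %s" % cc)
        elif (cc, rec["dport"]) not in known:
            reasons.append("new port %d for country %s" % (rec["dport"], cc))
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                           "dport": rec["dport"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(LEARNING_LOG), DETECTION_LOG):
        print("%(ts)s %(src)s -> %(dst)s:%(dport)d  %(reasons)s" % alert)
```

Running it flags exactly two flows: the AD server (10.0.0.5), which has no outbound history at all and is now talking to a host in another country, and the workstation connecting out to port 4444. The workstation's normal HTTPS traffic to its usual US destination produces nothing, and the purely local SMB flow is never even considered, which is the point sil makes: the outbound side is small and stable enough that a deviation stands out, whereas the inbound "meteorites" never stop.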
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Jul 19, 2010 9:15 pm

Re: Zer0-Day Attacks Notification?

sil wrote:
My personal view on what is considered "0day" is to have a good Extrusion Detection System in place. See, the issue with NI[DP]S's and HI[DP]S's is that most signature-based ones fail and only catch low-level attackers. Remember, they're looking for low-hanging fruit most of the time and set off so many alarms that they deserve to be caught and beaten with a cluestick. The "skillful" attackers and those who seriously want to get in WILL get in, and often will get in without tripping an alarm.

Does this mean you won't/can't see them? Not really. With an EDS (Extr. Detect. Sys.) you can build a strong baseline to see what's LEAVING your network, as opposed to the Internet meteorites coming into your network. Wanna play a game? Throw a machine online with full logging on a firewall. Log ANYTHING and EVERYTHING connecting to that box. I guarantee you that you will see hundreds if not THOUSANDS of constant attacks. Is it someone out to get you? Not likely; a lot of it will be residual. Do you want to waste your time and money looking into this? You CAN'T stop that from "knocking" on your door. On the flip side, you CAN control what leaves your network.

Sil, I think you're making the mistake of assuming everyone is as skilled as you ;)

A zero-day may be sold to someone simply looking to increase his botnet numbers in order to send spam or perform DDoS attacks. These attacks may be amateur, common, and noisy. While I don't think you should rely on those systems by any means, I wouldn't necessarily write them off as being worthless either.

I agree 100% on the extrusion detection. That's what I was getting at with egress filtering, but that really doesn't capture the essence of what's involved.
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Jul 20, 2010 7:07 am

Re: Zer0-Day Attacks Notification?

dynamik wrote:
Sil, I think you're making the mistake of assuming everyone is as skilled as you ;)

:( Stop it ;) It's not about being leet or anything; to me it's about versatility and understanding. I wouldn't go as far as saying "forget IDS/IPS", which is why I wrote: The "skillful" attackers and those who seriously want to get in WILL get in, and often will get in without tripping an alarm.

Does this mean you won't/can't see them? Not really.


In a situation like this, where money will eventually come into play (there is a cost associated with building and maintaining {H,N}I{P,D}S systems), I'd rather spend my security dollar much more wisely. This allows me to go back when the time is right for more money. Experienced managers are aware of "Internet" meteorites and the connections TO a network, as this is common; however, being able to stop exfiltration is well worth more.
