Tuesday, October 18, 2011

Agile Security Manifesto #4 – Offensive Research Has Limited Immediate Value

Zero-Day is sexy, and hunting for it is even sexier. If you are heading to any major, or even minor, security conference this year, the headlines are always the new exploit or new vulnerability talks. When a new Zero-Day vulnerability is discovered in a major software vendor's product, even the mainstream media is all over it. This builds the perception that Zero-Day vulnerabilities are a critical area of focus when laying out your defensive technologies and that they play a major role in compromising networks. It also pushes the perception that security researchers and defenders should spend significant time searching for new Zero-Days that could otherwise be discovered by attackers and used to infiltrate protected networks. While searching for, discovering and reporting new vulnerabilities seems to have some effect on the overall security of software, the real question is whether it provides a reasonable return on investment for any organization tasked with defending its own, or other people's, networks. This discussion is core to our Agile Security Manifesto principle #4 - "Attack research is useful but doesn't solve security problems. Research should focus on innovative solutions to solve today’s security challenges."

Two recent studies, one published by iSEC Partners and the other by Microsoft, address head-on the real-world impact of Zero-Day threats in today’s world. For those who haven’t read these reports, the basic summary from the iSEC report is that 13 vulnerabilities that already had patches available made up the vast majority of attacks and compromises in 2010. And, since 2006, only 75 vulnerabilities have been widely used to compromise end users and enterprises. The Microsoft report even goes as far as stating “99 percent of exploits use common techniques such as social engineering and the targeting of unpatched, known vulnerabilities,” leaving only a 1% usage of Zero-Day vulnerabilities on the table. When we compare these statements to our own internal data, the Sourcefire VRT has reached similar conclusions. This leads to the question of defensive investment: if 99% of the vulnerabilities actually used fall into the non-Zero-Day category, shouldn’t that investment be used to stop those threats?

This begs the question as to what is the better business investment: hunting for the bugs that might be used in the 1%, or investing in defensive technologies that more effectively deal with the common 99% case? Looking at both the Microsoft report and the iSEC Partners report, several commonalities jump out when reviewing the prevalence of unpatched vulnerabilities used to attack end users. Both reports highlight heavy use of Java vulnerabilities, including CVE-2010-0840, CVE-2009-3867, and CVE-2008-5353, which all target the commonly installed Java JRE. Additionally, numerous attacks targeting Adobe Flash Player and Adobe PDF Reader were observed. If you’ve never done any work investigating these file types, the simple summary is that they are complex, compressed, and require substantial resources to effectively inspect for malicious content. When used in the wild, they are obfuscated using encoders and other techniques that actively attempt to evade defensive technologies.

With attackers focusing on utilizing known, unpatched vulnerabilities, and spending their research dollars on making those attacks more effective and harder to detect, shouldn’t defenders be focusing their dollars on improving defensive technologies so they more effectively handle these types of armaments? Defenders should be focusing on finding better ways to deal with complex file types, locating better ways to dissect them for inspection, and finding faster ways to determine whether something is malicious. While bug hunting for the next zero-day may protect your network against one new threat, it doesn’t produce any actionable information about how defenders should effectively deal with the next set of application-specific obfuscations and file type complexities. Once that one new bug is found, your investment is spent, and it has produced only one small piece of actionable data: that the bug exists. It didn’t produce a better way to defend against the next one.

With the threat landscape as it is, the Sourcefire VRT believes that if you’re going to invest, it should be in finding a better way to defend against the next one. A dollar-for-dollar investment in reverse engineering a file format to understand how it works will pay out far higher dividends than spending those same dollars looking for one bug. Locating better ways to break files down, identifying areas for obfuscation and evasion, and building agile defense technologies that allow defenders to quickly build detections for the next threat has a much higher ROI than finding one individual bug. Stomping out one bug might help you right now, but building a better defensive understanding and framework for dealing with complex file formats pays out every time a new bug you didn’t find shows up.
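To make the point about complex, compressed file types concrete, here is an added example that is not code from the original post or from Sourcefire. It builds a constructed, benign PDF-like file whose only keyword of interest sits inside a FlateDecode-compressed stream, then contrasts a naive byte-pattern scan of the file as stored on disk with a scan that dissects the file and inflates each stream first. The indicator list, the stream-matching regular expression and the sample file are all assumptions made for this example; a production scanner would need a real PDF object parser and support for the other filters and encodings the post alludes to.

```python
import re
import zlib

# Keywords whose presence inside a PDF deserves closer inspection. This is a
# constructed, illustrative list for the example, not a complete detection set.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")

# Matches "<< dict >> stream ... endstream". Nested dictionaries are not handled;
# a real scanner needs a proper PDF object lexer rather than a regex.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.DOTALL)


def build_sample_pdf(truncate: bool = False) -> bytes:
    """Constructed test input (not a real document): the only '/JavaScript'
    keyword lives inside a FlateDecode-compressed stream, so a scan of the raw
    bytes cannot see it. With truncate=True the compressed body is cut short,
    simulating a corrupt stream that a scanner must not silently skip."""
    inner = b"<< /S /JavaScript /JS (app.alert('constructed test')) >>"
    body = zlib.compress(inner)
    if truncate:
        body = body[: len(body) // 2]
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog >> endobj\n"
        b"2 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


def extract_streams(data: bytes):
    """Yield (dictionary, body, status) for every stream object, inflating
    FlateDecode bodies. status is 'ok', 'inflate-failed' or 'unsupported-filter'."""
    for m in STREAM_RE.finditer(data):
        dictionary, body = m.group(1), m.group(2)
        if b"/Filter" not in dictionary:
            yield dictionary, body, "ok"
        elif b"/FlateDecode" in dictionary:
            try:
                yield dictionary, zlib.decompress(body), "ok"
            except zlib.error:
                # Truncated or deliberately corrupt stream: keep the raw bytes
                # and flag it so the caller can treat it as suspicious.
                yield dictionary, body, "inflate-failed"
        else:
            yield dictionary, body, "unsupported-filter"


def scan_raw(data: bytes) -> list:
    """Naive approach: match indicator strings against the bytes on disk."""
    return sorted(ind for ind in INDICATORS if ind in data)


def scan_inflated(data: bytes) -> tuple:
    """Dissect first, then match: indicators found in the raw bytes plus in
    every decoded stream, together with a list of streams that could not be
    decoded (which a scanner should flag rather than ignore)."""
    found = set(scan_raw(data))
    problems = []
    for _dictionary, body, status in extract_streams(data):
        if status != "ok":
            problems.append(status)
        found.update(ind for ind in INDICATORS if ind in body)
    return sorted(found), problems


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("raw scan     :", scan_raw(sample))
    print("inflated scan:", scan_inflated(sample))
    print("truncated    :", scan_inflated(build_sample_pdf(truncate=True)))
```

Running it shows the raw scan finding nothing while the inflating scan reports both `/JavaScript` and `/JS`; the truncated variant decodes nothing but comes back flagged as `inflate-failed`. The design point is the one the post makes: the detection logic itself is trivial, and all of the value is in the dissection step that has to be built once and then serves every future signature.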
