In-Depth

New Technology Combats Zero-Day Attacks

Exploits expected to get worse, putting even more pressure on security managers

• By Mathew Schwartz
• 08/18/2004

New research from Gerhard Eschelbeck, chief technology officer of Redwood Shores, Calif.-based Qualys Inc., frames the overall problem via his extensive “Laws of Vulnerabilities” research. For example, the current half-life of a vulnerability—the time taken by users to patch half their systems after a vulnerability announcement is made—is 21 days for external systems and 62 days for internal ones.

The time it takes companies to patch, however, leaves them open to many exploits. In particular, says Eschelbeck, 80 percent of automated exploits, including worms, target the first two half-life periods of critical vulnerabilities. In other words, the exploits attack companies when not all systems are patched. “In most cases, worms are circulating faster than systems being patched inside the network, and organizations have to be more aggressive about protecting their internal systems,” he says.

Think the problem is bad now? “We expect the exploitation of vulnerabilities—before enterprises can remediate them—to rise steadily,” notes Paul Proctor, vice president at research firm META Group. Therefore, “it is imperative that businesses implement some means to protect themselves from unpatched and rapidly developing new vulnerabilities.”

To provide security managers with cover until known vulnerabilities can be patched, and to block as-yet-publicly-unknown vulnerabilities for which an exploit may already be circulating—so-called “zero day” attacks—organizations have a range of technology options, including software firewalls on every client and anti-spyware technology. Organizations can also use hardware able to detect intrusions—and more—to block zero-day attacks. “Multi-layered security solutions that incorporate capabilities like intrusion prevention, vulnerability mitigation, and firewall technologies can help enterprises better protect their digital assets,” notes Proctor. Some vendors in this blended space include Cisco, Internet Security Systems, Network Associates, TippingPoint, and Top Layer Networks.

The most recent company to enter the zero-day protection market is eEye Digital Security, based in Aliso Viejo, Calif. eEye is already known for many of the vulnerabilities it’s discovered via data from its customers’ implementations of Retina, the company's standalone vulnerability scanner.

“Blaster, Sasser, Slammer, and so on have basically shown that even though known vulnerabilities that have patches available weeks or months before worms come out, they are not being assessed fast enough,” says Firas Raouf, chief operating officer of eEye.

He says organizations can use vulnerability-scanning software in three ways to help block vulnerabilities. First, organizations can scan for known vulnerabilities for which patches are available. Second, organizations can look for misconfigurations, “such as having NetBIOS turned on, or FTP on a machine that doesn’t necessarily require having FTP.” Finally, organizations can assess policy compliance. Is antivirus software active on all PCs and with recent updates? Are any peer-to-peer applications running? Is there spyware infecting a PC? Are Web ports open?

eEye's take on combating zero-day vulnerabilities is a new product called Blink, which utilizes a centralized management console, as well as agents sitting on each protected asset, such as a server, workstation, or laptop. Blink captures packets as they enter the enterprise and analyzes them for known types of attacks. It isn’t looking for a specific attack, but rather mechanisms used for attacking networks and PCs. Blink drops any packets it suspects of being an attack.

This approach was driven by the fact that attackers often repeat themselves. “We went back five years in time, and we looked at every attack that ever came out against HTTP, for example, and looked at all the attacks it used,” says Raouf. Then eEye built a product to guard against the 25 most-common types of attacks. For example, eEye found “90 percent of worms and targeted attacks rely upon a very common method of exploitation—a buffer overflow. So we’re looking for buffer overflows, for directory traversal attacks, and on and on,” he says.

For each new vulnerability disclosure, security managers can assess whether Blink already protects them, and further fine-tune the software to better block the vulnerability. This cover—checking all packets as they enter the enterprise—gives security managers extra time to patch.

Some intrusion prevention products use a similar packet-inspection approach; others rely upon signatures to spot attacks. Raouf says Blink belongs in the former camp, and downplays the need for signatures with Blink. “We don’t ship with the signatures, but we do provide the interface that allows you to use signatures. The benefit there is to have more knowledge into the types of attacks you’re blocking.” He says signature information is easily available by running the free Snort tool, then copying and pasting the results into Blink, or using antivirus providers’ free virus information.

Despite advances in technology, Raouf also cautions that organizations must consider cultural changes to better tackle vulnerability remediation—a move he sees many organizations making. “I think it’s going to go one of two ways. Either security will just morph into IT operations and become part of that; or it will continue to be a standalone group reporting to the CISO [chief information security officer], but it will become less involved in the day-to-day process, and will be more of a policy-setting and auditing-oversight group.”

Related Articles:

Product Shootout: Intrusion Prevention
http://info.101com.com/default.asp?id=4814

Protecting Data From Events Firewalls Can't Catch
http://www.esj.com/security/article.asp?EditorialsID=593