Message-ID: <43F17C8C.9090405@science.org>
Date: Tue Feb 14 06:45:25 2006
From: jasonc at science.org (Jason Coombs)
Subject: On the "0-day" term
Steven M. Christey wrote:
> One would hope that there is some critical mass (i.e. number of
> compromised systems) beyond which any in-the-wild 0-day would become
> publicly known.
We can't presume that all 0-day exploits will end up being widely
observed and thus become well-known. This is not a valid presumption
even if it ends up being true in practice, today.
The real challenge is for incident response forensics staff to equip
themselves ahead of time with the necessary tools (and sources of
forensic logs, including, for example, full packet capture logs of all
network traffic within a rolling window time period that is as lengthy
as possible) to be able to identify a 0-day exploit used as the source
of entry for a one-off intrusion event.
Being able to detect, reliably, any changes made to configuration
settings or on-disk and in-memory binaries altered by the intruder is
good, too, but the capability to ascertain precisely what vulnerability
got exploited to gain entry in the first place is critical to keeping
the same well-prepared intruder out the second time around.
Some of the technical barriers to achieving full forensic awareness
within the time period during which a relevant 0-day event occurred
include the use of SSL and other encryption which bypasses simple packet
capture logging (unless one's SSL engine also logs all session keys
generated) and the processing power and storage space required to
capture, store, and analyze such a large quantity of real-time and
historical data. Not to mention the questionable probability that the
log windows will be wide enough to contain useful information when an
intrusion is finally noticed.
Dramatic improvements in this area of computer and network forensics
would fundamentally alter modern information security. I do not see how
any organization can believe itself to be adequately secured when the
simple ability to prove security measures are working, and quickly
determine the precise method of failure when they break down,
essentially does not exist today.
Sincerely,
Jason Coombs
jasonc@...ence.org
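Two of the defender capabilities argued for above, as an added example that is not part of the original message and not code from its author: a file-integrity baseline that records the hash and mode bits of configuration files and binaries and diffs a later scan against it, and a rolling-window retention policy for full-packet-capture files that keeps the longest history the disk allows. The directory layout, file names and timestamps are constructed for the demo; `prune_capture_window` assumes captures are plain `.pcap` files whose mtime is their capture time.

```python
"""Added example (not from the original message). Constructed data only."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root to (sha256, permission bits).
    Recording the mode catches a setuid bit added to an unchanged binary."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = stat.S_IMODE(p.stat().st_mode)
            baseline[str(p.relative_to(root))] = (hash_file(p), mode)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Relative paths that were modified, added or removed between scans."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def prune_capture_window(capture_dir: Path, window_seconds: int, now: float) -> list:
    """Delete capture files older than the rolling window; return their names."""
    cutoff = now - window_seconds
    deleted = []
    for p in capture_dir.glob("*.pcap"):
        if p.stat().st_mtime < cutoff:
            p.unlink()
            deleted.append(p.name)
    return sorted(deleted)


def demo() -> dict:
    """Constructed scenario: baseline a fake host tree, simulate an intruder
    editing a config, dropping a binary and deleting a log, then prune a
    capture store down to a seven-day window."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF-original")
        (root / "etc" / "auth.log").write_text("ok\n")
        before = build_baseline(root)

        # Simulated post-intrusion state (constructed).
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF-unknown")
        (root / "etc" / "auth.log").unlink()
        changes = diff_baseline(before, build_baseline(root))

        # Constructed capture store: files aged 1, 3, 10 and 30 days.
        caps = Path(tmp) / "pcap"
        caps.mkdir()
        now, day = 1_700_000_000.0, 86400
        for age_days in (1, 3, 10, 30):
            f = caps / f"capture-{age_days}d.pcap"
            f.write_bytes(b"")
            os.utime(f, (now - age_days * day, now - age_days * day))
        pruned = prune_capture_window(caps, 7 * day, now)
        return {"changes": changes, "pruned": pruned}


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken while the host is still trusted and stored off-host, otherwise the intruder can rewrite it along with the binaries. The capture pruner only addresses retention; as the message notes, traffic inside TLS sessions stays opaque to this kind of log unless the session keys were recorded alongside it.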