Less Than Zero Threat, Part 1

October 23, 2006

The security industry and trade press have directed a lot of attention toward the “Zero-day attack,” promoting it as THE threat to guard against. According to the marketing hype, the Zero-Day attack is the one that you should most fear, so you must put in place measures (i.e., buy stuff) to defend your organization from it.

The Zero-Day threat is born the moment a vulnerability is publicly announced or acknowledged. But what about the period of time during which the threat existed before being announced? At StillSecure we call this class the “Less-Than-Zero” threat. In this two-part series I'll examine the Less-Than-Zero threat, compare it to the Zero-Day threat, and discuss ways to protect yourself from Less-Than-Zero attacks and vulnerabilities for which patches, signatures, etc. do not yet exist.

Zero-Day vs. Less-Than-Zero

Once a vulnerability is publicly announced, the zero-day clock starts ticking. The announcement is typically followed by some period of time before a patch is made available. This is the Zero-Day period. According to accepted wisdom, organizations face the greatest danger when an attack or exploit targeting the vulnerability is verified in the “wild.”

Some believe this is a flawed argument. As evidence, they point to “underground” vulnerabilities and exploits that are equally dangerous and much more difficult to detect and protect against because they are “unknown.” At StillSecure we call this class the Less-Than-Zero threat. The chart below shows the relationship between the Less-Than-Zero threat and the Zero-Day threat and the level of risk each poses to the organization. It also takes into account such factors as responsible disclosure, patch deployment, etc.

Typically, Less-Than-Zero threats have a different genesis than Zero-Day threats. Most Zero-Day threats are discovered through the standard bug testing process, and the vulnerability is known before an exploit for it is seen in the wild. Less-Than-Zero attacks, on the other hand, are first detected through evidence of attacks that have already exploited them.

Where many Zero-Day vulnerabilities are discovered by White Hats, most Less-Than-Zero attacks are true Black Hat attacks. It is, however, possible for an underground threat to evolve into a Zero-Day attack; this is a natural evolution of Less-Than-Zero vulnerabilities and threats. Often a Less-Than-Zero attack becomes widely known and a patch is issued, and at that point it becomes a Zero-Day type of attack.

Hopefully you see my point: just because the Less-Than-Zero threat doesn't get a lot of media attention doesn't mean it isn't a real danger, and truly security-conscious organizations will take steps to protect themselves from it.

In Part 2 of this series we'll look at each stage of a threat and determine which defenses are applicable and what can be done to shorten the period of highest risk.