In part 1, we introduced the idea of a Less-Than-Zero threat and defined it relative to a Zero-Day threat. Now, I´ll go a little deeper on each and discuss ways to protect your organization from them.
The Less-Than-Zero threat
The first stage in the evolution of a threat is the “underground” stage. This is the Less-Than-Zero-Day attack. In this stage, the vulnerability and a corresponding exploit are lose in the wild. The Less-Than-Zero-Day vulnerability is only discovered when evidence of an unattributable attack is identified. Therefore you typically don’t see a Less-Than-Zero-Day vulnerability without an existing exploit.
The Less-Than-Zero attack is usually discovered using forensic tools that recreate an attack or incident after the fact. There are no patches, IDS signatures, or other types of tools to prevent these attacks. The only possible type of defense is a heuristic or behavior-based defense, if you believe in this class of technology (that is a subject for another day). Your best defense is conforming to best practices within the layered security model. Whether layered security technologies are combined in single all-in-one integrated device or separate silos is up for debate.
Vigilant analysis to identify the attack vector is one of the best things to minimize the time period for this type of attack. Other factors are whether the weakness is being used for attacks against a narrow range of targets or a mass-market type of attack. Obviously the quicker the attack becomes “known” the quicker it moves into the conventional Zero-Day stage. Therefore, mass-market Less-Than-Zero threats quickly become Zero-Day threats.
Once the vulnerability and/or its exploit are known, the questions are: (1) Who knows about it? and (2) How is the vendor of the targeted system alerted to it? The concept of responsible disclosure is has been hotly debated. One camp believes that telling the vendor before releasing information to the general public gives the vendor time to get the fix out. The other camp believes that vendors don’t react quickly enough. The bad guys already know about the vulnerability/exploit anyway, so what good does it do to withhold general disclosure? Announcing the threat is the quickest way to enable organizations to protect themselves as best they can until a patch is available.
The Zero-Day Threat
A couple of things about Zero-Day attacks. Once publicly known, a whole new crop of Black Hats can try to use them. We do not subscribe to the vast hacker conspiracy theory that has all Black Hats sharing information. No doubt some sharing occurs, but there are exponentially more bad guys to worry about after the threat is made public. That´s the top of the curve in the graph from part 1 of this series. Let´s be clear: the Less-Than-Zero risk is a significant one. You should not let the Zero-Day threat defense come at the expense of Less-Than-Zero defenses.
Another point about Zero-Day attacks: If their genesis is from a Less-Than-Zero attack, then its exploit is already out there—so we´re already in the period of peak 4 threat. This makes the “publicly-known exploit” argument discussed above a bit of a red herring.
One more thing: Until the patch comes out there are things you can do to mitigate risk. You need to identify machines that are vulnerable to the attack. You can have a signature or some other behavior-based approach such as IDS/IPS that can detect and block it. You can disable the services or port that serve as the attack vector and enforce this via NAC and vulnerability scanning. 3rd party patches or other types of workarounds are also possible.
The final chapter of story deals with patching. ´Patching´ typically mean the official patch put out by the vendor of the vulnerable software. Just because a patch is available does not mean the threat goes away. With the constant vulnerability/patch process, the time from when a patch is available until it is actually applied can range from hours to weeks, depending on size of company and patching process. As a result the period of risk is extended.
Zero-Day, Less-Than-Zero, patching, exploits…the world is a dangerous place. While our attention has been focused by some security vendors and the press on the Zero-Day attack, the Less-Then-Zero threat is also significant enough to warrant your attention and resources. The reason you don´t hear a lot about this type of attack is because the majority of vendors don´t have a silver bullet to sell you for solving the problem. There is still no substitute for good, old-fashioned, best practices in security.