The Zero Day challenge
Just how lucrative is the internet crime market? Very; information is digital gold and hackers can get paid up to $200 per password.
Indeed, ‘Black hat’ hackers are becoming incredibly sophisticated at finding new vulnerabilities and exploiting them before the security community can react.
It can take less than a second to compromise a single machine and may take up to several days to come up with a patch.
Compromised machines aren’t just theoretical. They’re a reality. An entire underground economy has risen around compromised machines.
Access to ‘owned’ servers, services for launching phishing schemes, rental botnets for spam runs, and malware creation services are all advertised for a fee. These in turn support a marketplace for stolen identities, compromised bank accounts and credit card numbers.
Take, for example, the recent case of the Grum spam botnet that was eventually taken down in mid-July 2012.
This botnet housed over 136,000 internet addresses, could send up to 18 billion spam emails a day and, by advertising rogue pharmacies and fake DHL delivery notifications, had collected up to 1.3 million orders with customer information on its control server.
To service this underground economy, the hacker isn’t usually after the data on the computer, but the computer itself and the ability to control it. It could be used as a platform for launching criminal attacks on other, higher-value computers.
It won’t happen to me... really?
Like many of us, you may think ‘this won’t happen to me’ or ‘why would they target me?’
Businesses and individuals who are complacent about their security constitute the bread and butter of the organised crime underworld.
Take for instance the security breach at the White House at the end of September 2012, where it was reported that hackers linked to China’s government had broken into a system used by the White House military for nuclear commands.
In recent times there have been a few notable zero day exploits, such as the serious zero day vulnerability in Internet Explorer (IE) disclosed in September 2012. A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.
There are zero days between the time the vulnerability is discovered and the first attack.
Meeting the Zero Day Challenge
A conventional reactive security stance, based on packet filters and signatures, is powerless against a new generation of sophisticated zero day attacks.
What’s required are two pillars: Application proxy firewalls and a multi-faceted detection strategy, termed ‘intelligent layered security’.
Understanding how these defenses work separately and in concert is the key to understanding how true zero day protection can be achieved.
Application Proxy Firewalls are designed to recognise good traffic, allow it, and block everything else. This approach blocks whole classes of attacks.
To obtain this level of protection, an application proxy firewall doesn't simply look at the packet as it flies by. It disassembles the packet, rebuilds and re-sends it. It’s called a ‘proxy’ because it handles the connections on behalf of the source and destination machines.
At the endpoints, the session proceeds as though each machine is communicating directly with the other. In fact, each is communicating with the firewall.
More on the proxy firewall
The critical security difference between a packet-based firewall and an application proxy firewall is best understood by considering the seven-layer OSI model.
A packet inspection firewall can only take action based on the first three layers of the model. By comparison, an application proxy firewall has the capability to inspect all seven layers and take action based on the topmost (application) layer, where most zero day threats reside.
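An added example, not code from the article, of the positive-model, rebuild-and-forward behaviour described above: a minimal application-layer check in Python that parses one HTTP/1.1 request, accepts only what matches an allowlist of methods, paths and headers, and re-emits a canonical copy for the backend, dropping everything else. The allowlist values and the sample requests are constructed for illustration.

```python
import re
from typing import Optional

# Constructed positive model of "good traffic" for one service behind the proxy.
# Anything not listed here is blocked: the proxy recognises good traffic and
# rejects the rest, instead of matching known-bad signatures at packet level.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_PATH = re.compile(r"/[A-Za-z0-9_./-]{0,128}")   # no query string
ALLOWED_HEADERS = {"host", "user-agent", "accept"}
MAX_REQUEST_BYTES = 4096


def rebuild_request(raw: bytes) -> Optional[bytes]:
    """Parse one request, validate it against the positive model and return a
    freshly built request for the backend, or None to block it. The output is
    generated from parsed fields, so malformed, oversized or unexpected input
    never reaches the server verbatim."""
    if len(raw) > MAX_REQUEST_BYTES or b"\r\n\r\n" not in raw:
        return None
    head, _, body = raw.partition(b"\r\n\r\n")
    if body:                       # GET/HEAD carry no body in this model
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:     # non-ASCII bytes in the header block
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        return None
    method, path, _ = parts
    if method not in ALLOWED_METHODS or ".." in path or not ALLOWED_PATH.fullmatch(path):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Unknown header, empty value or control characters (bare LF, NUL) -> block
        if not sep or name not in ALLOWED_HEADERS or not value or any(ord(c) < 32 for c in value):
            return None
        headers[name] = value
    if "host" not in headers:
        return None
    # Re-emit a canonical request: fixed header order, no extra headers.
    out = [f"{method} {path} HTTP/1.1", f"Host: {headers['host']}"]
    for name in ("user-agent", "accept"):
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")
```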
The intelligent layered security approach allows a firewall to deliver the full zero day protection of an application proxy, with limited impact on network performance.
Depending on the port and protocol, only a few checks are needed for most packets.
While there are no automated tools or documented steps for cleanup after a zero day attack, the best defence against such attacks is ensuring that systems are tested with the Metasploit Framework (an open source attack simulator) and protected by application proxy firewalls with intelligent layered security.