Zero Days Are Not the Bugs You’re Looking For

The security community needs to change in order for effective defenses against zero-day vulnerabilities to emerge, experts say.

BERLIN–The technology industry is often held up by politicians, executives and others as an example of how to adapt quickly and shift gears in the face of disruptive change. But the security community has been doing defense in basically the same way for several decades now, even though the threat landscape has changed dramatically, as have customer needs. This situation is untenable and must change in order for effective defenses against zero-day vulnerabilities to emerge, experts say.

The use of exploits against zero days, or unpatched vulnerabilities, is nothing new. Attackers have been looking for and using new bugs for as long as there has been software to exploit. What has changed in recent years is the scale of zero-day exploit use and the kind of attackers using them. It used to be mainly individual attackers and some high-end cybercrime groups. Now zero days are being used by governments, intelligence agencies and state-sponsored attack teams. In the hands of these groups, zero days represent a major threat to the targeted organizations, most of which can’t keep pace with the patches coming out for known bugs, let alone defend against attacks on zero days.

“There’s no red button you can push to make this go away. This is going to go on and on and on,” Andreas Lindh of I Secure in Sweden said in a talk at Virus Bulletin 2013 here Wednesday. “We need to get our priorities straight. What I’m suggesting is that we get back to basics rather than buying more tools. The tools we have work pretty well when you use them correctly. We actually have really good tools. We need to start focusing on what matters, what really matters.”

Lindh said that the old concept of defense in depth, which has been ridiculed in some corners in recent years, still holds up in most cases if organizations implement their technology correctly and don’t sit back and expect miracles. One key to succeeding more often than not against high-level attackers, he said, is to harden the software we all depend on through the use of technologies such as ASLR and DEP, which prevent many common memory corruption attacks. The number of ways that attackers can get into systems has decreased in the last few years, Lindh said.

“There’s been a reduction in attack vectors they can use,” he said. “There’s not as much room for attacks anymore.”

In many cases, the exploits that are working are not insanely creative bits of work from elite attack teams, but rather copies of exploits produced by legitimate security researchers.

“These people aren’t really writing their own exploits. They’re begging for scraps from security researchers,” Lindh said.

Though much of the attention in the security community and media is focused on zero days and novel attacks, a lot of the damage in the real world is done through the use of exploits against known vulnerabilities. Addressing those holes is an efficient way to increase your winning percentage, Lindh said.

“We need to know that when we’re seeing vulnerabilities in software being exploited, they’re not the ones we’ve identified as being critical. We have to change,” he said. “We have to plug the gaps that are left. We need to do this based on what was learned, and then we need to do it again and again and again. Sooner or later the world’s going to change and we have to change with it. We need to get better at prioritizing what we do. We have to stop feeding users all this BS about APTs all the time. It’s not helping.”

Discussion

  • anwar hoossin on

    yes
  • Älter und weiser on

    I think I agree with Herr Lindh. Defense in Depth still is the best strategy. Many tools really do work pretty well. ASLR really does help. Users are still really un-trainable. And the hype about APT is ridiculous for most users. Unfortunately, I still don't know what kind of change Herr Lindh wants. Frankly, I believe most organizations don't care if their IT systems have a "low grade" infection (e.g. botnet clients) as long as it does not affect operations and does not steal money from the corp. To management, it's like having a herpes infection that is in remission. Who cares.
  • Igal Zeifman on

    Does it really have to be one or the other? Why can't you use a multi-layered approach to deal with known vulnerabilities and zero-days (blocking the latter via reputation and generic rules)? This is a rhetorical question. Modern security providers are already doing that.