Attacks/Breaches
12/2/2013
11:06 AM
Levi Gundert
Levi Gundert
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

Zero-Day Drive-By Attacks: Accelerating & Expanding

The zero-day attack business is no longer just about money, and patching is no longer the best defense.
1 of 2

1 of 2
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 3:40:05 PM
Re: Patching not enough
That's a great observation and point about how, to quote Gartner,  information security is becoming a big data problem that will require a major shift in mind set and skills sets of security professionals. 

 

 

 
levigundert
50%
50%
levigundert,
User Rank: Apprentice
12/3/2013 | 1:56:44 PM
Re: Patching not enough
Absolutely. If the solution is going to be homegrown, the required resources - primarily human and time - are going to be substantial. It's more likely (especially for small and medium size businesses) that a behavioral prevention product will be purchased from a vendor that is already spending considerable resources on acquiring the right data and hiring top data science talent.

It's certainly possible to create an in-house solution, but it's likely to be cost-prohibitive for all but the largest organizations. Many of the Big Data tools are open source and straight forward to setup, but the barriers to entry are high for acquiring the data and talent necessary to compete with security vendor efforts.

That being said, security professionals should become familiar with Big Data tools and methodologies because it's the future of agile security programs.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 12:33:23 PM
Re: Patching not enough
"...big data insight, talented data scientists, and evolving predicative signal identification.." that seems like a pretty steep learning curve for today's typical  information security professional, not to mention a totally different orientation. What do you think the corporate security team would look like in order to successfully develop and manage a behavioral solution? 
levigundert
50%
50%
levigundert,
User Rank: Apprentice
12/3/2013 | 12:00:24 PM
Re: Patching not enough
Thanks for the question Marilyn. Quite a few security vendors are currently competing to provide superior behavior scoring solutions. I'm obviously partial to what we're doing at Cisco with our cloud based approach, but the point is that subscribing to static threat intelligence lists - malicious IP addresses, domains, etc. - and creating derivative access lists (ACLs) is only going to protect users up to a point. From a risk management perspective that may be enough, but I think most INFOSEC departments realize that the emergence of zero day drive-by campaigns means new solutions are required.

A successful behavioral security solution is predicated on: big data insight, talented data scientists, and evolving predicative signal identification. This space is still new and I don't have proprietary metrics from different security providers specifically around zero day drive-by attacks, but I do know that businesses are interested in proven behavioral solutions.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 9:38:04 AM
Patching not enough
Thanks for your detailed overview of the evolution of the zero-day attack, Levi. You make a great case for the need for new defenses that go beyond vulnerability identification and patch management. In terms of a "sensible" solution such as behavior scoring, where are you seeing that approach being adopted and how successful it is to date? 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3407
Published: 2014-11-27
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888.

CVE-2014-4829
Published: 2014-11-27
Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests tha...

CVE-2014-4831
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors.

CVE-2014-4832
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session.

CVE-2014-4883
Published: 2014-11-27
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?