Countermeasure for 0 day Threat?
darshandkd
Member Posts: 4
in SSCP
Hello All!
This is my very first post to this forum, I am sorry if I break any rule.
I have just started preparing for CISSP and planning to crack it in the next 6 months.
I am referring to chapter #3 (i.e. Information Security and Risk Management) of the Shon Harris AIO CISSP book.
Could you please help me understand what could be the countermeasure for a 0 day threat?
Any help will be appreciated.
Comments
-
dbrink Member Posts: 180
Application white listing could be one countermeasure.
Currently Reading: Learn Python The Hard Way
http://defendyoursystems.blogspot.com/
-
darshandkd Member Posts: 4
Hi Dbrink,
Thanks for the reply.
Could you please share any feasible example for the same?
-
dbrink Member Posts: 180
With 0 days it doesn't matter if your anti-virus signatures are up to date, the exploit will most likely be successful. Depending on what the exploit actually does, it could be prevented by application white listing. White listing has a list of applications that are allowed rather than having a list of applications that aren't allowed (black listing). If the 0 day exploit attempts to execute some code on the machine and that executable isn't on the white list it won't run and you have avoided the 0 day exploit.
I believe white listing is definitely more rare because it is very restrictive and that could turn into quite a management nightmare.
Hope this answers what you were wanting as an example.
Currently Reading: Learn Python The Hard Way
http://defendyoursystems.blogspot.com/
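As an added illustration of the allow-list versus deny-list point made above (example code written for this page, not from the poster or any product): a hash-based application allow-list check run side by side with a signature-style deny-list. The file names and byte contents are constructed stand-ins for executables; "dropper_0day.exe" plays the never-before-seen binary, and "notepad_v2.exe" plays an approved program after an update, to show the re-approval overhead the post calls a management nightmare.

```python
"""Allow-list vs deny-list execution control over constructed sample binaries."""
import hashlib

# Constructed stand-ins for executables (name -> file contents). Not real binaries.
SAMPLE_FILES = {
    "notepad.exe": b"MZ approved editor build 1.0",
    "wordpad.exe": b"MZ approved wordpad build 2.3",
    "notepad_v2.exe": b"MZ approved editor build 2.0",      # update, hash changed
    "known_malware.exe": b"MZ dropper already seen by AV",
    "dropper_0day.exe": b"MZ payload nobody has a signature for",
}


def sha256_hex(data: bytes) -> str:
    """Identify a binary by the SHA-256 of its contents."""
    return hashlib.sha256(data).hexdigest()


# Allow-list: hashes of the binaries the admin has explicitly approved.
ALLOWLIST = {sha256_hex(SAMPLE_FILES[n]) for n in ("notepad.exe", "wordpad.exe")}
# Deny-list: hashes of binaries already known to be bad (what AV signatures amount to).
DENYLIST = {sha256_hex(SAMPLE_FILES["known_malware.exe"])}


def allowlist_permits(data: bytes) -> bool:
    """Default deny: run only if the hash is on the approved list."""
    return sha256_hex(data) in ALLOWLIST


def denylist_permits(data: bytes) -> bool:
    """Default allow: run unless the hash is on the known-bad list."""
    return sha256_hex(data) not in DENYLIST


def compare_policies(files=SAMPLE_FILES) -> dict:
    """Return {name: (allowlist_permits, denylist_permits)} for each sample file.

    The unknown 0-day binary is blocked by the allow-list but passes the deny-list,
    because a deny-list can only stop what has already been catalogued. The updated
    notepad_v2.exe is also blocked until its new hash is approved, which is the
    maintenance cost of the approach.
    """
    return {name: (allowlist_permits(d), denylist_permits(d)) for name, d in files.items()}


if __name__ == "__main__":
    for name, (allow, deny) in compare_policies().items():
        verdict = lambda ok: "RUN  " if ok else "BLOCK"
        print(f"{name:18s} allow-list={verdict(allow)} deny-list={verdict(deny)}")
```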
-
JDMurray Admin Posts: 13,092
Patching is also an effective way to mitigate a known vulnerability for which an in-the-wild exploit hasn't yet manifested.
-
ppypo123 Member Posts: 8
I guess the best countermeasure against a 0 day threat is an anomaly based IDS/IPS. It is a behavioral based system that learns the normal activity of your environment, and anything against this normal activity is considered an attack.
They are also called behavior or heuristic based IDS/IPS, and the 3 main types of them are statistical anomaly based, protocol anomaly based, and traffic anomaly based.
I don't know why they have mentioned this as only IDS in books, but I guess we can consider them as IPS also as they prevent and not only detect anything that is against the normal activity.
-
JDMurray Admin Posts: 13,092
They're now starting to be called IDP (Intrusion Detection Prevention) systems. An IPS must also be functionally an IDS, and an IDP in logging-only mode is an IDS.
-
darshandkd Member Posts: 4
Hi Guys,
Thanks for helping resolve my concerns.
I have got my answer.
Many thanks.
Regards,
Darshan
-
paul78 Member Posts: 3,016
Btw - as an aside - for 0 day browser exploits, one technique that I have been exploring is browser isolation using a micro VM. It can be an effective technique. I am not convinced that anomaly-based detection is a viable real-world option and I have not seen much evidence of their success; there are simply too many detection evasion techniques out there. And while patching is always great to reduce the exploit window, it doesn't help with 0-day as mentioned.
-
JDMurray Admin Posts: 13,092
And while patching is always great to reduce the exploit window, it doesn't help with 0-day as mentioned.
-
ptilsen Member Posts: 2,835
Btw - as an aside - for 0 day browser exploits, one technique that I have been exploring is browser isolation using a micro VM. It can be an effective technique.