Countermeasure for 0 day Threat?

darshandkd Member Posts: 4
Hello All!

This is my very first post to this forum, I am sorry if I break any rule.
I have just started preparing for CISSP and planning to crack it in next 6 months.

I am referring to chapter #3 (i.e. Information Security and Risk Management) of the Shon Harris AIO CISSP book.

Could you please help me understand what could be the countermeasure for a 0 day threat?

Any help will be appreciated.

Comments

  • dbrink Member Posts: 180
    Application white listing could be one countermeasure.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • darshandkd Member Posts: 4
    Hi Dbrink,

    Thanks for the reply.
    Could you please share any feasible example for the same?
  • dbrink Member Posts: 180
    With 0 days it doesn't matter if your anti-virus signatures are up to date, the exploit will most likely be successful. Depending on what the exploit actually does, it could be prevented by application white listing. White listing has a list of applications that are allowed rather than having a list of applications that aren't allowed (black listing). If the 0 day exploit attempts to execute some code on the machine and that executable isn't on the white list it won't run and you have avoided the 0 day exploit.

    I believe white listing is definitely more rare because it is very restrictive and that could turn into quite a management nightmare.

    Hope this answers what you were wanting as an example.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • JDMurray Admin Posts: 13,023 Admin
    Patching is also an effective way to mitigate a known vulnerability for which an in-the-wild exploit hasn't manifested yet.
  • ppypo123 Member Posts: 8
    I guess the best countermeasure against a 0 day threat is an anomaly based IDS/IPS. It is a behavior-based system that learns the normal activity of your environment, and anything against this normal activity is considered an attack.

    They are also called behavior- or heuristic-based IDS/IPS, and the 3 main types of them are statistical anomaly based, protocol anomaly based, and traffic anomaly based.

    I don't know why they have mentioned this as only IDS in books, but I guess we can consider them as IPS also, as they prevent and not only detect anything that is against the normal activity.
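To make the "statistical anomaly based" idea from the post above concrete, here is an added example (not from any poster in this thread): it learns a baseline of events per minute from a constructed training window of log lines, then flags later minutes whose count deviates from that baseline by more than a z-score threshold. The log format, the IP addresses and the thresholds are all assumptions made for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log lines in the form "<minute> <src_ip> <action>".
# The training window represents normal traffic of 4-6 connections a minute.
TRAINING_LOG = [
    f"{m:02d} 10.0.0.{i + 1} ACCEPT"
    for m in range(10)
    for i in range(4 + m % 3)
]
# Later window: minute 10 looks normal, minute 11 has a burst of 40 events.
LIVE_LOG = (
    [f"10 10.0.0.{i + 1} ACCEPT" for i in range(5)]
    + [f"11 10.0.0.{i + 1} ACCEPT" for i in range(40)]
)


def count_per_minute(lines):
    """Return {minute: number of log lines seen in that minute}."""
    return Counter(line.split()[0] for line in lines)


def learn_baseline(lines):
    """Learn the 'normal' profile: mean and population std of events per minute.

    Whatever is in the training window becomes 'normal': if the window already
    contains an attack, that activity is baked into the baseline.
    """
    counts = list(count_per_minute(lines).values())
    return mean(counts), pstdev(counts)


def z_score(count, baseline):
    avg, std = baseline
    if std == 0:
        # Perfectly constant baseline: any deviation at all is anomalous.
        return 0.0 if count == avg else float("inf")
    return (count - avg) / std


def detect_anomalies(lines, baseline, threshold=3.0):
    """Return [(minute, count, z)] for minutes deviating > threshold std devs."""
    flagged = []
    for minute, count in sorted(count_per_minute(lines).items()):
        z = z_score(count, baseline)
        if abs(z) > threshold:
            flagged.append((minute, count, round(z, 1)))
    return flagged


if __name__ == "__main__":
    base = learn_baseline(TRAINING_LOG)
    print(f"baseline: mean={base[0]:.1f} std={base[1]:.2f}")
    for minute, count, z in detect_anomalies(LIVE_LOG, base):
        print(f"ALERT minute {minute}: {count} events (z={z})")
```

The baseline quality decides everything: the detector only knows "normal" as what it saw during training, which is why a clean training window and a tuned threshold matter more than the arithmetic.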
  • JDMurray Admin Posts: 13,023 Admin
    They're now starting to be called IDP (Intrusion Detection Prevention) systems. An IPS must also be functionally an IDS, and an IDP in logging-only mode is an IDS.
  • darshandkd Member Posts: 4
    Hi Guys,
    Thanks for helping resolve my concerns.
    I have got my answer.

    Many thanks.

    Regards,
    Darshan
  • paul78 Member Posts: 3,016
    Btw - as an aside - for 0 day browser exploits, one technique that I have been exploring is through the use of browser isolation using a micro VM. It can be an effective technique. I am not convinced that anomaly-based detection is a viable real-world option and I have not seen much evidence of their success; there are simply too many detection evasion techniques out there. And while patching is always great to reduce the exploit window, they don't help with 0-day as mentioned.
  • JDMurray Admin Posts: 13,023 Admin
    paul78 wrote: »
    And while patching is always great to reduce the exploit window, they don't help with 0-day as mentioned.
    Yes, patches can only prevent zero-days from occurring in the first place, or fix them once they are known. In the time-of-exploit-deployment/time-of-patch-available window, patching is not an effective prevention.
  • ptilsen Member Posts: 2,835
    paul78 wrote: »
    Btw - as an aside - for 0 day browser exploits, one technique that I have been exploring is through the use of browser isolation using a micro vm. It can be an effective technique.
    IMO it is one of the only effective techniques. Even restricted access accounts using restricted browsers with all the detection techniques in the world cannot eliminate browser vulnerabilities as attack vectors. I'm not familiar with any instance of compromising a VM's host, and while I'd admit it might be possible, at the end of the day it is IMO far more feasible to create a browser exploit capable of privilege escalation and heuristic evasion than a browser exploit capable of compromising a VM's host through the VM.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340