Hot off the heels of yesterday's post!!!
I'm not trying to use buzzwords or get popular by using the term "0day threat" (in fact I hate the whole way we say "O-Day", it's just annoying). In any case, there is an "O-Day" floating around for Microsoft systems, in particular the SMB service on Windows 2003 AD servers. Ouch. So you're probably saying, "But I have a firewall, IDS/IPS, Anti-Virus software, and patch management." So do a lot of people, which is why attackers use social engineering and "O-Day" attacks. You have to ask yourself: if someone wanted to target you, how successful could they be? What's stopping them from getting your users to click on a link or open an attachment? What stops your users from accessing SMB on your servers? How do your servers defend against a 0day attack?

This is one reason why I love real-world hacking challenges. I've done several over the years, and it always starts out the same way: you have to defend the network for the first hour of the competition without a firewall and without patches. "But that's not fair," people say, but that's the real world. It's like that scene from the movie "Dodgeball" where the coach has them all line up for training. He then takes out a giant wrench and, without warning, hurls it at one of the guys, who gets clocked in the face. He then states, "If you can dodge a wrench, you can dodge a ball." So, if you can defend a "naked" network, you can certainly defend one with a firewall and other techniques. It's not so much about preventing the attack to begin with, but what happens afterwards.
Further, if we look at defending without a firewall, without AV and with missing patches, it just so happens that you are getting frightfully close to the way the "real world" is. AV can be easily bypassed. IDS is routinely sidestepped simply by using encryption, or by the attackers using the same protocols you use to manage your network (SSL, SSH, RDP anyone?). So, with that in mind, how well can you defend your network?
Finally, sit down and think for a moment... How much would an attacker gain by obtaining access to your critical data? If the attacker can get, say, a million credit card numbers and can sell each for $1 on the black market, there is a significant upside for them to do this. If an attacker can gain a million dollars by compromising your network, do you think there is a possibility they may go through the effort to develop or purchase a 0day?
No friends, it has nothing to do with prevention anymore. It is now a question of containment and detection.
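To make the "containment and detection" point concrete, here is an added example (not code from the original post) that answers the earlier question "what stops your users from accessing SMB on your servers?" from the detection side. It assumes a hypothetical network layout in which servers sit in 10.0.10.0/24 and only an admin subnet 10.0.99.0/24 is supposed to speak SMB (TCP/445 or 139) to them, and it runs over a few constructed connection-log lines in a simplified "timestamp src:port -> dst:port proto" format. A workstation touching many servers on 445 in quick succession is the kind of thing that survives a missing patch or a bypassed AV, because the traffic itself is visible whether or not the exploit is known.

```python
"""Flag SMB connections to servers from hosts that should not be making them.
Added example with a constructed log and an assumed (hypothetical) network layout;
it is not part of the original post."""
import ipaddress
from collections import defaultdict

# Assumed layout (hypothetical): servers in 10.0.10.0/24, and only the admin
# subnet 10.0.99.0/24 is expected to open SMB sessions to them.
SERVER_NET = ipaddress.ip_network("10.0.10.0/24")
ALLOWED_SMB_SOURCES = [ipaddress.ip_network("10.0.99.0/24")]
SMB_PORTS = {445, 139}

# Constructed sample log lines: "timestamp src:port -> dst:port proto".
SAMPLE_LOG = """\
2009-01-15T09:12:01 10.0.99.5:51234 -> 10.0.10.20:445 tcp
2009-01-15T09:12:07 10.0.50.17:49152 -> 10.0.10.20:445 tcp
2009-01-15T09:12:09 10.0.50.17:49153 -> 10.0.10.21:445 tcp
2009-01-15T09:12:11 10.0.50.17:49154 -> 10.0.10.22:445 tcp
2009-01-15T09:13:00 10.0.50.42:50000 -> 10.0.10.20:3389 tcp
2009-01-15T09:13:30 10.0.50.42:50001 -> 10.0.10.20:139 tcp
"""


def parse_line(line):
    """Split one constructed log line into its addressed fields."""
    ts, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src_ip),
        "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip),
        "dport": int(dst_port),
        "proto": proto,
    }


def is_allowed_source(ip):
    """True if the source lives in a subnet that is expected to use SMB to servers."""
    return any(ip in net for net in ALLOWED_SMB_SOURCES)


def find_unexpected_smb(log_text):
    """Return (src, dst, dport) tuples for SMB flows to servers from disallowed sources."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue  # not SMB; RDP etc. would need its own rule
        if rec["dst"] not in SERVER_NET:
            continue  # workstation-to-workstation SMB is out of scope here
        if is_allowed_source(rec["src"]):
            continue  # admin subnet is expected to do this
        hits.append((str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return hits


def summarize_by_source(hits):
    """Count distinct servers per offending source. One host reaching several
    servers on 445 looks like lateral movement, not a one-off mapped drive."""
    per_src = defaultdict(set)
    for src, dst, _ in hits:
        per_src[src].add(dst)
    return {src: len(dsts) for src, dsts in per_src.items()}


if __name__ == "__main__":
    found = find_unexpected_smb(SAMPLE_LOG)
    for hit in found:
        print("unexpected SMB to server:", hit)
    print("distinct servers per source:", summarize_by_source(found))
```

On the constructed log this reports the four SMB flows from the 10.0.50.0/24 hosts and ignores the admin host and the RDP connection; the per-source summary then singles out 10.0.50.17, which reached three different servers in a few seconds. The allow-list and subnet values are the assumption to replace with your own; the shape of the check (who is allowed to speak this protocol to which hosts, and how many hosts one source touches) is what carries over to a real flow or firewall log.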
Originally on episode 231.