Last month the National Institute of Standards and Technology (NIST) took its database of software vulnerabilities, the National Vulnerability Database (NVD), offline for several days after discovering that the web servers hosting the NVD, as well as other government databases, had been compromised through a software vulnerability. It was disclosed that the relevant patch had likely been applied only after the attackers had already compromised the web servers, and that the intrusion had been active for about two months. The details of this ironic incident were widely reported in the security trade press; my purpose here is not to critique the incident but rather to ask what lessons we might learn from this unfortunate event.

The first lesson, based not only on this incident but more convincingly on evidence from surveys of both government and industry security professionals, is that in spite of all the perimeter defense measures we take, and in spite of our diligence in applying patches as they are released, we may well suffer the same fate. We may, at this very moment, have malware on our web servers or other network assets that has burrowed in and is gathering unprotected critical data and transmitting it to a bad actor outside our domain.

The second lesson, I believe, is that our typical malware detection and remediation procedures leave much to be desired. We take some measure of satisfaction in having shut the barn door before the horse (the data, in this case) escaped, but while the door was open a horse thief sneaked in and is biding his time before leading our horse out the back door of the barn.

In this blog, I’ll review the problem; next week I’ll identify tools and processes that can help solve the problem.

Perimeter protection has advanced in effectiveness over the past few years. Firewalls, email anti-virus software, and intrusion prevention systems constantly defend our networks against known malware by matching digital signatures and other indicators. These defenses, however, have an Achilles heel: the so-called zero-day attack.

A zero-day attack exploits a vulnerability that neither the vendor nor the defensive tools have seen before, so there is no patch for it and no digital signature to guard against it. Developing a new exploit that can be used in a zero-day attack is big business. Hackers can sell these exploits for hundreds of thousands of dollars (see Figure 1).

In an effort to undercut this trade, some software vendors pay cash awards for reports of previously unknown vulnerabilities in order to take them off the market and issue a patch before criminals or those who engage in cyber espionage can exploit them. This activity sometimes takes the form of contests such as Pwn2Own, conducted under the auspices of the Zero Day Initiative, where substantial prize money is contributed by multiple legitimate vendors.

The irony of the NVD compromise is that the NVD is the primary worldwide reference for developers and administrators seeking the most current information on known vulnerabilities in the software they build on and deploy. If the NVD, sponsored by both NIST and the United States Computer Emergency Readiness Team (US-CERT), can be hacked, can we afford to be smug about our own perimeter defenses?


Figure 1: Source: The Economist, March 30, 2013

There is nothing particularly unique about the means a zero-day attack uses to elude perimeter defenses; the problem is that the defenses are not, at that moment in time, primed to recognize it as malware. The entry vector may be a phishing email, a drive-by download, a Trojan, a compromised USB stick picked up at a recent trade show, or one of many other methods.

If and when the vulnerability becomes known, it will be entered into the NVD and the appropriate software vendor will, after some delay for development and testing, release a patch. Perimeter defense software and appliances will likely be updated by their vendors to offer some protection to unpatched systems, but there will inevitably be a window of vulnerability between disclosure and patching. To minimize this window, patches should be applied as soon as they are available. In some cases, such as the recent Java exploits, it will be prudent to disable the affected functionality until patches are available. Keep in mind, though, what the NVD incident demonstrates: a patch closes the door against the next attacker, but it does nothing about an intruder who came through that door earlier.

For those of us unfortunate enough to be victims of a successful zero-day exploit, the malware now inside the perimeter begins its work and we, its victims, begin a journey of cyber pain not unlike Dante's descent into the Inferno. The malware may be programmed to lie low for a period of time or to begin work immediately. It will be built to disable or open pathways through our perimeter defenses so that it can communicate, typically over outbound channels the firewall already allows. It may call back to its command-and-control server for further instructions, or it may already be programmed to begin gathering data for exfiltration, especially if it is an advanced threat specifically designed for a high-value target (see Figure 2). The method and sophistication of the attack are limited only by the creativity of its maker. In any case, we are well and truly had at this point and need to seek out and destroy the malware before it can do further harm. Without skill and sophisticated tools we will lose critical data.
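The two behaviors described above, the periodic call-back to a command-and-control server and the bulk push of data out of the network, are both visible in outbound connection logs if someone looks for them. The script below is an added example of that kind of hunting; it is not the author's tooling, not part of the original post, and not any vendor's product. It reads a constructed, simplified log (one line per outbound connection: timestamp, source host, destination ip:port, bytes sent), flags source/destination pairs that connect on a near-fixed period, and flags pairs that send an unusually large volume. The log lines, the hostnames, and the thresholds are all assumptions made for the example.

```python
"""Hunting for implant beacons and bulk exfiltration in outbound connection logs.

Added example for this post, not the author's or any vendor's tooling. It reads a
constructed, simplified log (one line per outbound connection: timestamp, source
host, destination ip:port, bytes sent), then flags (a) source/destination pairs
that talk on a near-fixed period, the way a command-and-control beacon does, and
(b) pairs that push an unusually large volume out. Thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). ws-17 beacons to 203.0.113.10:443
# roughly every ten minutes with a few seconds of jitter, mixed with ordinary
# browsing; ws-22 pushes about 40 MiB to an external SSH host in one session.
# Addresses are from the RFC 5737 documentation ranges. The last line is
# deliberately malformed to show that the parser tolerates it.
SAMPLE_LOG = """\
2013-03-15T09:00:02 ws-17 203.0.113.10:443 612
2013-03-15T09:01:10 ws-17 198.51.100.5:80 2210
2013-03-15T09:10:05 ws-17 203.0.113.10:443 598
2013-03-15T09:12:44 ws-17 198.51.100.5:80 1840
2013-03-15T09:20:01 ws-17 203.0.113.10:443 620
2013-03-15T09:30:07 ws-17 203.0.113.10:443 605
2013-03-15T09:33:19 ws-17 198.51.100.9:443 3100
2013-03-15T09:40:03 ws-17 203.0.113.10:443 611
2013-03-15T09:50:04 ws-17 203.0.113.10:443 599
2013-03-15T10:00:06 ws-17 203.0.113.10:443 604
2013-03-15T10:05:00 ws-22 198.51.100.5:80 1520
2013-03-15T10:07:31 ws-22 203.0.113.77:22 41943040
2013-03-15T10:15:12 ws-22 198.51.100.9:443 2650
garbage line here
"""


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    bytes_out: int


def parse_log(text: str) -> list[Conn]:
    """Parse the simplified log; malformed lines are skipped rather than fatal."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            conns.append(Conn(ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return conns


def _by_pair(conns: list[Conn]) -> dict[tuple[str, str], list[Conn]]:
    pairs: dict[tuple[str, str], list[Conn]] = defaultdict(list)
    for c in conns:
        pairs[(c.src, c.dst)].append(c)
    return pairs


def find_beacons(conns: list[Conn], min_conns: int = 5, max_cv: float = 0.2) -> list[dict]:
    """Flag pairs whose inter-connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. Real implants add jitter, so max_cv is a tunable
    assumption, not a hard rule; min_conns keeps one-off repeats out of the list.
    """
    hits = []
    for (src, dst), group in _by_pair(conns).items():
        if len(group) < min_conns:
            continue
        times = sorted(c.ts for c in group)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all at the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(group),
                         "mean_interval": avg, "cv": cv})
    return hits


def find_bulk_transfers(conns: list[Conn], threshold: int = 10 * 1024 * 1024) -> list[dict]:
    """Flag pairs whose total bytes sent exceed threshold (default 10 MiB, assumed)."""
    hits = []
    for (src, dst), group in _by_pair(conns).items():
        total = sum(c.bytes_out for c in group)
        if total > threshold:
            hits.append({"src": src, "dst": dst, "bytes_out": total})
    return hits


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for b in find_beacons(conns):
        print(f"beacon? {b['src']} -> {b['dst']}: {b['count']} connections, "
              f"~{b['mean_interval']:.0f}s apart (cv={b['cv']:.3f})")
    for t in find_bulk_transfers(conns):
        print(f"bulk outbound: {t['src']} -> {t['dst']}: {t['bytes_out']} bytes")
```

On the sample data the beacon check singles out ws-17 talking to 203.0.113.10 every ten minutes or so, and the volume check singles out the 40 MiB session from ws-22. Against real proxy or firewall logs the same two questions apply, but the thresholds need tuning per environment, and a determined implant can defeat the regularity test by randomizing its sleep, which is why this is a starting point for a hunt rather than a verdict.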

The detection and remediation effort is, unfortunately, not an occasional one. There is no bat signal that warns us that malware is about. The very nature of a zero-day attack is its stealth, so we must constantly patrol for incursions. Next week, we'll discuss how to approach this challenge with confidence.

Figure 2: Source: CSO Online

Interested in learning more about cybersecurity? The GovDefenders Virtual Event is a free online cybersecurity conference on April 24. Join us from your desk as experts from NetApp, Symantec, ForeScout, Red Hat, Quest Software, SolarWinds, and DLT Solutions, discuss trends, best practices, and the future of public sector cybersecurity. Register today!