[Full-disclosure] On the "0-day" term

Jason Coombs jasonc at science.org
Tue Feb 14 06:45:32 GMT 2006


Steven M. Christey wrote:
> One would hope that there is some critical mass (i.e. number of
> compromised systems) beyond which any in-the-wild 0-day would become
> publicly known.

We can't presume that all 0-day exploits will end up being widely 
observed and thus become well-known. This is not a valid presumption 
even if it ends up being true in practice, today.

The real challenge is for incident response forensics staff to equip 
themselves ahead of time with the necessary tools (and sources of 
forensic logs, including, for example, full packet capture logs of all 
network traffic within a rolling window time period that is as lengthy 
as possible) to be able to identify a 0-day exploit used as the source 
of entry for a one-off intrusion event.

Being able to detect, reliably, any changes made to configuration 
settings or on-disk and in-memory binaries altered by the intruder is 
good, too, but the capability to ascertain precisely what vulnerability 
got exploited to gain entry in the first place is critical to keeping 
the same well-prepared intruder out the second time around.

Some of the technical barriers to achieving full forensic awareness 
within the time period during which a relevant 0-day event occurred 
include the use of SSL and other encryption which bypasses simple packet 
capture logging (unless one's SSL engine also logs all session keys 
generated) and the processing power and storage space required to 
capture, store, and analyze such a large quantity of real-time and 
historical data. Not to mention the questionable probability that the 
log windows will be wide enough to contain useful information when an 
intrusion is finally noticed.

Dramatic improvements in this area of computer and network forensics 
would fundamentally alter modern information security. I do not see how 
any organization can believe itself to be adequately secured when the 
simple ability to prove security measures are working, and quickly 
determine the precise method of failure when they break down, 
essentially does not exist today.

Sincerely,

Jason Coombs
jasonc at science.org
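One concrete piece of the capability Coombs asks for, detecting changes to configuration files and on-disk binaries, is a file-integrity baseline: record a digest, size and permission bits for every file before an incident, then diff a later snapshot against it. The block below is an added example, not code from the original post or its author; the directory tree, file names and "before/after" contents are constructed purely to exercise the comparison, and the tamper cases (a config edit, a same-size binary swap, a permission-only change, a dropped file, a deleted file) are hypothetical.

```python
"""
Added example (not from the original post): a minimal file-integrity
baseline and diff for the "detect changes to configuration settings or
on-disk binaries" capability discussed in the thread. All paths and file
contents below are constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Walk `root` and record (sha256, size, mode) for every entry.

    Symlinks are not followed (lstat), so a link swapped in for a binary
    shows up as a changed entry instead of being hashed through to its
    target. Non-regular files get a type marker instead of a digest.
    """
    records = {}
    root_path = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root_path).as_posix()
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            if not stat.S_ISREG(st.st_mode):
                records[rel] = ("<non-regular>", st.st_size, mode)
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            records[rel] = (h.hexdigest(), st.st_size, mode)
    return records


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified relative paths (sorted lists).

    A file counts as modified if its digest, size or permission bits
    differ, so a same-size content swap and a chmod-only change are both
    reported.
    """
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("constructed banner\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF" + b"A" * 20)
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"B" * 20)
        os.chmod(root / "bin" / "login", 0o755)
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = snapshot(tmp)

        # Hypothetical post-incident state:
        #  - config setting flipped (content change, size also changes)
        #  - bin/login replaced with same-size, same-mode content
        #  - bin/ls made world-writable, content untouched
        #  - a new hidden file dropped, and motd deleted
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF" + b"C" * 20)
        os.chmod(root / "bin" / "ls", 0o777)
        (root / "bin" / ".hidden").write_text("x")
        (root / "etc" / "motd").unlink()
        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline only has evidentiary value if it is stored off the monitored host (or on write-once media) and taken before any intrusion; a baseline an intruder can rewrite proves nothing. It also says nothing about in-memory changes, which the post lists separately and which need a memory acquisition step this example does not cover.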



Full-Disclosure is hosted and sponsored by Secunia.