Steven M. Christey wrote:
> One would hope that there is some critical mass (i.e. number of compromised systems) beyond which any in-the-wild 0-day would become publicly known.
We can't presume that all 0-day exploits will end up being widely observed and thus become well-known. This is not a valid presumption even if it ends up being true in practice, today.
The real challenge is for incident response forensics staff to equip themselves ahead of time with the necessary tools (and sources of forensic logs, including, for example, full packet capture logs of all network traffic within a rolling window time period that is as lengthy as possible) to be able to identify a 0-day exploit used as the source of entry for a one-off intrusion event.
Being able to detect, reliably, any changes made to configuration settings or on-disk and in-memory binaries altered by the intruder is good, too, but the capability to ascertain precisely what vulnerability got exploited to gain entry in the first place is critical to keeping the same well-prepared intruder out the second time around.
Some of the technical barriers to achieving full forensic awareness within the time period during which a relevant 0-day event occurred include the use of SSL and other encryption which bypasses simple packet capture logging (unless one's SSL engine also logs all session keys generated) and the processing power and storage space required to capture, store, and analyze such a large quantity of real-time and historical data. Not to mention the questionable probability that the log windows will be wide enough to contain useful information when an intrusion is finally noticed.
Dramatic improvements in this area of computer and network forensics would fundamentally alter modern information security. I do not see how any organization can believe itself to be adequately secured when the simple ability to prove security measures are working, and quickly determine the precise method of failure when they break down, essentially does not exist today.
Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx
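The change-detection capability the message calls for (a reliable record of alterations to configuration settings and on-disk binaries) is illustrated below as an added example; it is not part of the original message and not the poster's own code. It records SHA-256, size, permission mode and mtime for every regular file under a tree, then reports what was added, removed or altered relative to a saved baseline. The directory layout, file contents and the simulated intruder actions are constructed in a temporary directory so the script runs offline; the hashing catches a binary that was patched in place with its timestamp restored, which an mtime-only check would miss.

```python
"""Baseline-and-compare integrity check for configuration files and binaries.

Added illustration, not code from the original message. The sample tree
(etc/sshd_config, bin/login, bin/.hidden) and the simulated intrusion are
constructed here so the script runs stand-alone and offline.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file. sha256 is the authoritative signal; mode and
# mtime are cheap extras that also expose permission and timestamp tampering.
TRACKED = ("sha256", "size", "mode", "mtime")


def file_record(path: Path) -> dict:
    """Hash the file contents and capture size, permission bits and mtime."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its record."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):   # os.walk lists dotfiles too
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():                    # hash targets, not links
                continue
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (with the attributes that differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        diffs = [k for k in TRACKED if old[k] != new[k]]
        if diffs:
            changed[name] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate an intrusion, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        cfg = root / "etc" / "sshd_config"
        cfg.write_text("PermitRootLogin no\n")
        binary = root / "bin" / "login"
        binary.write_bytes(b"\x7fELF" + b"\x00" * 60)  # constructed stand-in
        os.chmod(binary, 0o755)

        baseline = build_baseline(root)   # in practice: store this off-host

        # Simulated intruder: weaken a setting, patch the binary in place with
        # the same size and a restored mtime, and drop a hidden file.
        st = binary.stat()
        cfg.write_text("PermitRootLogin yes\n")
        binary.write_bytes(b"\x7fELF" + b"\x90" * 60)
        os.utime(binary, (st.st_atime, st.st_mtime))
        (root / "bin" / ".hidden").write_text("dropped by intruder\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for section, items in demo().items():
        print(f"{section}: {items}")
```

The baseline must live somewhere the intruder cannot rewrite (a signed copy off-host, or read-only media), otherwise a well-prepared attacker simply regenerates it after modifying the system; and because the comparison is content-based, the patched binary shows up even though its size and mtime were preserved.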