
Let's say someone has sensitive information on their computer and is a potential target of 0-day exploits/attacks.

Assuming that they follow conventional security advice (using a firewall, antivirus, encryption, and an updated operating system), are there any other ways to help defend or protect against 0-day exploits and attacks?

Verbal Kint
    This question is much too general. If you have a specific question on how to protect against specific attacks, such as 0-days, that's a somewhat more narrow and answerable question. – Verbal Kint Aug 23 '16 at 18:29
    Without knowing the details this becomes very hard to answer. What type of projects? What is an advanced user? Is such a person aware of the threats? Also, why would a 0-day be more likely in a specific region? – Yorick de Wid Aug 23 '16 at 18:29
  • @YorickdeWid good point on the regional 0-day lunacy. Although I would argue that as network infrastructure increases, the threat of 0-days increases. Even automated bots aren't going to wait around for a snail-paced dial-up connection coming from the middle of nowhere. – Verbal Kint Aug 23 '16 at 18:54
  • @VerbalKint Yes there are exceptions. Another one being a government driven specific target, eg.. 'anyone around Tehran'. Unrelated to this topic ofc. – Yorick de Wid Aug 23 '16 at 19:02
  • We can help you with specific threats or concerns, but "how does one secure a computer?" is too vague and general to answer. – schroeder Aug 23 '16 at 19:07
  • @Verbal Kint I will modify my question to fit into this category then (0-days). @Yorick de Wid That can be a military project, for example; an advanced user is someone who knows more than the basics (knows the underlying workings of a computer, is aware of how malware propagates, is conscientious about what he is doing, etc.). This person is not aware but can be relatively suspicious because of what he is working on; the 0-day is deployed in a specific region because the attacker knows that the region can potentially house multiple people working on the same secret project – Bin Laden's son Aug 23 '16 at 19:09
  • @cnn That is very relevant to the question, so add that to the topic :) – Yorick de Wid Aug 23 '16 at 19:11
  • Sure, use an air-gapped network. Glue-up the USB ports and remove the CD-ROM drive. – Neil McGuigan Aug 23 '16 at 19:20
  • @NeilMcGuigan I admire the creativity, but even then a computer can be used to transmit and receive information. There are actually stories of the NSA listening to variations in fan speeds on air-gapped networks to extract data. If you want a 100% secure computer, buy a rock. – Verbal Kint Aug 23 '16 at 19:25
  • @VerbalKint the question was about avoiding getting 0-days, not exfiltration. Put the computer in a sound-proof room with a Faraday cage :) – Neil McGuigan Aug 23 '16 at 19:27
  • @NeilMcGuigan, ah, but you forget about other forms of radiation and light. I could shine x-rays right through the Faraday cage and machine, measure the amount of radiation that is reflected off of bits on the hard drive, grab the encrypted data, and then do the same thing to the memory to grab the keys. – Verbal Kint Aug 23 '16 at 19:39
  • @VerbalKint ah, but you forgot about the armed drone-copters with X-Ray detectors coming to get you... – Neil McGuigan Aug 23 '16 at 19:41
  • @NeilMcGuigan It's a shame those drone-copters don't have Faraday cages >:) – Verbal Kint Aug 23 '16 at 19:59

2 Answers


Unfortunately, the risk with 0-day attacks is that you don't know what they can do or what they will do. Even if you have an up-to-date operating system, firewall, antivirus, and even full-disk encryption, a fault in any of these could potentially give an attacker access to your system and your data.

With that in mind, discovering 0-days is always a race between the good guys and the bad guys. The bad guys want to find vulnerabilities and exploit them, while the good guys work to patch any suspected vulnerabilities through constant code reviews, audits, and penetration tests.

One argument that could be made is that software released by trusted vendors like Microsoft, Apple, or Google, because they have obscene amounts of money to throw at security, is much less likely to have vulnerabilities than the average third-party application. And even if a malicious hacker finds a vulnerability in the software, it still takes time to conduct research and develop an exploit that can target computers on a large scale, giving security researchers more time to find and fix the issue.

But ultimately, the fact is that no computer is 100% secure, and Murphy's law holds true. Anything that can go wrong will go wrong.

If this is a matter of secure storage, then there is something to be said about encrypting data and keeping offsite encrypted backups, without an internet connection that hackers could use to exploit a system and get to the potentially encrypted data. Or there are always typewriters and safes. But conventional software and IT security can only go so far, especially when dealing with the unknown.

Realistically though, the majority of viruses are going to target old, unpatched machines with no firewall. Unless hackers are specifically targeting a victim's machine, it is much more likely that they will go after the thousands if not millions of unpatched and vulnerable computers out there. And if they are directly targeting the victim, there are other ways of getting information out of them: https://xkcd.com/538/

Verbal Kint
  • A ton of topics with the same answer every time: we can't do anything. I was looking for a more optimistic answer, like using a HIDS, using whitelisting software, etc. I've not posted this question on Philosophy SE or Theoretical Computer Science SE, and no, I don't want a 100% secure system; I know this is not possible. For example, in the recent Equation Group attack the malware used a 0-day vulnerability to propagate but dropped an unsigned file in the system32 folder – Bin Laden's son Aug 23 '16 at 19:38
  • Insanity is doing the same thing over and over again and expecting different results. Sorry bud. – Verbal Kint Aug 23 '16 at 19:40
  • I don't understand your comment? – Bin Laden's son Aug 23 '16 at 19:43
  • But at least you can be thankful that AI algorithms aren't widely implemented by hackers yet. Just imagine if instead of security researchers and black-hat hackers constantly rushing to find new exploits manually, we have artificial intelligence bots that can duke-it-out at the speed of light. – Verbal Kint Aug 23 '16 at 19:43
  • It's a quote by Einstein. If you've found the question asked before, there's no point in asking it again and expecting a different answer. – Verbal Kint Aug 23 '16 at 19:44
  • This is the first time that I ask this question and I was hoping my question was different from the others, but apparently not. Basically what I can do is pay for an AV and pray... I'm sure there are ways to minimize the risk and that is what I wanted to know, and what about solutions that stop code injection or disabling the possibility of installing new kernel modules, etc.? – Bin Laden's son Aug 23 '16 at 19:59
  • I understand, but it also seems like you know how to mitigate computer security risks in general. The problem is that you're dealing with the unknown, a dynamic attack which can target static defenses. But happy to help, and if you could mark this question as answered it would be greatly appreciated. – Verbal Kint Aug 23 '16 at 20:01
  • Yes, I really appreciate your answer and will mark it as answered, but I'll wait for potential other (better) responses. The attacker is also dealing with the unknown because the target is potentially indistinguishable from the masses in the country, but saying nobody can do anything against it is like saying let's wait for this 0-day and get rekt (after it's been used against hundreds of people) and leave our systems like they are (a basic antivirus...) – Bin Laden's son Aug 23 '16 at 20:13
  • The NSA doesn't seem to think much of the argument that big companies make more-secure software: https://assets.documentcloud.org/documents/3031637/pages/FOXACID-OVERALL-BRIEFING-Third-Revision-Redacted-p19-normal.gif – Alexander O'Mara Aug 23 '16 at 20:21
  • @AlexanderO'Mara, this is probably room for extended discussion. But you do have a valid point. It is also entirely possible that the extra security implemented by major companies is only ever equaled or slightly surpassed by eager attackers looking to get in. The more something is worth hacking into, the more money companies are willing to spend to secure it – Verbal Kint Aug 23 '16 at 20:23
  • Exactly, no persistence possible with whitelisting software, or the lifetime will be reduced with a folder integrity checker for new or altered PE files. Fanny was in the wild for more than 5 years, but the lifetime could have been less if the majority of people out there were not relying only on their AV and saying we can't do anything against 0-days. And I have no idea what "room for extended discussion" is; I've already heard of it but still don't know... – Bin Laden's son Aug 23 '16 at 20:30
  • Room for discussion is just a phrase or saying. I'm not using room as in the noun "room", but rather saying that Alexander's question could merit a larger/extended conversation on that specific topic. For example, if a father was talking to their son's teacher, and the teacher said that the boy had "room for improvement", the teacher is saying that the son could do better in school. – Verbal Kint Aug 23 '16 at 20:36

I concur with the comments made about the question being "too broad". I also agree with the statement that when it comes to 0-day exploits we don't have the appropriate countermeasures in place. That is, when we observe the pieces of infrastructure those exploits are targeting in isolation.

However, one could conceive of a case in which even though the exploit delivered does not have signatures/patches yet, the methods of delivery of said exploit or other characteristics of the attack might not be as novel.

This paper on the Cyber Security Kill Chain model is old but gold.

It basically pivots around the idea that intrusion can be modelled in such a way that several (very rough) layers can be defined and elements of X,Y or Z campaign might have been seen in the past (liabilities) and can be leveraged to detect advanced intrusion attempts.

The proposed layers are:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control (C2)
  7. Actions and Objectives

Bear in mind that these layers are not as neat in practice, or organizations might not be able to identify which ones took place or at what stage the intrusion was detected.

The paper makes a "proposal" for countermeasures based on each stage of the intrusion model.


It later goes on to put forth a campaign analysis thought exercise with some useful graphs.


Let me know if I am on the right track at all.

dotproi
  • A near perfect answer and I love how you have approached the problem. I put your answer as accepted but if another better answer come up it's possible this will change, thanks :) – Bin Laden's son Aug 23 '16 at 21:10