How do you defend specifically against attackers utilizing any or all of the commercial exploit kits?

Question

There are several commercial exploit kits available containing 0day vulnerabilities:

White Phosphorus Exploit Pack http://www.immunityinc.com/products-whitephosphorus.shtml
Agora Exploit Pack http://gleg.net/agora.shtml
VulnDisco Exploit Pack Professional http://www.intevydis.com/vulndisco.shtml
D2 Exploitation Pack http://www.immunityinc.com/products-dsquare.shtml
... plus many more

What are the techniques to defend against such kits short of purchasing each to learn what they contain?

Merged the following question with the one above:

What are techniques to defend against popular crimeware kits/packs? For example, the crimeware packs described on http://mipistus.blogspot.com/:

CrimePack Exploit Kit
Eleonore Exploit Pack
Phoenix Exploit Kit
Black Hole Exploit Kit
SpyEye
Siberia Exploit Kit
JustExploit Exploit Pack
YES Exploit Pack
... plus more

Another description of CrimePack by Brian Krebs.

score 9 · Answer 1 · answered Nov 12 '10 at 09:04

9

This is such a massive question that I think the only answer is going to be to practice a defence in depth approach to security. Start at the first point of contact and build up protection down the the very core.

In order to see what those type of kits are doing make sure you are logging and monitoring everything, this should give you some idea of what is happening.

answered Nov 12 '10 at 09:04

Toby

709
6
8

I think in order to practise defence in depth the org would have to download and test each crime pack to identify the specific vunerbilities that their network exposes. Auditing is part of the solution, but you need to know where to look in the logs. – Anonymous Type Nov 16 '10 at 22:59
The good thing is is that most of these exploit packs list the techniques they use, so you shouldn't necessarily have to run them yourself. – Rory Alsop Dec 27 '10 at 18:11

score 9 · Accepted Answer · answered Nov 14 '10 at 14:17

I defend myself by not running any of the apps targeted by any of those exploits.

I suggest elinks(1) on grsecurity Linux.

If you mean, "How do you defend a large organization filled with many users and systems running some, if not all, of the apps targeted by a massive list of exploit packs and crimepacks?", then the correct answer is to implement an information security management program that specifically includes a specialized risk management program focused on identifying exploit-packs/crimepacks and designing (and continually implementing and improving) a list of controls that specifically safeguard against them.

score 2 · Answer 3 · answered Nov 12 '10 at 11:59

2

As mentioned by @Toby, the best way to defend against 0day attacks is by defense-in-depth and audit trailing.

answered Nov 12 '10 at 11:59

Henri

1,525
10
11

How do you defend specifically against attackers utilizing any or all of the commercial exploit kits?

3 Answers3