“The early bird gets the worm” or “Can you be faster than FUD?”
This is an old saying and, like most old sayings, it bears some truth: the first one to notice an opportunity does indeed have an advantage. But I don’t want to philosophize about “ancient wisdom” or anything of the sort; I want to address a quite up-to-date topic: 0-day prevention, early warning systems, heuristic detection, and how fast you have to be to catch worms and 0-day exploits.
A lot of security vendors and open source security projects provide a very fast response to emerging threats. New worms and malware are detected quickly after they appear in the wild, and signature patterns are updated a couple of times daily. So you should be safe. Really? How much of your resources would you spend on 0-day prevention, and how effective is it? We have learned from some targeted high-profile attacks that there is room enough to slip through the net and break through virtually any cyber-defense (see our recent blog article about collateral damage).
The “FUD” I mentioned in the title doesn’t refer to the marketing strategy of spreading “Fear, Uncertainty and Doubt”; it refers to a quality attribute of malware, especially of packers: “Fully Undetectable”. Packers are pieces of software which obfuscate worms and malware in a way that makes detection complicated and unlikely. These packers belong to the best maintained software packages I’ve ever seen, and browsing through the shallow waters of the “Deep Internet” you see lots of offers for daily updated FUD packers and even “care-free packages” including a license for the packer, “bullet-proof” C&C servers and drop zones for the cyber-loot. One-stop malware has become a convenience product.
So it seems to me that the worms are getting faster than the birds. An evolutionary arms race has emerged which, like some examples from wildlife ecosystems, will demand more and more resources on either side. Richard Dawkins points this out in his book “The Blind Watchmaker” and illustrates it with the example of the cheetah and the gazelle:
[…] the case of cheetahs and gazelles, where cheetahs evolve to be better at hunting and killing while gazelles evolve not to hunt and kill, but rather to evade capture.
The situation is a positive feedback system which will lead to exhaustion of resources on one of the two sides. The cheetah has already arrived at a point where the number of hunting attempts is limited. With a kill-per-hunting-attempt ratio of roughly 10% to 20% and reduced energy reserves to save weight, the cheetah is sailing very close to the wind: a few failures too many and the animal is completely exhausted, further reducing the chances of a successful hunt. Will we continue to mimic the cheetah, or are there better ways, like writing more stable code or changing our prey (changing the focus of our defenses)?
0-days are responsible for less than 1% of security incidents according to the Microsoft Security Intelligence Report, which raises the question of whether spending significantly more than 1% of your security resources to mitigate a rather low number of incidents is worthwhile. You have to know what your potential opponent is up to and what the likelihood of the greatest possible loss is in order to make a wise decision.
If you have some detailed insight, papers, research or strategies on this topic: we still accept proposals for our DeepINTEL conference in late summer 2012: