As part of the process of compiling the data for Symantec’s Internet Security Threat Report (ISTR), we discuss which metrics are critical to defining trends in the threat landscape. We are constantly reassessing the validity of certain metrics and looking for opportunities to create new metrics. Our data collection capabilities have improved over the years with new acquisitions, new products, and new product features that allow us to track different types of data. It is a great benefit that Symantec is a company that has grown with the threat landscape. It is also a matter of internal policy with the ISTR team to rigorously question and debate the relevance and validity of what we’re reporting on. I’d like to take this opportunity to reflect a little bit on the process behind the creation of one of the new metrics for this report – zero-day vulnerabilities.
ISTR, Volume XI gave me an interesting research project – find the number of zero-day vulnerabilities. This seems like a fairly straightforward task, but prior to being asked to perform it, there just wasn’t any data…yet!
A little background on the data collection
Much of the vulnerability trends data in the ISTR comes from the same source that powers the public SecurityFocus vulnerability database. A team of threat analysts is devoted to the task of populating the database. This team analyzes every public vulnerability report, classifying it based on the type of vulnerability it is, its impact on various security properties, how it can be exploited, whether or not it has been fixed, who reported it, etc. Each vulnerability is also associated with a list of affected and unaffected products, fixes, and advisories.
This provides us with a rich set of data and metadata to analyze for the vulnerability trends that are discussed in the report. However, there’s just some data we don’t include, like whether or not a vulnerability is a “zero-day.” There is no flag in our database to track this information. So, if someone asks me how many zero-days we have observed, that presents a serious challenge. The data must be built from scratch and then correlated with our vulnerability database.
What is a zero-day vulnerability anyhow?
Before I started this project, I had my own intuitive understanding of what constituted a zero-day vulnerability. It loosely meant a public vulnerability that wasn’t fixed by the vendor and had exploit code and/or exploit activity associated with it. Holy Cow, Batman! That’s almost every Web application vulnerability that gets reported to Bugtraq! That’s setting the bar too low, so I had to rethink the criteria of what a zero-day is. I looked at projects that track this data and other people’s definitions and found that there isn’t really a consensus.
After batting this back and forth with other people, this is what was settled on:
A zero-day vulnerability is one for which there is sufficient public evidence to indicate that the vulnerability has been exploited in the wild prior to being publicly known. It may not have been known to the vendor prior to exploitation, and the vendor had not released a patch at the time of the exploit activity.
In other words, zero-day vulnerabilities are phantoms. An unknown quantity of zero-day vulnerabilities exists at any given moment, but once they’re exposed to the light they cease to be zero-day vulnerabilities. We can’t speculate on unknown zero-days because our data includes only those vulnerabilities that we know about. This means that we have to concentrate on zero-day vulnerabilities that have been “outed.” It is also an “in the wild” vulnerability because active exploitation is what makes zero-day vulnerabilities a concern.
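As an added example (not code from the original post, and not Symantec's database or tooling), here is how the definition above can be applied mechanically when separately collected exploit evidence is correlated with a vulnerability database that carries no zero-day flag; the record schema, identifiers and dates are all constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set

@dataclass
class VulnRecord:              # one database row (constructed schema, not SecurityFocus's)
    vid: str                   # hypothetical database identifier
    disclosed: Optional[date]  # date it became publicly known; None = not yet "outed"
    patched: Optional[date]    # vendor patch release date; None = still unpatched

@dataclass
class ExploitEvidence:         # public evidence of in-the-wild exploitation, joined by id
    vid: str
    first_seen: date           # earliest date exploit activity was observed

def is_zero_day(vuln: VulnRecord, first_seen: date) -> bool:
    """Exploited before public knowledge and unpatched at the time of the exploit activity; vendor awareness is not a factor."""
    if vuln.disclosed is None:
        return False           # phantom: unknown zero-days cannot be counted
    if first_seen >= vuln.disclosed:
        return False           # exploitation followed disclosure (the usual Bugtraq web-app case)
    if vuln.patched is not None and vuln.patched <= first_seen:
        return False           # a fix already existed when exploitation started
    return True

def zero_day_ids(vulns: Iterable[VulnRecord], evidence: Iterable[ExploitEvidence]) -> Set[str]:
    """Correlate exploit evidence with the database; return the ids that meet the definition."""
    by_id: Dict[str, VulnRecord] = {v.vid: v for v in vulns}
    earliest: Dict[str, date] = {}
    for ev in evidence:        # several sightings of one id: the earliest governs
        if ev.vid not in earliest or ev.first_seen < earliest[ev.vid]:
            earliest[ev.vid] = ev.first_seen
    return {vid for vid, seen in earliest.items()
            if vid in by_id and is_zero_day(by_id[vid], seen)}

# Constructed sample data: ids and dates are invented for illustration
SAMPLE_VULNS = [
    VulnRecord("V-1", date(2006, 9, 1), date(2006, 9, 20)),  # exploited before disclosure, patched later
    VulnRecord("V-2", date(2006, 7, 1), None),               # unpatched, but exploitation followed disclosure
    VulnRecord("V-3", date(2006, 10, 1), date(2006, 5, 20)), # silently fixed before exploitation was seen
    VulnRecord("V-4", None, None),                           # never publicly disclosed: a phantom
]
SAMPLE_EVIDENCE = [
    ExploitEvidence("V-1", date(2006, 9, 5)),
    ExploitEvidence("V-1", date(2006, 8, 15)),  # earlier sighting of the same vulnerability
    ExploitEvidence("V-2", date(2006, 7, 10)),
    ExploitEvidence("V-3", date(2006, 6, 1)),
    ExploitEvidence("V-4", date(2006, 11, 1)),
    ExploitEvidence("V-9", date(2006, 3, 3)),   # no matching database row: cannot be classified
]
```

Only V-1 survives the correlation; V-2 is the "almost every Web application vulnerability" case the definition is meant to exclude.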
Are zero-day threats becoming more prevalent?
The methodology we use to enumerate the number of zero-days is based on our ability to discover exploit activity in the wild. This raises the question of whether or not zero-days are truly more prevalent than they have ever been or whether we’re getting better at discovering them. I don’t think we can ever have a definitive answer about the number of unknown zero-day exploits that are disseminating in the wild at any given time. My gut tells me that they’ve been out there for some time and are probably more prevalent than the data indicates. We can extrapolate from the hard data that they are on the rise because public incidents are more common.
For all of the technological solutions that are being marketed to address the zero-day problem, very little is said about the human aspect of the solution. I think it is important to note that we’re better equipped to detect these incidents. Symantec as a company is better positioned than ever to detect these incidents. Enterprises are also more aware of these issues and are more capable of discovering these attacks internally. I think there is also an unprecedented trend in the degree to which organizations are able to cooperate with the vendors of their deployed security platforms and assets. We could all benefit from cultivating these relationships and putting more emphasis on developing policies and processes to address the zero-day concern. We should also be investing in the personnel who are on the front line so that they have the necessary skill sets to detect and mitigate these vulnerabilities.
To read about the zero-day vulnerabilities and other vulnerability trends, please check out Symantec’s Internet Security Threat Report, Volume XI.