Resolution to zero-day debate not in cards for foreseeable future
Logan Brown and Ted Ross weigh in with ThreatPost
ThreatPost, April 22 2016 | Was the Federal Bureau of Investigation justified in paying over $1.3 million for a hacking tool that opened the iPhone 5c of the San Bernardino shooter? For some in the security community, the answer is a resounding yes. For others, the answer is not so clear-cut.
Ted Ross, CEO of Exodus Intelligence, which runs its own vulnerability purchasing program, is in favor of the FBI’s reliance on the zero-day community. He said it is unrealistic to think that the US government alone can solve cyber security issues. “A solution (in cases like this) will only work with good collaboration between government and industry,” Ross said.
“I would actually think this is much more cost efficient to purchase the capability rather than it would be to hire, train and retain the talent capable of such research,” said Logan Brown, president of Exodus Intelligence. “There is a very finite number of people in the world that can do this research. Recruiting, paying, and retaining these elite few is no easy or cheap task.”
May 1-4, Exodus Intelligence will be in attendance at the 2016 FS-ISAC Annual Summit, one of the FS-ISAC’s major conferences. Attendees include security technology companies, DHS and other government agencies, and of course many financial institutions. This is a major industry forum for collaboration on critical security threats facing the global financial sector. The FS-ISAC is known as the most influential ISAC group, with multiple other ISACs replicating its direction.
Exodus Intelligence will be pleased to meet with customers in attendance at this event. Please email firstname.lastname@example.org if you are attending the event and would like to meet.
On May 17, Exodus representatives will be in London to attend the 2nd NATO – Industry Threat Vector Analysis Workshop. Several themes will be discussed, such as:
- NATO and industry views of current and emerging threats
- Making the Threat Intelligence data actionable
- Practical outcomes
We look forward to discussions regarding the expanding threat landscape with NATO and UK Government officials.
Exodus partners with Cisco
Exodus now has a formal joint research relationship with Cisco. As a result, we are able to sell and distribute thoroughly tested Snort signatures for our 0-day and N-day vulnerabilities.
Snort is an open source network-based intrusion detection system (NIDS) that performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and matching. These basic services have many uses, including application-aware triggered quality of service. Coupled with Exodus 0-day/N-day signatures, this feature allows customers to slow down attack traffic without alerting the attacker (for example, rate-limiting so that large file transfers cannot complete), which buys time for take-down operations.
Snort can also detect probes and attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, and stealth port scans.
Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program reads network packets and displays them on the console. In packet logger mode, the program logs packets to disk. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user, then performs a specific action based on what has been identified. Applying 0-day/N-day signatures in these modes allows for detection and remediation of advanced threats.
The beautiful thing about Snort is that most defense/detection products can consume Snort signatures in some manner. The Exodus 0-day and N-day vulnerabilities are now easily made actionable through the use of these signatures.
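To make the intrusion detection mode described above concrete, here is a toy Snort-style rule matcher. It is an added example written for this page, not Snort itself and not an Exodus signature: it parses a rule header plus the msg, content (including Snort's |hex| byte notation) and sid options, applies the rules to a few constructed packets, and reports the action each rule would take. The rules, hosts (RFC 5737 documentation addresses) and payloads are all constructed samples.

```python
"""Toy Snort-style rule matcher (constructed example, not Snort itself)."""
import re
from dataclasses import dataclass, field

# Snort rule header layout: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)


def decode_content(text):
    """Snort content syntax: literal text with |hex bytes| sections, e.g. 'GET |2e 2e 2f|'."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2:  # odd-numbered chunks sit between pipes and hold hex bytes
            out += bytes.fromhex(chunk)
        else:
            out += chunk.encode()
    return bytes(out)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto, src, sport, dst, dport)
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append(decode_content(val))
        elif key == "sid":
            rule.sid = int(val)
    return rule


def _port_ok(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if sep:  # range form such as "1024:65535"
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def _addr_ok(spec, addr):
    return spec == "any" or spec == addr


def match_packet(rules, pkt):
    """Return (action, sid, msg) for every rule the packet triggers, in rule order."""
    hits = []
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_ok(r.src, pkt.src) and _addr_ok(r.dst, pkt.dst)):
            continue
        if not (_port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)):
            continue
        if all(c in pkt.payload for c in r.contents):  # every content must appear
            hits.append((r.action, r.sid, r.msg))
    return hits


# Constructed rules: one alerts on a traversal pattern, one drops a known-bad source.
SAMPLE_RULES = [parse_rule(l) for l in [
    'alert tcp any any -> any 80 (msg:"constructed: traversal pattern in request"; '
    'content:"GET /"; content:"|2e 2e 2f|"; sid:1000001;)',
    'drop ip 198.51.100.77 any -> any any (msg:"constructed: blocked source"; sid:1000002;)',
]]

# Constructed packets.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 44123, "192.0.2.10", 80, b"GET /../../secret.txt HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.5", 44124, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("udp", "198.51.100.77", 5353, "192.0.2.10", 53, b"\x00\x01"),
]


def run_sample():
    return [match_packet(SAMPLE_RULES, p) for p in SAMPLE_PACKETS]
```

The real Snort engine does far more (preprocessors, stream reassembly, offsets and distance modifiers on content matches), but the shape is the same: a header that narrows traffic by protocol and address, content checks over the payload, and an action that downstream products can act on.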
Exodus is proud to announce that we have implemented new data and delivery mechanisms for machine-to-machine connections. We are now able to share Exodus metadata with various threat intelligence platforms using STIX, CybOX and TAXII, in addition to our API.
We chose to embrace STIX/TAXII due to the direction of DHS and the industry at large. From the US-CERT website: “The DHS Office of Cybersecurity and Communications, National Cybersecurity and Communications Integration Center, and US-CERT are leading efforts to automate and structure operational cybersecurity information sharing techniques across the globe:
- TAXII™, the Trusted Automated eXchange of Indicator Information
- STIX™, the Structured Threat Information eXpression
- CybOX™, the Cyber Observable eXpression
International in scope and free for public use, TAXII, STIX and CybOX are community-driven technical specifications designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense and sophisticated threat analysis.”
For more details, please visit:
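As an added illustration of what "sharing metadata using STIX and CybOX" looks like on the wire, the block below builds a minimal STIX 1.2 package containing indicators with CybOX address observables and then reads the indicators back out, using only the Python standard library. It is example code written for this page, not Exodus' feed format or the TAXII transport itself; the package and indicator ids, titles and addresses are made up.

```python
"""Build and read back a minimal STIX 1.2 / CybOX 2.1 indicator document.

Constructed example; ids, titles and addresses are fictitious.
"""
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keeps the conventional prefixes on output


def q(prefix, tag):
    """Clark-notation qualified name for ElementTree."""
    return f"{{{NS[prefix]}}}{tag}"


def build_package(package_id, indicators):
    """indicators: list of (indicator_id, title, ipv4_address). Returns XML bytes."""
    pkg = ET.Element(q("stix", "STIX_Package"), {"id": package_id, "version": "1.2"})
    inds = ET.SubElement(pkg, q("stix", "Indicators"))
    for ind_id, title, ip in indicators:
        ind = ET.SubElement(inds, q("stix", "Indicator"),
                            {"id": ind_id, q("xsi", "type"): "indicator:IndicatorType"})
        ET.SubElement(ind, q("indicator", "Title")).text = title
        obs = ET.SubElement(ind, q("indicator", "Observable"), {"id": ind_id + "-obs"})
        obj = ET.SubElement(obs, q("cybox", "Object"), {"id": ind_id + "-obj"})
        props = ET.SubElement(obj, q("cybox", "Properties"),
                              {q("xsi", "type"): "AddressObj:AddressObjectType",
                               "category": "ipv4-addr"})
        ET.SubElement(props, q("AddressObj", "Address_Value")).text = ip
    return ET.tostring(pkg, encoding="utf-8", xml_declaration=True)


def extract_addresses(xml_bytes):
    """Consumer side: pull (indicator id, title, address) triples out of a package."""
    root = ET.fromstring(xml_bytes)
    results = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for addr in ind.iterfind(".//AddressObj:Address_Value", NS):
            results.append((ind.get("id"), title, addr.text))
    return results


# Constructed indicators (RFC 5737 documentation addresses).
SAMPLE_INDICATORS = [
    ("example:indicator-1", "constructed: scanner seen against customer edge", "203.0.113.44"),
    ("example:indicator-2", "constructed: callback address from sandbox run", "198.51.100.9"),
]


def round_trip():
    return extract_addresses(build_package("example:package-1", SAMPLE_INDICATORS))
```

A TAXII client would carry the serialized package as the content block of a poll response or inbox message; the consumer-side function is what a threat intelligence platform runs to turn that XML into indicators it can act on.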
CPE identifiers and CVSS scores
Along with the new Exodus metadata, we are now able to provide CPE (Common Platform Enumeration) identifiers and CVSS scores. This allows our customers to understand when new Exodus vulnerabilities could impact their specific applications (through the use of a threat intelligence platform), making both the 0-day and N-day vulnerabilities relevant to our customers’ environments.
Joel Bagnal: Government Security Consultant
Over the past seven years, Joel has served in cybersecurity leadership roles with Extenix LLC, Detica Inc., BAE Systems and L-3 Communications. Previously, Joel served as the Deputy Assistant to the President of the United States for Homeland Security and Counterterrorism, holding key roles as chair of the Homeland Security Council Deputies Committee and co-chair of the Counterterrorism Security Group. During his tenure, Joel developed the National Strategy for Homeland Security and Presidential Directives on cybersecurity, continuity of government, incident management, public health and medical preparedness, information sharing, and emergency preparedness planning. Additional roles include the Special Assistant to the President for Homeland Security, Senior Director for Threat Countermeasures Incident Management and Emergency Preparedness, and Chief of Staff and Executive Secretary of the Homeland Security Council. He also served as the Special Assistant to the President and Senior Director for Domestic Counterterrorism where he held a key role as the principal advisor to the Assistant to the President for Homeland Security for all matters pertaining to prevention of terrorism against the United States homeland. Moreover, Joel coordinated national response actions to terrorist threats and incidents that impacted homeland security including adjustments to the National Threat Level.
Mario Pirker: Security Researcher
Mario comes from a mixed background of security and software engineering. At Barracuda Networks, he focused on a range of Linux kernel-mode development work, as well as vulnerability assessment and reverse engineering. His primary areas of research center on vulnerability discovery and exploitation. We are excited to have Mario on the Exodus N-Day team!
Terry Smith: VP of Business Development
Terry Smith joined the company on April 18th to help build the technology alliances and partnership program. Terry recently left IBM, where he was the dedicated Big Data and Analytics account executive for the HP account. Prior to IBM, Terry held business development and sales leadership roles with Fortify Software, VeriSign, iDEFENSE and McAfee. He brings over 18 years’ experience in technology sales, strategic alliances and business development to the Exodus team. In his spare time, he likes to play golf, travel and spend time with his wife and daughter.
Exodus is currently accepting applications for Zero-day and N-day researchers as well as qualified candidates for our Spring 2016 Internship program hosted at our Headquarters in Austin, Texas.