Re: [Dailydave] A change

From: Haroon Meer (haroonsensepost.com)
Date: Tue Jan 19 2010 - 04:30:09 CST


Hi Dave (all)

On 15 Jan 2010, at 20:39, dave <daveimmunityinc.com> wrote:
> ...... Perhaps the era of IDS and AV and scanners has come to an
> abrupt end? We can only hope.
>
> Everyone says an attack is "sophisticated" whenever any 0day is
> involved. But that should be the baseline. Or rather, it IS the
> baseline and everyone seems to just be finding out.
>
> One of the things Immunity has been including in our services but is
> now offering separately is a client-side 0day penetration test against a
> single host using CANVAS technology. You get your penetration verified
> during phone consultation. And you receive real-time analyst
> interpretation of results, plus delivery of log data at the end. For
> more information you can contact markimmunityinc.com.

I'm not usually the first person to defend IDS or AV, but contrasted
with a "client-side 0day penetration test against a single host" it
raises an interesting question.

If we do assume that 0day is the baseline, then surely a test that
exposes a host to a subset of 0day (without some sort of *cough*
heuristic defence or detection) achieves very little?

I.e. to misuse the quote, I would now know that I can be owned by known
(by CANVAS subscribers) unknowns, but it says nothing new of my
education/stance to the unknown unknowns. (If I assumed from the start
that 0day was the baseline, then I have learned nothing new from this
experience.)

If I was using the test to determine how my sandboxing worked, it
could make sense. If I was testing to see how my "anti exploitation
mechanisms" were working it could make sense. In the absence of any
sort of reactive defence, is there value in a semi-automated "click
here to get owned by 0day you can't currently defend against" type of
service?[1]

[1] Unless of course you are a vendor, and find it cheaper to capture
the CANVAS 0day list this way, instead of signing up for a subscription
__
Haroon Meer
haroonsensepost.com
+27 83 786 6637

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave