Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday March 21 2017, @05:53AM   Printer-friendly
from the keep-it-to-yourself dept.

RAND corporation recently received rare access to study a couple hundred 0-day vulnerabilities and their exploits.

It turns out that 0-day vulnerability discoveries live for about 6.9 years, and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.

The report (summary and full text[PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by vux984 on Tuesday March 21 2017, @06:02AM (7 children)

    by vux984 (5045) on Tuesday March 21 2017, @06:02AM (#481978)

    "and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap."

    Wait ... HOW did they find THAT out? Did Russia or China give them a stack of their stock-piled zero-days so they could compare to the CIA/NSA ones?? I mean seriously... what possible methodology are they using here? I don't get it.

    But if its true then we should logically be using ours to steal theirs and then notify the manufacturers/vendors etc about them; so that they get closed. I mean, if there really isn't much overlap, then closing discovered foreign owned 0-days down should be a priority for the NSA... that is half their mandate after all. Why aren't they releasing a steady stream of foreign-discovered 0-days to 'our team'.

    Starting Score:    1  point
    Moderation   +3  
       Insightful=3, Total=3
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @06:21AM

    by Anonymous Coward on Tuesday March 21 2017, @06:21AM (#481983)

    The PDF explains it well. There are a bunch of fancy statistics, particularly relating to lifetime. The weakest assumption is that the set of vulnerabilities found in the private set of about 200 is of a similar nature as the ones that are public. Still, it's not a bad assumption, especially given the known properties of that set of vulnerabilities. From there we may compute the chance that a pair of adversaries will discover the same bugs or different bugs.

    The NSA may well be releasing a steady stream of foreign-discovered 0-days to 'our team'. There is no way they'd take credit for it. Probably they'd use anonymous bug reports to the vendor.

  • (Score: 2) by fadrian on Tuesday March 21 2017, @01:14PM (2 children)

    by fadrian (3194) on Tuesday March 21 2017, @01:14PM (#482090) Homepage

    Wait ... HOW did they find THAT out? Did Russia or China give them a stack of their stock-piled zero-days so they could compare to the CIA/NSA ones?? I mean seriously... what possible methodology are they using here? I don't get it.

    You could get lists of your allies' 0-days and compare to them to see if there was much overlap, too. Well, you could if we had any allies anymore... Thanks, Trump!

    --
    That is all.
    • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:45PM

      by Anonymous Coward on Tuesday March 21 2017, @01:45PM (#482111)

      Obvious questions:

      Where did Rand get the data and why would they expect the source to be truthful?

      The analysis seems to be about an 'us' versus 'them' pair. this results in a small overlap which leads to holding our zero day's.
      It seems like in the real world, there are many 'them's with varying degrees of visibility.
      How could the information source know that the 'them' they provided data for is representative of the whole situation?

      The elephant in the room is that there are so many bugs and so little time.
      Aside from finding and outing zero day's, what can be done to address this situation?
      This report seems to say that the best action is to continue the current situation.
      Unfortunately, that makes everybody's computer a war zone.
      There must be a better path.

    • (Score: 2) by tangomargarine on Tuesday March 21 2017, @02:29PM

      by tangomargarine (667) on Tuesday March 21 2017, @02:29PM (#482150)

      Assuming of course you trust said allies to give you the complete list, which would be doubtful, Trump or no.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @04:40PM (2 children)

    by Anonymous Coward on Tuesday March 21 2017, @04:40PM (#482232)

    "and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap."

    Wait ... HOW did they find THAT out? Did Russia or China give them a stack of their stock-piled zero-days so they could compare to the CIA/NSA ones?? I mean seriously... what possible methodology are they using here? I don't get it.

    Because it's the NSA's (and others') job to know this, and they are much better at it than a random armchair spy on the internet.

    Truthfully I don't know how they know, but several ways I can think of are:
    1) Their 0-day exploits have clear signatures (e.g. recognizable internet traffic patterns), and they don't see them in domestic networks.
    2) The have out-of-channel sources of information (e.g. compromising some of the authors or discoverers of the 0-day exploits)
    3) They set up honey-pots, and look for how they are compromised
    4) They look at historically discovered 0-day holes and extrapolate from them
    5) Compare between "friendly" organizations (e.g. NSA can talk to CIA and others) to compare and contrast what exploits they have independently discovered, and extrapolate from that

    You know... the exact some thing that security firms do to locate security holes...

    • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @05:08PM

      by Anonymous Coward on Tuesday March 21 2017, @05:08PM (#482245)

      It's #4 and #5, with multiple ways of estimating and lots of statistics.

    • (Score: 3, Insightful) by vux984 on Tuesday March 21 2017, @09:41PM

      by vux984 (5045) on Tuesday March 21 2017, @09:41PM (#482416)

      1) Their 0-day exploits have clear signatures (e.g. recognizable internet traffic patterns), and they don't see them in domestic networks.

      Most exploits 'stockpiled' aren't going to be visible, and when deployed very narrowly targeted. There's not going to be much to see nor when to see it.

      2) The have out-of-channel sources of information (e.g. compromising some of the authors or discoverers of the 0-day exploits)
      3) They set up honey-pots, and look for how they are compromised

      Safe to assume both sides are working those angles, and that's going to result in an *increase* in overlap; as one sides 0-days get added to the arsenal of the other side.

      4) They look at historically discovered 0-day holes and extrapolate from them
      5) Compare between "friendly" organizations (e.g. NSA can talk to CIA and others) to compare and contrast what exploits they have independently discovered, and extrapolate from that

      It get tricky because you are polluting the well; seeing the others exploits, even if they were independently developed is going to guide what you look for in future for your own, making your future independently developed exploits...somewhat less independent. Would you have found X if you hadn't seen the other guys Y... etc. Plus western hackers might have the same general approaches and even cross-contamination of staff over time so there might be more overlap between CIA and NSA than you'd find elsewhere.

      And for a lot of bigger exploits like remote root through the browser its a chain of exploits. So even if only one element in the chain is common to both parties exploit kit fixing that element will shutdown both chains.

      Then there is also that exploits aren't developed in isolation -- they'll be drawing from what is publically released, and again that contaminates the independence if they are both approaching targets with starting points that contain many of the same 'script kiddie' and or 'black market' exploits -- because how do you know the market isn't selling to the stockpiles on both sides. Again creating direct overlap, but also contaminating the independence of future exploits.

      It doesn't make extrapolation impossible, but its definitely harder. And its really hard to imagine RAND has good data to work from. So I'd think their estimates of overlap would be really loose.

      Plus are they counting all overlap the same? Maybe Microsoft Word is swiss cheese so exploits for word will have little overlap. But maybe OpenBSD and LibreSSL are much smaller attack surfaces and those exploits have higher overlap... if we both have 100 exploits, 99 for MS word and 1 for BSD; and its the same 1 for BSD but a different 99 for Word you could just as easily argue that we have 50% overlap as 1% depending on how you write the results up.