
SoylentNews is people

posted by Fnord666 on Tuesday March 21 2017, @05:53AM   Printer-friendly
from the keep-it-to-yourself dept.

RAND corporation recently received rare access to study a couple hundred 0-day vulnerabilities and their exploits.

It turns out that 0-day vulnerability discoveries live for about 6.9 years, and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.

The report (summary and full text [PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.



  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @04:40PM (#482232) (2 children)

    "and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap."

    Wait ... HOW did they find THAT out? Did Russia or China give them a stack of their stock-piled zero-days so they could compare to the CIA/NSA ones?? I mean seriously... what possible methodology are they using here? I don't get it.

    Because it's the NSA's (and others') job to know this, and they are much better at it than a random armchair spy on the internet.

    Truthfully I don't know how they know, but several ways I can think of are:
    1) Their 0-day exploits have clear signatures (e.g. recognizable internet traffic patterns), and they don't see them in domestic networks.
    2) They have out-of-channel sources of information (e.g. compromising some of the authors or discoverers of the 0-day exploits)
    3) They set up honey-pots, and look for how they are compromised
    4) They look at historically discovered 0-day holes and extrapolate from them
    5) Compare between "friendly" organizations (e.g. NSA can talk to CIA and others) to compare and contrast what exploits they have independently discovered, and extrapolate from that

    You know... the exact same thing that security firms do to locate security holes...

  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @05:08PM (#482245)

    It's #4 and #5, with multiple ways of estimating and lots of statistics.

  • (Score: 3, Insightful) by vux984 (5045) on Tuesday March 21 2017, @09:41PM (#482416)

    1) Their 0-day exploits have clear signatures (e.g. recognizable internet traffic patterns), and they don't see them in domestic networks.

    Most exploits 'stockpiled' aren't going to be visible, and when deployed, very narrowly targeted. There's not going to be much to see, nor when to see it.

    2) The have out-of-channel sources of information (e.g. compromising some of the authors or discoverers of the 0-day exploits)
    3) They set up honey-pots, and look for how they are compromised

    Safe to assume both sides are working those angles, and that's going to result in an *increase* in overlap, as one side's 0-days get added to the arsenal of the other side.

    4) They look at historically discovered 0-day holes and extrapolate from them
    5) Compare between "friendly" organizations (e.g. NSA can talk to CIA and others) to compare and contrast what exploits they have independently discovered, and extrapolate from that

    It gets tricky because you are polluting the well; seeing the other's exploits, even if they were independently developed, is going to guide what you look for in future for your own, making your future independently developed exploits... somewhat less independent. Would you have found X if you hadn't seen the other guy's Y... etc. Plus western hackers might have the same general approaches and even cross-contamination of staff over time, so there might be more overlap between CIA and NSA than you'd find elsewhere.

    And for a lot of bigger exploits like remote root through the browser it's a chain of exploits. So even if only one element in the chain is common to both parties' exploit kits, fixing that element will shut down both chains.

    Then there is also that exploits aren't developed in isolation -- they'll be drawing from what is publicly released, and again that contaminates the independence if they are both approaching targets with starting points that contain many of the same 'script kiddie' and/or 'black market' exploits, because how do you know the market isn't selling to the stockpiles on both sides? Again creating direct overlap, but also contaminating the independence of future exploits.

    It doesn't make extrapolation impossible, but it's definitely harder. And it's really hard to imagine RAND has good data to work from. So I'd think their estimates of overlap would be really loose.

    Plus are they counting all overlap the same? Maybe Microsoft Word is Swiss cheese, so exploits for Word will have little overlap. But maybe OpenBSD and LibreSSL are much smaller attack surfaces and those exploits have higher overlap... if we both have 100 exploits, 99 for MS Word and 1 for BSD, and it's the same 1 for BSD but a different 99 for Word, you could just as easily argue that we have 50% overlap as 1%, depending on how you write the results up.
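The aggregation point in the comment above, worked through in code. This is an added example, not code from the post, the commenter, or the RAND report; the two "stockpiles" are constructed toy data (99 distinct Word bugs per side plus one BSD bug held by both), and the product names and bug identifiers are made up for illustration. It shows that the same two inventories give a 1% overlap when pooled and a 50% overlap when each product is scored separately and the per-product figures are averaged, and that weighting the per-product figures by stockpile size recovers the pooled number, which is the check a reader of any overlap statistic should ask for.

```python
"""Pooled versus per-product overlap of two exploit inventories.

Added example, not from the original page. Inventories are lists of
(product, bug_id) pairs; all data below is constructed, not real.
"""

from collections import defaultdict


def share_held_by_other(mine, theirs):
    """Fraction of `mine` that `theirs` also holds: |A n B| / |A|.

    This is the "X% of our stockpile is also in their hands" reading
    used in the comment; it is 0.0 for an empty stockpile.
    """
    return len(mine & theirs) / len(mine) if mine else 0.0


def pooled_overlap(inv_a, inv_b):
    """Overlap with every bug thrown into one flat set, product ignored."""
    return share_held_by_other(set(inv_a), set(inv_b))


def split_by_product(inv_a, inv_b):
    """Group both inventories into {product: (side_a_bugs, side_b_bugs)}."""
    groups = defaultdict(lambda: (set(), set()))
    for product, bug in inv_a:
        groups[product][0].add(bug)
    for product, bug in inv_b:
        groups[product][1].add(bug)
    return dict(groups)


def per_product_overlap(inv_a, inv_b):
    """Overlap computed separately for each product."""
    groups = split_by_product(inv_a, inv_b)
    return {p: share_held_by_other(a, b) for p, (a, b) in groups.items()}


def mean_per_product_overlap(inv_a, inv_b):
    """Unweighted mean of the per-product overlaps.

    Every product counts equally, so a single shared BSD bug weighs as
    much as 99 unshared Word bugs: this is how 1/100 becomes "50%".
    """
    per = per_product_overlap(inv_a, inv_b)
    return sum(per.values()) / len(per) if per else 0.0


def size_weighted_overlap(inv_a, inv_b):
    """Per-product overlaps weighted by how many of A's bugs each product has.

    Weighting by stratum size collapses back to the pooled figure, so
    a report that gives only an unweighted per-product mean should be
    read with the stratum sizes in hand.
    """
    groups = split_by_product(inv_a, inv_b)
    total = sum(len(a) for a, _ in groups.values())
    shared = sum(len(a & b) for a, b in groups.values())
    return shared / total if total else 0.0


def build_toy_inventories():
    """Constructed scenario from the comment: 99 different Word bugs each,
    plus the same single BSD bug. Identifiers are made up."""
    side_a = [("word", f"a-{i}") for i in range(99)] + [("bsd", "shared-0")]
    side_b = [("word", f"b-{i}") for i in range(99)] + [("bsd", "shared-0")]
    return side_a, side_b


if __name__ == "__main__":
    a, b = build_toy_inventories()
    print("pooled            :", pooled_overlap(a, b))
    print("per product       :", per_product_overlap(a, b))
    print("mean per product  :", mean_per_product_overlap(a, b))
    print("size-weighted mean:", size_weighted_overlap(a, b))
```

The metric here is deliberately the one-sided "share of our stockpile they also have" rather than a symmetric Jaccard index; with the toy data that gives exactly the 1% and 50% figures from the comment, whereas Jaccard over the pooled sets would give 1/199. Either way the lesson is the same: an overlap percentage is meaningless without knowing how the population was stratified and how the strata were weighted.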