It’s basic economics: When supply drops but demand keeps rising, price goes up. It’s no different for pieces of information that give cyberattackers big advantages.
The number of zero-day exploits revealed in the wild fell for a third straight year in 2016, pushing the prices for them skyward and driving attackers to use alternative tactics, according to new research from Symantec.
The total number of zero-days exploited — a “zero day” is a software vulnerability that hasn’t been disclosed to the vendor and thus hasn’t been patched — dropped to 3,986 in 2016, Symantec said. That number was as high as 4,985 in 2014.
Meanwhile, demand for zero-days is as high as it’s ever been. Zero-days discovered by security researchers are purchased by a wide variety of parties including militaries, intelligence agencies, law enforcement, software vendors, cybercriminals and military contractors. Their intentions also vary widely: Some buyers want to fix and defend software, others want to mount offensive cyber-operations via vulnerabilities.
No matter the motivation of the buyer, however, it’s an increasingly worthwhile transaction when you can make it.
“If [attackers] find something exploitable, there is now more value,” Symanetc’s Kevin Haley said.
Zero-day vulnerabilities can take anywhere from several days to months to develop. Software companies, meanwhile, are better at catching them before outsiders do.
“As the major vendors like Microsoft and Apple have gotten more serious about patching vulnerabilities within their platforms, the number of vulnerabilities that are 0-day’s has decreased. As a result, price for actionable, current, 0-day exploits has increased,” Blake Darche, a former computer network exploitation analyst at the National Security Agency, wrote to CyberScoop. “From a defense perspective however, most organizations struggle to patch known exploits fast enough to prevent a damaging cyber attack. These organizations should move towards patching actively exploited vulnerabilities by hackers as they are occurring to further their defensive readiness.”
Common software products like Microsoft Windows, Adobe’s ubiquitous Flash player and Google’s Chrome browser are generally more robust and less likely to have vulnerabilities that can actually be exploited in the wild, said Alex Rice, the chief technology officer and co-founder of the bug bounty platform HackerOne.
“It’s not just that those bugs don’t exist as much anymore, it’s that the level of expert and the cost to exploit them has gone up significantly,” he said.
Helping hands get involved
In addition to security achievements at major software vendors like Google, Microsoft and Apple, a significant chunk of credit goes to bug bounty programs that open up new legal demonetization avenues and shift the profit motivation towards responsible disclosure to vendors. All of a sudden, more researchers than ever are being paid to find vulnerabilities that can then be fixed. The crowded field and extra money makes finding the bugs for exploitation far more difficult than it was in the past.
On HackerOne, for instance, about 20,000 zero-day vulnerabilities were found, disclosed and resolved mostly in private in the last year alone. That number dwarfs the number of zero-day vulnerabilities counted by Symantec.
“Weaponizing an exploit in 2017 is much, much harder than it was even two to three years ago,” Rice said.
“The price has steadily risen each year,” said Jason Haddix, the head of trust and security at the bug bounty platform BugCrowd which runs programs for hundreds of companies and products. “There are different classes of vulnerabilities. If it’s a zero-day that causes remote code execution against a server or if it’s a low information level vulnerability but it’s still unknown, both floors have risen. You can see some zero-days go for as high as $50,000.”
That’s the number for bug bounty platforms. On the offensive side of the market, the price goes much higher. Zerodium, a company that buys and sells zero-day research, lists $1.5 million as the top price it will pay for a single submission. The company paid out $600,000 per month for undisclosed vulnerabilities, according to a 2015 interview with the CEO. He predicted $1 million per month spent by the end of that year. Offensive cyberweapons dealers differ from defensive markets like bug bounties because zero-day dealers have more specific wants and needs due to their military and governmental clients’ needs.
“Bug bounties and other defensive contests are far too low in relative price to be directly competitive with the offense market prices and that will always be the case,” said Katie Moussouris, founder and CEO of cybersecurity firm Luta Security. “If bug bounties were as high as offense market prices, then no company would be able to pay high enough salaries to full time employees to compete. The levers by which the vulnerability markets will move are far more complex than simply prices. Incentives will have to be creative and unique for them to draw out the best hackers and the most interesting bugs.”
Attackers try other avenues
Given the increased difficulty in finding zero-day exploits, attackers are increasingly turning to different tactics like social engineering in order to compromise targets. One of the highest-profile hacks of 2016 — the hacking of the Gmail account of Hillary Clinton’s campaign chief John Podesta — took place with a phishing campaign followed by exfiltration of data from cloud services
“It’s pushing the bad guys to find other ways,” Symantec’s Haley said. “That’s why they’re moving towards email and using social engineering. If the OS is hardened, if you can’t fool the OS, you can always go back to fooling the user. We haven’t been able to harden our users quite enough yet.
The easiest way to compromise an organization used to be through Flash or Windows, Rice said.
“The bar there has been steadily rising to the point where, for many adversaries, if they want to compromise an organization the easiest way in often is their employees and the software they’ve written that’s unique to them, because it doesn’t have same level of maturity that software by Google, Microsoft or Adobe has,” he said.
The increased rarity and rise in price of zero-days is “a good thing,” Haddix said. He predicts the trend will continue as more businesses launch bug bounty programs, raise reward levels higher and adopt security tactics pioneered by larger vendors.
“This is ultimately good news,” Rice said. “The software we rely on most consistently is getting significantly harder to exploit and vulnerabilities are far more rare.”