No Time Left

Evan Dornbush
April 25, 2025

Every now and again, there is a massive shift in cybersecurity that alters the battlespace entirely. Sometimes it is difficult to detect in real time, but when you look back, it was obvious that the landscape was being forever altered, right under your feet.

Today, the proliferation of zero day exploits and the closed, opaque economy where they are traded is forever changing the rules of engagement. Exploits are cheap and plentiful, allowing attackers to move quickly and undetected, striking corporations before they even realize they are under attack, in places where they don’t even know they are vulnerable.

In many ways, cybersecurity is a race against time. Today, defenders are trailing badly, and often losing. Most commonly, defenders first learn that a vulnerability exists when an advisory is issued, and advisories are only issued after an adversary has bought a bug, weaponized it, and used it against organizations just like yours.

Because of the speed at which systems can be compromised, defenders exhaust their days reacting to attackers’ moves, mitigating damage rather than preventing it. From the time an attack is launched, that damage is costly: to the wallet of the company, the reputation of its technology, its relationship with customers and the brand.

This has been allowed to perpetuate because zero day exploits are developed and traded beyond the view of defenders. Researchers often develop exploits using their own resources and ingenuity, but have no good avenue to share information. Bug bounty programs identify issues one bug at a time, but have largely failed to provide workable solutions for the research community. With researchers frustrated by the struggle to raise awareness with defenders, exploits often end up in the hands of attackers, who use them to gain an insurmountable head start on defenders and fuel their illicit businesses with dollars paid in ransomware attacks.

At Desired Effect, we aim to blunt the supply chain advantage that currently benefits attackers, and deliver defenders proactive solutions to address their vulnerabilities before they are exploited.

‘The New Normal’

The growth of zero day exploits over the last decade has been staggering. In 2012, there were only two exploitations of zero day vulnerabilities, according to Mandiant. By 2021, there were 80, which was more than double the number in 2019. By 2023, zero days accounted for 70% of exploited vulnerabilities.

Exploits account for a larger share of cyber attacks, and they are coming faster than ever before. The time-to-exploit has fallen rapidly, from 63 days in 2018-2019 to just five days in 2023, according to Mandiant.

To be sure, zero day exploits have long been a weapon in the nation-state context, as witnessed from Stuxnet to the Shadow Brokers.

But the latest uptick has introduced a new economic paradigm that has fueled the spread of attacks not only into governments and major vendors, but also into hospitals, local governments, infrastructure-layer software, connected devices, and more. Zero day attacks have risen alongside ransomware, as 75% of ransomware in 2022 was linked to zero-days, according to Sophos. This creates an avenue for attackers to generate revenue from breaches. Attackers can obtain an exploit, shut down systems through a ransomware attack, and use the earnings to fuel more attacks. This is creating businesses that are not only illicit and destructive, but also profitable. Affordable and accessible zero day exploits are a core driver of their growth.

While this shift has brought devastating attacks, signs indicate we are only at the beginning of this wave.

As a top British cyber officer warned: “More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks.”

With profit as their motive and rapidly advancing tools and techniques at their disposal, attackers will be incentivized to launch more risky and devastating attacks. Defenders currently have a disadvantage, but they are not powerless to respond. Rather, they must shift their stance to take proactive steps, seize the upper hand, and hit attackers at the source.

Today, attackers benefit from two key advantages that allow them to stay several steps ahead of defenders.

Awareness. With zero day exploits, the bad guys know where to break in. They have knowledge of a vulnerability, and there’s no defense for it because the defenders don't know it exists. Defenders are blind, and that puts them behind. We need to flip this. If defenders know about a zero day exploit first, they can take action to prevent being exploited. Data on zero day exploits is critical, and corporations and governments have taken initial steps to release more. But this is a drop in the bucket. It’s not enough to stop devastating attacks. 

Sourcing. Attackers know how to obtain zero day exploits quickly and cheaply. They know they can undercut government and corporate buyers by offering streamlined deal structures and quick transactions. They’ve priced this into their business model, and continue to commit crime because it pays. The researchers who discover zero day exploits are often marginalized from these transactions, while corporations and governments can’t move fast enough. When they can, the terms are often unfavorable. 

Until now, defenders have not had easy opportunities to engage the vulnerability research community and leverage the free market to their advantage. The head-in-the-sand, hide-behind-our-castle-walls, wait-and-hope strategy is hardly a strategy at all. We need a new mechanism to deliver vulnerability data, ahead of attacks.

We need a new way to connect buyers and sellers that provides a mechanism for corporations to obtain zero day exploits, and remove them from the market. Bug bounty programs often offer privacy terms that end up being a deterrent to researchers.

The growing weaponization of zero day exploits is unlike past waves of cybersecurity threats. We can meet this challenge head on, but the tools and approaches we’ve used in the past won’t work. 

We need to be proactive and act ahead of attacks, not defensive and reactive.

We need to consider economics, incentive structures, and supply chains that motivate attackers, not just how they infiltrate our systems.

We have to value researchers as contributors and partners, not mercenaries.

As with any major shift in the landscape, there is room to create new ways of maneuvering in the changed world. Exploits can provide valuable intelligence when they reach defenders first. With better tools and structures for engagement, we can attract the best, and make zero day exploits a cornerstone of defenders’ arsenal. Join us.