The Economics of Exploits

August 15, 2025

So often, we talk about cybersecurity as a competition between good guys and bad guys, great powers and ingenious disrupters. But as I’ve discovered in 20+ years in software exploitation, the truth that too few people talk about is that all of this takes place in an economic system. It’s time to talk about the market forces that make our systems vulnerable.

I previously posted an outline of the steps that compose an exploit’s lifecycle, emphasizing that the drive to a CVE and a patch is largely unseen by the defensive community.  

Afterwards a friend reached out and condensed several hundred words into:

“Zero day is such a garbage term. While you may be hearing about a bug for the first time, for me, it’s like ‘-300 day’. I’ve had a very long head start.”

Unfortunately, the research oftentimes ends up in the hands of criminal elements who use weaponized exploits to victimize organizations, long before a CVE is created, long before a patch is created, and long before the patch is installed.

In that blog, I promised to elaborate on the underlying value of the exploit landscape. This is particularly important, because above all, this is not a technical problem. If it were a matter of throwing more defensive technology at the problem, we would’ve solved it by now. Rather, this is a problem of economics and market incentives, and we won’t solve it until we treat it that way. 

Desired Effect is half built to make life better for exploit researchers and (non-criminal) operational buyers. The other half is built on the thesis that everyone has been looking at the exploit landscape from a suboptimal perspective (i.e. there’s a good business opportunity).

So let’s recap:

1. Vulnerability researchers are not criminals.

They don’t create risk. They make fascinating and highly valuable discoveries about risk inserted into a fielded product by its creators. Rarely do they weaponize or use the bugs operationally.

2. So what do they do with them?

Well. The options aren’t good:

1. Disclose to the vendor. 

Historically this has been met with either “thanks, we’ll take it from here” (and then nothing actually happens, and vendors knowingly leave their users at risk), or the researcher is presented with some form of cease-and-desist or other censure.

2. Run through bug bounty.

For the record, I love bug bounty. I think it’s critical for organizations to leverage crowd-sourced expertise they couldn’t otherwise hire or retain. And I love that bug bounty is fighting a thankless battle to repair relationships between vendors and researchers (see above). But bug bounty has limitations in scope and terms, and it is not all that difficult to type “bug bounty scam” into the social media platform of your choice and see endless postings from researchers who, right or wrong, felt disrespected enough to publicly post about their experience. So clearly there is still a gap to fill.

3. Sell to governments.

For those who have a favorite nation or set of nations, you can market your research to law enforcement, military, or intelligence communities. These entities pay out increasingly higher amounts. But there are two big challenges here. First, the pool of researchers who have moral or ethical objections to governments’ operational use is substantial. Second, the procurement cycle is awful: 12 to 18 months in some cases, even for capabilities that fulfil standing requirements, before money flows. Not every researcher wants to wait that long. Some brokers attempt to arbitrage this and buy bugs hoping to hold and flip. Frankly speaking, I did that when I was a broker. That worked when bugs were $4,000. It’s a lot harder when some can go for $4M!

4. Sell to criminals.

Ahhhh. “Hi Mr. or Mrs. Researcher. I have with me some money and I’ll give it to you right now, sight unseen, if you don’t ask too many questions.” The amounts of money can be life changing for some, particularly as the talent pool for impactful bugs spans the entire globe. Wow. No legal threats, no delays? Could seem tempting. And because there really aren’t many other options, and there aren’t many buyers, the price points can be relatively low, especially considering how lucrative it can be to use one bug to gain a ransomware foothold during the entire period the bug remains zero day.

And now you can see why criminals seem to always be several steps ahead of the defensive community. Until we can make crime less profitable, no amount of tech in your tech stack will keep attackers at bay. They’ll leverage a zero day and you’ll be perpetually playing whack-a-mole… a losing proposition. While other entities can try to reduce criminals’ revenues — negotiate the ransoms down or refuse to pay them, increase fines or prison terms for getting caught, etc. — at Desired Effect we come at it from the opposite angle. Let’s make it more costly for attackers to obtain their critical tooling. Let’s leverage the collective buying power of the defensive community to incent researchers with a more lucrative alternative. Let’s find ways to get this information into the hands of defenders as quickly as possible, ahead of weaponization and ahead of victimization.

This leads us to additional perspectives:

1. The value of the exploit landscape is NOT in selling exploits. Rather, it is in selling awareness of the bugs.

The number of defenders far outnumbers the number of attackers.

The total budget spent on defense far outpaces the costs of attackers.

Defensive personnel undergo years of formal degree-bearing learning and technical certifications.  

So why are attackers several steps ahead of the defenders? Because they engage the research community and buy bugs. And this leads to a misconception of the value proposition.

Defenders don’t want to acquire and take possession of exploits. They simply want their existing risk to go away. They want to make sure bad actors cannot gain access to this information before defenders do. And their numbers and budgets eclipse attackers’. So at Desired Effect we aim to help both researchers and defenders by implementing a model that allows both to benefit from AWARENESS of the bug, not necessarily from moving the bug itself.

Defenders, who very much care about quantifiably reducing risk, want to know where that risk is, and get the data as early as possible.

We provide a novel path for researchers, one that puts them in the driver’s seat, setting terms they are comfortable with, including price and who they will (or won’t) work with, and relieving them of some of the moral quandaries that incumbent offerings present.

2. No one has been able to surface this unrealized value because it has been suppressed by opaque and fragmented gray markets where exploits have been traded for decades. 

As shared in the last post, there was a time when the opacity benefited both seller and buyer. But those are relics of a past age. So how does Desired Effect power its Exploit Intelligence feed? With a vibrant marketplace that pushes portions of its members’ annual fees towards researchers to help incent the world’s best research.

We believe that by solving two adjacent problems together — increasing compensation for the researchers and reducing the mean time to risk awareness for defenders — we can finally disrupt the profitability of crime. We can remove tools, drive up the cost of tools, and reduce the number of unaware targets.

That is our Desired Effect.