Crossroads Blog | Institute National Security and Counterterrorism

Cyber Exploitation

Offensive Markets for Vulnerability Research: Spooks & Suits

So I’m at Taia Global’s Spooks & Suits event, a wonderful conference touching on active defense and other cybersecurity topics.  The motto/theme? “Offense as defense.”  There are several talks going on both today and tomorrow, and I’m going to attempt to blog them as best I can (I will not be able to attend them all).  Obviously all credit to Taia Global and Jeffrey Carr (@JeffreyCarr) for putting this together.  Hashtag is #SNSDC

The first presentation I caught was Gunter Ollmann & Donato Ferrante’s “Offensive Markets for Vulnerability Research” talk.

Mr. Ollmann opened the talk by discussing exploits and vulnerabilities.  He noted that a vulnerability doesn’t necessarily equal an exploit, and a reliable exploit gets you a lot more $.  Interestingly, Mr. Ollman said that the people who find vulnerabilities are mostly 22-30 year  old males who work as consulting researchers and have a poor understanding of weaponization.  These consulting researchers may have contractual obligations for their companies, and if so, must decide whether to report a discovered vulnerability or sell the knowledge.

Mr. Ollmann went on to explain that the offensive market has 4 players:

  1. Small niche players (these are people who have personal relationships with those who find vulnerabilities);
  2. Bug bounties (companies offer cash rewards for people who discover vulnerabilities, and Mr. Ollmann noted these bounties have been increasing; Google offered a $1 million bounty);
  3. Defense contractors;
  4. State representatives (Mr. Ollman explained that vulnerability discoverers, after notifying vendors of those vulnerabilities, often get messages saying I’ll pay you for the next vulnerability if you don’t go to vendor.  By the same token, these vulnerability finders will get emails from criminals saying your disclosure cost me $3 million, how dare you).

After Mr. Ollman finished, Donato Ferrante took the floor and furthered the discussion on zero days.  A bit of background: zero days come from vulnerability research (fuzzing), code review, and reversing.  A zero day doesn’t do anything, per se. It can be used to write code, or it can be used to patch.  I got a bit behind in the conversation, but Mr. Ferrante suggested the idea of writing a “call back home exploit” to effect attribution, noting that “[a]ttackers are humans too, at some point they will fail.”  We then transitioned to a discussion of call-backs and exploit-based watermarking, engendering a number of questions and robust debate amongst and between the audience and the speakers.  I wish I could give you a better description of the debate, but it was a bit too complex to break down quickly.  Great talk.

Please check out Taia Global’s website if you’re not at the conference.

Leave a Reply

Bitnami