A paper by two Symantec researchers, ‘Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World’ (Bilge and Dumitras), came to my attention through Bruce Schneier’s blog. Instead of throwing a load of statistics (which I’m not a great fan of) at readers, I’ll offer up my thoughts on what the figures mean.
The paper was published by researchers who went about identifying possible exploits across 11 million hosts before their corresponding vulnerabilities were disclosed, basically by searching CVE and the Open Source Vulnerability Database for known vulnerabilities, and matching them against events that were examined by Symantec’s reputation system as possble exploits before disclosure.
Using this they were able to derive the lifecycle of a typical zero-day vulnerability (around 312 days), and the rate at which exploits increased after disclosure (by roughly 500%). The authors have identified the following stages in a vulnerability’s lifecycle.
1. Vulnerability introduced
2. Exploit released
3. Vulnerabiliy discovered by the vendor
5. AV signatures released
6. Patch released
Profit and Loss
According to recent studies by Forbes and Google (also cited in the paper) the market value of a typical zero-day vulnerability is between $5,000 and $25,000. Pierluigi Paganini has some interesting things to say on how this market might be operating.
Given the amounts of money involved here, it follows the use of zero-day vulnerabilities and exploits would be limited to attacks where the gains are known to be high, otherwise the attackers would be operating at a loss. We should therefore expect to see such exploits targeted carefully against a select handful of organisations in the period before disclosure.
Risk Digest (Or Restating the Obvious)
According to another study cited in the paper (Security Econometrics: The Dynamics of
(In)Security), around 94% of exploits are created after disclosure, which leaves us with around 5% that are truly zero-day exploits. This means the proportion of threats with knowledge of undisclosed exploitable flaws must be in a tiny minority, especially if governments and corporations are starting to buy substantial numbers of them. The majority would either be using automated tools, such as Metasploit to scan and exploit known vulnerabilities, or doing lamer stuff like DDoS. The researchers’ claim that vulnerability disclosure typically leads to a 500% increase in the rate of exploits attests to this.
In the bigger scheme of things, an organisation should statistically be facing a much lower risk from advanced external threats than from insiders, especially where a high turnover of employees are concerned. Of course, that’s assuming the organisations in question are doing basic things like AV, patching, auditing, segmentation, etc. etc.