New Uses for Old Things: Bug Hunting

Real Simple, a popular magazine aimed at women interested in simplifying their lives, offers 15-minute recipes, organizational tips, and fashion and beauty advice. Each monthly issue includes a section titled “New Uses for Old Things,” which lists everyday household items that have been cleverly repurposed. For instance, rather than discarding an empty Heinz tomato ketchup bottle, rinse it thoroughly and fill it with batter to squeeze out the perfect pancake. The same concept is now being applied in the cybersecurity world.

Studies have found that the number of zero-day vulnerabilities discovered rose by 125% from 2014 to 2015, yet attackers are relying less on zero-day exploits to launch attacks because other vectors are easier, less risky, and more productive. Declining reliance on zero-days as an attack vector does not change the fact that the number of zero-day vulnerabilities discovered keeps growing rapidly and that technology companies remain very much at risk. Against this backdrop, a new and lucrative market for zero-day vulnerabilities has emerged.

Bug hunting, the professionalized search for vulnerabilities and the sale of the resulting reports or exploits, has become common practice for hackers regardless of the color of their hat. Sizable bounties are paid out by well-known companies with security flaws in their own products, by security vendors, and by intelligence agencies.

For years, Google has paid bug bounties to friendly hackers who told the company about flaws in its code. Google took matters into its own hands when it launched Project Zero in July 2014. Project Zero is staffed by Google-employed security researchers tasked with finding zero-day vulnerabilities in widely used software. Bugs found by the team are reported to the vendor and made public once a patch has been released, or once 90 days have passed since the vendor was notified, whichever comes first.

Founded by HP’s TippingPoint, the Zero Day Initiative (ZDI) rewards security researchers for discovering vulnerabilities. Its rewards program lets researchers earn points, akin to frequent-flyer miles, equal to the purchase price paid for each vulnerability submitted. The points a researcher accumulates determine a status tier: Bronze, Silver, Gold, or Platinum. A researcher who earns more than 65,000 points in calendar year 2015 holds ZDI Platinum status for calendar year 2016.

Law enforcement agencies like the FBI pay handsome sums to companies like Cellebrite, an Israeli vendor of mobile forensics solutions. This is a moral gray area because it can infringe on an individual’s right to privacy, but it is hard to fault Cellebrite for wanting to monetize the vulnerabilities it discovers, or the FBI for using those capabilities to pursue criminal suspects.

Although reliance on zero-day exploits as an attack vector may be declining, they remain a key element of cybersecurity because they can be monetized. This kind of evolution is not unfamiliar: it resembles the way patents that are never used to build products are monetized instead by individual inventors, law firms, and patent trolls. It will be interesting to see how this evolution continues to play out.

SentinelOne has just released a short guide to attack vectors. And if you are looking for protection against both zero-day and known exploits, please visit our products page.