There’s a security truism that goes something like this: Defenders must protect all machines against all vulnerabilities, while attackers need only to find one way on to a system or network.
It’s a nearly unwinnable game for those in charge of defending corporate networks and securing web-based services, one that’s tilted severely in the favor of hackers who stockpile vulnerabilities and exploits.
And the problem is those stockpiles, which are maintained by not only attackers, but also by some governments. Those on the offensive side of the vulnerability market want to build up their cadre of weapons, either by finding them or buying them—and by doing so, keep those bugs from being patched until they’re discovered by a white hat and disclosed to the respective vendor.
“On the defensive side, the goal is not just to find and fix bugs fast, but actually if you think it through,” says Katie Moussouris, chief policy officer at HackerOne and subject matter expert for the International Standards Organization (ISO), “the defensive side benefits most from when it can find the same vulnerabilities as are in the offensive stockpile and kill those.”
Moussouris, along with Dr. Michael Siegel, principal research scientist at MIT’s Sloan School, is expected to present at next week’s RSA Conference, collaborative research and data on those levers that most impact the zero-day vulnerability market. As part of a Facebook-funded program, Moussouris, Siegel, Dr. James Houghton of MIT, Collin Greene of Facebook, and Dr. Ryan Ellis of Harvard Kennedy School built a System Dynamics model to examine the zero-day market, the goals of the respective sides, and how to best tip the game in defenders’ favor.
The key, their model shows, is that access to better tools and techniques for bug discovery is much more valuable to defenders and brings them much closer to what Moussouris called “bug collisions” with vulnerabilities already stockpiled by an attacker.
“What our model is trying to show is that if you actually want to move the lever and tip the scales in favor of defenders, create incentives for tools and technology for defender,” Moussouris said. “If you talk to offensive-oriented bug hunters, they don’t use tools; they’re that good. You’re not going to get experts to work on the defensive side all the time. The question is how to scale skills on the defensive side. You can train them up, but it’s a slow process.”
Creating incentives for the development of tools used in bug hunting, such as new fuzzers, for example, helps drain the offensive stockpile, especially for mature, hardened software, and much more quickly than a bug bounty. Moussouris, for example, will next week demonstrate data points from the model that show a nine percent overlap in bugs in young software between offense and defense, while there’s a 0.8 percent overlap in mature products.
“Before I had permission to buy vulnerabilities in 2010, I had proposed buying tools and techniques,” Moussouris said in reference to her previous position with the Microsoft. “If a hacker came in with a slew of vulnerabilities, I had a suspicion there was a new tool too. If they wrote a fuzzer or detection tool, the MSRC would ask to see it and offer to pay them. We wanted to license the tool, not to run it, but to learn from what it was doing to improve what our own SDL was doing in terms of testing. ”
The zero-day market has been hotly debated for the better part of 24 months now. During his Black Hat keynote last summer, noted expert Dan Geer proposed a scenario where perhaps the U.S. government should buy all zero days at 10 times the market price point in order to compete with the marketplace. Governments play both sides of this equation, Moussouris points out, buying their share of zero days for offensive use, but also must defend against such exploits in the name of national security.
Moussouris says Geer’s proposal won’t necessarily “drain the swamps” of zero days, but will in fact drain the talent pool of fuzzer writers. She sees a scenario, for example, where testers and tool developers would try to earn a living from such bounties.
“That scheme coming from the defense market would prove disruptive to the [security] industry,” she said. “What could be done is something that incents publication and at the same time makes available tools and technology.”
Governments, too, aren’t asking the right questions, Moussouris said.
“What our research points to is that the government is debating the wrong question; the debate is at too low a level,” she said. “If you’re playing a high-stakes version of the Capture the Flag with other nations, you need to secure your own flags first. Incent tools and technology available to defenders and determine exploitability. That stuff needs more incentives.
“Individual bugs are important, but the level of conversation about tipping scales has to rise,” Moussouris said. “You always get better efficiency using tools.”