A black hat selling vulnerabilities can make as much money as a white hat researcher using bug bounty programs, or a grey hat working for a nation state doing reverse engineering.
Speaking at a Tenable conference in London last week, director of research Oliver Rochford said that having people do vulnerability research is expensive, and that the white, black and grey markets are all symbiotic: despite the difference between being legal and illegal, the different factors “mirror each other as it starts with vulnerability discovery.”
Rochford said that this “shows how professional cybercrime has become,” pointing to the fact that the main difference between the criminal and legal sides is ethics. In one slide, Rochford pointed out that vulnerability discovery and exploit research and development are the same on both the offensive and defensive sides, while the differences fall at the "operationalization" stage, where the offensive side looks at espionage, sabotage and fraud, while the defensive side looks at threat intelligence and compensating control adaptation.
In his research, Rochford showed that in some cases you can earn more as a white hat vulnerability manager than as a black hat, with a black hat able to earn around $75,000 in this sort of work. Rochford said this “is achievable and attractive” and while it was more lucrative to do it legally, if it is not “it is a way to make a living.”
Looking at the value of exploits, Rochford said that you can earn around a million dollars for an Apache or Linux vulnerability on the dark market, while an exploit broker (grey market) will pay around $500,000. WhatsApp vulnerabilities on Android can earn a million dollars on the black and grey markets. The only vulnerabilities where vendor bug bounties can be more profitable are for Safari on iOS, while general iOS bugs can earn a million dollars for a bug bounty, and $2 million on the grey market.
Pointing at Bromium’s “Web of Profit” research, Rochford said that the revenue generated by cybercrime is estimated at $1.5 trillion, while the total size of the cybersecurity market in 2019 was $136 billion, according to Gartner.
Rochford also said that attackers have a median seven-day window of opportunity to exploit the vulnerabilities before the defender has even assessed for the vulnerability, and that is why “companies need to harden their attack surface and raise the level of attack.” He said that reducing market supply and increasing production cost also increases the value of exclusive zero days, thus incentivizing investment again.
Speaking at the event, Jose Maria Labernia, head of IT security and internal control at the European IT Services of Lafarge Holcim said that he did believe that zero-day exploits “are important as they can compromise a system.”
He said that not many companies have the capability to patch a zero-day as the speed and level of patching required “is not a matter of a zero-day, but the number of vulnerabilities to patch.” Asked by Infosecurity if a company would patch by the severity rating, he said that it was previously just about patching Microsoft and Unix, and then Flash came along, and now “there are so many components and web apps and it is really difficult to cope with the large exposure that organizations face.”
Labernia said that agile methodologies can be applied, and that part of the process is accepting that, regardless of whether a technology is “legacy or not, some cannot be patched,” so an option is to come up with full isolation and control every ingress and egress of traffic, “but this is a challenge for security teams and organizations push us as we grow in transformation.”
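The isolation approach Labernia describes for systems that cannot be patched, controlling every ingress and egress, is shown below as an added example in the form of a host-level nftables ruleset. This is not code from the article or from either speaker; the interface, the management jump host, the client subnet, the application port and the syslog collector address are all assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the article: default-deny isolation for a legacy
# host that cannot be patched. Every address, port and set name below is an
# assumption for illustration, not a value taken from any real deployment.
flush ruleset

table inet legacy_isolation {
    # Assumed jump host that is the only source of management traffic
    set mgmt_hosts {
        type ipv4_addr
        elements = { 10.0.10.5 }
    }
    # Assumed client subnet that is the only consumer of the application
    set app_clients {
        type ipv4_addr
        flags interval
        elements = { 10.0.20.0/24 }
    }
    # Assumed syslog collector; the only destination the host may talk to
    set egress_allowed {
        type ipv4_addr
        elements = { 10.0.30.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Management only from the jump host, and only SSH
        ip saddr @mgmt_hosts tcp dport 22 accept
        # The one application port, only from the approved client subnet
        ip saddr @app_clients tcp dport 8443 accept
        # Anything else is logged (rate limited) and then dropped by policy
        limit rate 10/second log prefix "legacy-ingress-drop: "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # Outbound is limited to syslog towards the collector: no DNS,
        # no general internet egress, so a compromised service cannot
        # reach out without producing a logged drop
        ip daddr @egress_allowed udp dport 514 accept
        limit rate 10/second log prefix "legacy-egress-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. Because the output chain is default-drop, anything the host legitimately needs (NTP, a patch mirror, a database) has to be added as an explicit rule, which is the point of the exercise: every ingress and egress path is enumerated. The two `log` rules give the security team a kernel-log record of each blocked connection, which doubles as a detection signal for attempts to reach or leave the isolated host.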