Author: Nir Gaist, Co-Founder and CTO, Nyotron
2018 began with the discovery of Spectre and Meltdown vulnerabilities, and while I predict IT security professionals will face a significant new and previously unknown threat(s) in 2019, it’s just as important to prepare for a long-established threat: attacks leveraging zero-days. We ended 2018 with Microsoft and Adobe both releasing patches for zero-day bugs in December. As is often the case when researchers discover zero-day vulnerabilities, the findings and patches are made available at no cost to the public to ensure all affected organizations can protect themselves. That raises the question of whether the federal government should do the same with any zero-day vulnerabilities it discovers. It’s a simple question to ask, but one that’s difficult to answer with just a “yes” or “no”.
The debate made worldwide headlines in 2013 when a Central Intelligence Agency (CIA) employee, Edward Snowden, leaked classified information about the U.S. government’s efforts around mass surveillance, which included hacking into commercial organizations and much more.
“What has received less attention is the government’s use and stockpiling of zero-day exploits.”
The term “zero-day vulnerability” refers to the fact that developers have zero days to address and patch a previously undiscovered vulnerability. To take advantage of such a vulnerability, an exploit needs to be created. Governments’ use of zero-day exploits has exploded over the last decade, feeding a lucrative market for defense contractors and others who uncover critical flaws in the software (and hardware), and sell information about these vulnerabilities to their government customers. For example, the infamous Stuxnet, a digital weapon used to attack Iran’s uranium enrichment program, used four zero-day exploits.
The Case for Sharing
The argument for publicly sharing zero-day threats is that they pose a significant, and possibly long-term, security risk to organizations and individuals both nationally and globally. According to the RAND Corporation report, “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits,” zero-day exploits and their underlying vulnerabilities have a 6.9-year life expectancy, on average. That’s 2,521 days after the initial discovery, with 25% of those zero-days surviving for more than 9.5 years.
Not only can zero-day exploits enjoy long life spans, but when a vulnerability is discovered, it can be put to work very quickly. When it comes to the time required to create an exploit, RAND found that almost a third are developed in a week or less, with the majority being developed in approximately 22 days.
“There is also a chance that other parties (including our adversaries) have discovered the same zero-day and could be using it against our governmental and commercial entities. Even if an organization is rigorous about keeping up to date with patches, that does not guarantee a solution to the zero-day problem.”
You may now think, “Well, that settles it – the government should disclose every zero-day it discovers.” But hold on – one can make a strong case that the government should keep them secret in the interest of national security.
The Case for Stockpiling
The RAND report delves deep into the issue of stockpiling and hypothesizes that if zero-day vulnerabilities are very hard to find, and the likelihood that another party has independently discovered the same vulnerability is therefore low, then it makes sense to stockpile. The research estimates that only 5.7% of zero-day vulnerabilities are discovered by another entity per year. Hence, the “collision” rate, or the chance of the same vulnerability being discovered independently by multiple parties, is quite low. For that reason, stockpiling rather than disclosing may be beneficial for offensively focused entities.
“The argument in favor of stockpiling is that the discovery of zero-days is a costly process, but when successful, gives a government an asymmetric advantage versus the adversaries, allowing for practically undetectable intelligence gathering and even the ability to disable or sabotage opponents’ infrastructure.”
However, a U.S. presidential advisory committee convened in the wake of Edward Snowden’s leaks recommends against government stockpiling. The committee was charged with developing a set of recommendations for how to strike a balance between protecting national security interests, advancing the administration’s foreign policy agenda, and protecting citizens’ privacy and civil liberties.
The committee’s report includes 46 recommendations, including one on the topic of zero-day disclosure: “US policy should generally move to ensure that zero-days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks.” The report continues, “In rare instances, US policy may briefly authorize using a zero-day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.”
It is clear that the panel’s recommendation favors disclosure. In response, the government stated that “there is a [zero-day review] process, there is rigor in that process, and the bias is very heavily tilted toward disclosure.”
Favoring disclosure is also the view of Joe Nye, the veteran national security scholar, who argues that “…if the United States unilaterally adopted a norm of responsible disclosure of zero-days to companies and the public after a limited period, it would destroy their value as weapons — simultaneously disarming ourselves, other countries, and criminals without ever having to negotiate a treaty or worry about verification. Other states might follow suit. In some aspect, cyber arms control could turn out to be easier than nuclear arms control.”
Likewise, the 2013 presidential advisory committee’s report referenced above counters RAND’s conclusion: “In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection. Eliminating the vulnerabilities — ‘patching’ them — strengthens the security of US Government, critical infrastructure, and other computer systems.”
It’s a fascinating debate, but don’t wait for a resolution before hardening your organization’s security posture to thwart zero-day-based attacks. The chances are high that your organization may already have undetected malware leveraging zero-day vulnerabilities, since even next-generation antivirus solutions have a hard time detecting threats that are very different from what they have seen before. After all, a 6.9-year life span gives a zero-day lots of time to cause significant damage.
It is unrealistic to prevent all zero-days from gaining access to your systems, but you can stop the damage using traditional AV (or NGAV) solutions paired with a Positive Security model-based solution that defines what is allowed (aka “good” or “known”), and rejects everything else. Having both Positive and Negative Security solutions in your security stack provides the highest possible endpoint protection.
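As an added illustration of the two models the paragraph above contrasts (this is example code written for this article, not Nyotron's product or any code from the original), here is a small Python simulation of a negative security model, which blocks only what matches a known-bad signature, beside a positive security model, which allows only declared-legitimate behaviour and rejects everything else. The process names, hashes, paths and allowlist entries are all constructed placeholders; the point is that a never-seen sample slips past the signature list but not the allowlist, while a legitimate-but-undeclared action shows the allowlist's false-positive cost, which is why the text pairs the two.

```python
"""Positive vs. negative security models over constructed endpoint events."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    """One endpoint observation (constructed for this example)."""
    process: str   # image name of the acting process
    action: str    # "write_file", "net_connect" or "spawn"
    target: str    # file path, host:port, or child image path
    sha256: str    # hash of the acting image; placeholder values, not real samples


# Negative security model: a blocklist of what is already known to be bad.
# The hash is a constructed placeholder standing in for a real signature.
KNOWN_BAD_HASHES = {"deadbeef" * 8: "known-trojan"}

# Positive security model: the only behaviours declared legitimate, as
# (process, action, target glob). Anything not listed is rejected.
ALLOWED_BEHAVIOUR = [
    ("winword.exe", "write_file", "C:\\Users\\*\\Documents\\*.docx"),
    ("winword.exe", "net_connect", "*.office-sync.example:443"),
    ("chrome.exe", "net_connect", "*:443"),
    ("services.exe", "spawn", "C:\\Windows\\System32\\*.exe"),
]


def negative_verdict(ev: Event) -> str:
    """Block only if the image matches a known-bad signature."""
    return "block" if ev.sha256 in KNOWN_BAD_HASHES else "allow"


def positive_verdict(ev: Event) -> str:
    """Allow only if the behaviour matches an allowlist entry; reject everything else."""
    for proc, action, target_glob in ALLOWED_BEHAVIOUR:
        if ev.process == proc and ev.action == action and fnmatchcase(ev.target, target_glob):
            return "allow"
    return "block"


def evaluate(events):
    """Return {event: (negative_verdict, positive_verdict)} for a batch of events."""
    return {ev: (negative_verdict(ev), positive_verdict(ev)) for ev in events}


# Constructed sample events.
SAMPLE_EVENTS = [
    # 1. Normal document editing: both models let it through.
    Event("winword.exe", "write_file", "C:\\Users\\alice\\Documents\\q4.docx", "00" * 32),
    # 2. Previously seen malware: the signature model catches it.
    Event("unknown.exe", "write_file", "C:\\Windows\\System32\\drivers\\x.sys", "deadbeef" * 8),
    # 3. Never-seen sample: no signature exists, but Word spawning a shell was
    #    never declared legitimate, so the positive model rejects it anyway.
    Event("winword.exe", "spawn", "C:\\Windows\\System32\\cmd.exe", "ab" * 32),
    # 4. Legitimate but undeclared behaviour: the positive model's false positive,
    #    which is why the allowlist needs maintenance and a negative model beside it.
    Event("chrome.exe", "write_file", "C:\\Users\\alice\\Downloads\\report.pdf", "cd" * 32),
]


def summarize(events=SAMPLE_EVENTS):
    """Count how many events each model blocks."""
    verdicts = evaluate(events)
    return {
        "negative_blocked": sum(1 for neg, _ in verdicts.values() if neg == "block"),
        "positive_blocked": sum(1 for _, pos in verdicts.values() if pos == "block"),
    }


if __name__ == "__main__":
    for ev, (neg, pos) in evaluate(SAMPLE_EVENTS).items():
        print(f"{ev.process:12} {ev.action:12} negative={neg:5} positive={pos}")
    print(summarize())
```

Running the script shows the signature model blocking one of the four events (the known trojan) while the allowlist blocks three, including the unseen sample that has no signature; the fourth block is the legitimate download the allowlist was never told about. Deploying both models means the allowlist covers what signatures cannot, and the signature list keeps coverage while the allowlist is being tuned.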
Nir Gaist, Founder and CTO of Nyotron, is a recognized information security expert and ethical hacker. Nir has worked with some of the largest Israeli organizations, written the cybersecurity curriculum for the Israel Ministry of Education, and holds patents for Behavior Pattern Mapping (BPM), a programming language that enables the monitoring of the integrity of the operating system behavior to deliver threat-agnostic protection.