Security practitioners are being outspent by a factor of 11 to 1 by ‘exploit brokerages’ that have formalised the conversion of new vulnerabilities into commercial opportunities, according to a new study that found brokerages are paying up to 500 percent more for zero-days than they did just two years ago.
It’s a sobering statistic that both highlights and explains the need for CISOs to prioritise the vulnerabilities most likely to be used in an attack, according to a new Tenable report and webinar analysing the exploit supply chain.
Concerted efforts by security researchers to discover and publish exploits had brought down their value on open markets, the analysis found, but “the high ROI on criminal operations means these will not be sufficient by themselves to fully make zero-day exploits unaffordable.”
Defenders had made some progress in beating cybercriminals to the punch using big bug bounties, but this had driven the bounties paid for zero-day exploits into the “astronomic six-digit figures” – and motivated black-market criminals to diversify their revenue streams by consumerising attack capabilities through cybercrime-as-a-service offerings.
Floor prices are being set by a third ‘gray market’, Tenable found, that is defined by nation-state and other state-sponsored agencies that are researching and developing exploits for “covert intelligence operations” – complementing the white and black markets in a “symbiotic” ecosystem.
Leaks of such gray-market exploits – such as the ominously destructive EternalBlue harnessed by WannaCry and the newer BlueKeep vulnerability – have already created widespread problems for enterprises.
With an estimated $US200 billion ($A293b) in money laundering activity alone stemming from cybercrime – compared to the $US136b ($A200b) worldwide spend on security tools that is only expected to reach $US151b ($A226b) by 2023 – the imbalance between attackers and defenders was unlikely to get better any time soon.
The increasing concentration of market power in formalised exploit brokerages – which have taken over from previous generations of darknet-scouring freelancers – had been perpetuated by the increasing cost of developing exploits, estimated at $US30,000 ($A44,000).
“Independent researchers now frequently sell to the exploit brokerages directly or use freelance exploit brokers as middlemen,” the report says, noting that “this trend has concentrated the zero-day and exploit market into the hands of a few big players and, to a degree, also governments.”
This changing market dynamic means that the sale of exploits on darknet sites had “all but faded”, the report notes, as the increasing interplay between white, gray, and black markets built up a self-reinforcing V2E ecosystem by which vulnerabilities are converted into exploits.
Tenable outlines five core segments of the V2E supply chain – ranging from vulnerability discovery and exploit R&D to exploit brokering, production, and consumption – and notes that some segments are dominated by a “quite small” number of players.
“Information asymmetry and market value based on knowledge exclusivity are defining characteristics of the V2E market,” the report notes, “and separate the market players between those that want to publicly release knowledge about vulnerabilities and exploits to facilitate better defence and those that actively seek to keep this sort of information secret to retain its value for offensive purposes.”
A full spectrum of players had staked out various parts of the V2E supply chain, ranging from independent researchers and software/hardware vendors and service providers to cybersecurity vendors, cybercrime-as-a-service providers, exploit brokerages and brokers, bug bounty programs, and state-sponsored actors.
Tenable built models to estimate how lucrative this ecosystem is for its participants, noting that gray-market exploit brokers publish public price lists and activity is dominated by large brokers that can pony up the millions of dollars for an exploit that could become worthless if someone else also discovers it.
Salary estimates vary with specialisation from around £36,500 ($A69,000) to $US82,480 ($A121,000) and up but have a “realistic ceiling” for billable services such as penetration testing. Entry-level attack developers, by contrast, start earning up to $US90,000 ($A132,000) per year and upwards in the US market.
Exploits also vary by target platform, Tenable found, with an Adobe Acrobat remote code execution vulnerability peaking at $US80,000 ($A117,480) while an Android remote code execution and privilege escalation 0-click can command up to $US2.5m ($A3.7m).
Figures like that reinforce the hyper-competitive nature of the V2E supply chain, Tenable found, noting that the volatility of speculative cryptocurrencies had created additional challenges to the financial models used to manage exploit supply and demand.
Also challenging cybercriminals’ financial models were bug bounties, which seek to motivate would-be exploit developers to disclose their findings rather than selling them to the highest bidder.
The white market has increased the cost of exploit development but has also increased the cost of new zero-days, the report notes – while warning that, despite some successes, bug-bounty programs remain inconsistently beneficial at best.
“In theory exploit developers can earn upwards of millions of dollars – potentially becoming millionaires with a single exploit – but in reality those are the outliers and the vast majority of researchers who are involved in bug bounties and community research earn very little.”