The Secretive 0-Day Market
@greybrimstone @netragard adriel@netragard.com
“We protect you from people like us”
First, what is 0-day?
0-day = Undisclosed or unknown to the public.
Second, what is vulnerability?
Vulnerability = susceptibility to risk or harm
0-day + vulnerability
As it relates to computer security, a 0-day vulnerability is an undisclosed software flaw that can be used to control the flow of execution in a computer’s memory.
Who is really responsible?
Does anyone know who is responsible for the creation of 0-day vulnerabilities? Where does the risk really come from?
Software & Hardware Vendors
Hackers do not create 0-day vulnerabilities; technology vendors do.
Any time you deploy a new technology you are introducing 0-day vulnerabilities into your environment, even if it’s a “security” product.
Question
Do 0-days pose a higher risk than published vulnerabilities?
Fear of the unknown
The risks associated with 0-days are hugely distorted and amplified by the media and even the security industry.
What is the real risk of 0-day?
According to the Verizon Data Breach Investigations Report (DBIR), the risk associated with 0-days is negligible when compared to the risks associated with known vulnerabilities.
DBIR reports that 99.9% of exploited vulnerabilities had been compromised more than one year after the associated CVE was published.
and…
97% of compromises observed in 2014 were attributable to just 10 CVEs, most of which dated back to the early 2000s.
and…
Half of the CVEs published in 2014 went from publish to pwn in less than one month.
Here’s a pretty graph
So what is the real risk of 0-day?
0-day equates to about 0.01% of all known compromises. Most of the 0.01% aren’t memory corruption.
Common Sense
The likelihood of vulnerability exploitation increases as more people learn about the vulnerability and/or its methods of exploitation.
0-day lifespan
The biggest secret in the 0-day marketplace is the 0-day. Keeping that secret is challenging.
Every time a 0-day is used to compromise a target, its chances of discovery increase exponentially. Keeping a 0-day secret means limited and highly controlled use, or non-external, research-based use.
0-day lifespan
0-days are expensive. Anyone who purchases a 0-day exploit wants maximum value, which is directly tied to lifespan. It is for this reason that it is rare for 0-days to be used for mass compromise.
Privacy
The federal government doesn’t need to use 0-days for mass surveillance. The government collects data directly from service providers.
Privacy
If anyone decides to use a zero-day exploit to infringe on your privacy then chances are that you’ve done something to warrant that level of attention. You’ve made yourself a high-value target.
Ethics
The ethics of a 0-day are determined by the humans that use them, not by the actual 0-day.
In 2013 the FBI allegedly used a Firefox 0-day to take down a child pornography ring. Ethical or not?
Ethics
Stuxnet, a computer worm first reported by security company VirusBlokAda in mid-June 2010, was built to sabotage Iran’s nuclear program with a series of what would appear to be accidents. Stuxnet used multiple 0-days. Ethical or not?
Buyers
Who buys 0-day exploits?
Security Companies
Governments
Organized Crime
But, not most software vendors
Vetting buyers
Determining who should or should not be able to purchase 0-day exploits is becoming increasingly difficult. A framework needs to be created to support a legitimate 0-day market. The Wassenaar Arrangement is not the correct framework.
Necessary Technology
Banning 0-days == Increased Risk
All countries use 0-day vulnerabilities for offensive research (including North Korea).
Questions
Contact Information:
Adriel T. Desautels
@greybrimstone / @netragard
617-934-0269
We protect you from people like us
https://www.netragard.com