Tenable declares there are far worse security threats to fear than zero-day exploits
‘If you’re scared of zero-days, you don’t know what you’re talking about’ claims Tenable
There's "a lot of bulls**t when it comes to cyber security" Gavin Millard, VP intelligence at Tenable, claimed at the company's Edge event, but chief among all of it is the unjustified fear of zero-day exploits.
There's a lot of focus on the potential catastrophe that can arise with a zero-day exploit inside a business' systems, and in the case of WannaCry, entire countries. However, Millard noted that "in reality, it's the same stuff that's being leveraged all the time". This is evidenced by the top four vulnerabilities being targeted by attackers right now.
According to Oliver Rochford, director of research at Tenable, three of the most targeted vulnerabilities are in Adobe Flash - a technology most browsers have abandoned - and the last is in Internet Explorer, a browser which is due to go end-of-life next year and no longer ships as the default browser on Windows machines.
It's these unexceptional vulnerabilities that security teams need to be stressing over, not the "sexy" zero-days, as Millard put it.
Exemplifying this, the researchers discovered that attackers would have a working exploit a week before the defenders could even detect it in a scan. This was the case in 50 of the most critical vulnerabilities that featured in a recent Tenable study. "This just shows you that this focus on zero-days is kind of pointless," Rochford added.
In fact, it's the "three-month-days" that can be the most damaging, according to Millard. WannaCry is a good example of this as it exploited vulnerabilities that were disclosed and patched, supposedly, months before the attack took place.
The same goes for NotPetya, both attacks can be traced back to one vulnerability (MS17-010) and in neither case was it a zero-day. This vulnerability was allegedly first discovered by the NSA but then was stolen by The Shadow Brokers (TSB), Millard said.
It's also alleged that the NSA tipped off Microsoft after it realised it had lost the exploits to TSB, allowing Microsoft to create a patch for it. Said patch was released on 14 March 2017, TSB disclosed the vulnerability a month later and then WannaCry hit on 12 May 2017, three months after Microsoft patched the issue.
Millard said the vulnerabilities were patched and organisations had tools that allowed them to identify the systems still open to attack, so nothing should have gone wrong, but it did.
The story of this vulnerability not only highlights how zero-days aren't the threats to be worried about but also emphasises the importance of effective patch management.
Malware is a careful craft
Away from the criticisms of security teams' beliefs, Rochford said that it doesn't matter how a vulnerability is exploited, it's going to happen; there's very little we can do stop it and cyber crime in general.
This is due to how lucrative the field is and the investment it would take to dwarf the revenue created by cyber crime. Citing statistics from Gartner, Rochford said cyber crime revenue is more than ten times the amount spent on cyber security, so the defenders must work smarter in order to keep up with the wealthy criminals.
The revenue generated by cyber crime is estimated at $1.5 trillion (1.17 trillion) while the amount spent to defend against the black hats is just $136 billion (105.7 billion). It's easy to see how lucrative the field is when you understand that even if just 0.05% of ransomware victims pay the criminals, their ROI soars to greater than 500%.
But it's not just enough to launch ransomware campaigns and expect massive payouts, it's important to create a campaign that's effective, but quiet enough to avoid too much attention. "There's a sweet spot in monetising it without wanting to be too public so that you can really sustain it," said Rochford.
Cyber crime is all about monetisation now, gone are the days where in the early 1990s people would just break into networks for fun. Millard mentioned Fluffy Bunny, a hacker in the late 90s who used to "pop really famous websites... and it was basically graffiti - there was no monetisation".
There's serious money to be made now. It's a trillion-dollar industry that isn't slowing down and cyber security teams are just playing catch up.