In this episode, Lillian Ablon discusses cyber threat categories in relation to markets for stolen digital data; the longevity of zero-day vulnerabilities and the resulting impact on business risk profiles; and the white, gray, and black markets for zero-day exploits.
About the guest: Lillian Ablon is an information scientist at the RAND Corporation where her research addresses a range of cybersecurity topics including markets for zero-day exploits, cyber risks to the supply chain, markets for stolen digital data, cyber insurance, and corporate strategies for cybersecurity defense. She holds a BA in mathematics from UC Berkeley and an MS in mathematics from Johns Hopkins University. She was awarded a black badge at DEFCON21 and has recently provided congressional testimony on markets for stolen digital data.
Did you like the show? Please rate, review, and subscribe!
KEY EXCERPTS FROM THE LILLIAN ABLON INTERVIEW
(the text below has been condensed and edited for clarity)
John Villasenor: You've done some really important and influential work in at least two areas of cybersecurity. One is markets for stolen digital data, and the second is markets for zero-day vulnerabilities. And I'd like to start with your work on markets for stolen digital data. Would you be able to provide a general overview of the different categories of threat actors in that space, the overlap between them, and so on?
Lillian Ablon: Absolutely. So a lot of my research looks at the ecosystem of cyber crime and the ecosystem of data breaches: the attackers, the victims, and the defenders.
Last March, I testified before the [House] Committee on Financial Services, Subcommittee on Terrorism and Illicit finance. They wanted to know what happens after a breach. Data gets stolen. And then what happens to it? How does it get monetized? One the key things I wanted to get across to the committee members, in addition to how stolen data gets monetized, was that there are different types of cyber threat actors, and how one responds, from a defenders points of view, to a data breach or to an attacker, can differ based on who the different cyber threat actors are. So a large part of my testimony focused on describing and distinguishing four groups of note that carry out cyber incidents or attacks.
These cyber threat actors can be grouped by their separate goals, motivations, and capabilities. And the four groups that I note are cyber criminals, state-sponsored actors, cyber terrorists, and hacktivists. So let me go through them really quickly, each one.
Cyber criminals are motivated by financial gain. They care about making money as quickly and efficiently as possible. They want access to our personal financial or health data in order to monetize them on cyber crime black markets. Cyber criminals often operate behind anonymous networks, like TOR, The Onion Router. They use encryption technology and digital currencies like Bitcoin to hide their communications and transactions.
State-sponsored actors receive direction, funding, or technical assistance from their nation-state to advance that nation's particular interests. State-sponsored actors have stolen and exfiltrated intellectual property, sensitive personally-identifiable information, and money to fund or further their espionage and exploitation causes. In rare cases, data stolen by state-sponsored actors appears on underground black markets. Instead, that data is usually kept by the attacker for their own purposes.
And cyber criminals and state sponsored actors are of greatest concern to businesses and the government. So those are really who policymakers, organizations, companies should be thinking about.
The other two are cyber terrorism and hacktivists. Cyberterrorism unites two significant modern concerns: attacks via technology in cyberspace and traditional terrorism. Now, in theory, cyber terrorism consists of a politically-motivated extremist group or non-state actor, conducting a damaging, extreme cyber attack to influence an audience, force political change, or cause fear or physical harm. Now, to date, there have been no cases of terrorists using the internet to actually carry out cyber attacks, although terrorists do certainly use the internet for a number of purposes. But what's been done that's been attributed to cyber terrorism is really more akin to hacktivism.
And that brings us to the fourth group of cyber threat actors. Hacktivists are typically motivated by a cause: political, economic, or social. From embarrassing celebrities, to highlighting human rights, to waking up a corporation to its vulnerabilities, to going after groups whose ideology they don't agree with.
John Villasenor: And when we talk about markets for stolen digital data, it's important, of course, not only to consider the sale of the data as you do, but you've also looked at another aspect of that ecosystem, which is the tools used to obtain the data in the first place. I read through the written version of the congressional testimony, and you did a really great job explaining that ecosystem. I was wondering if you could tell our listeners a little bit about the types of goods and services that are on the market that somebody who intends to later sell stolen digital data can use to obtain it in the first place.
Lillian Ablon: So these black markets—we call them the hackers’ bazaar. They are the markets for cyber crime tools and stolen data that, traditionally, we would think of cyber criminals using to buy and sell stolen data, or to buy and sell the tools to carry out and facilitate cyber crime attacks.
These markets offer a diverse slate of products for all phases of the full cyber crime life cycle, from the initial hack, all the way through to monetizing the stolen data. So a couple examples include things like tools to help gain initial access onto a target—so that might be an exploit kit, along with a payload, the parts and the features of those payloads. For example, a feature that makes it so it will obfuscate that that payload came from that exploit kit. So if an antivirus signature is created to detect that payload, that obfuscation will allow it to get through the antivirus detection.
There are services to help scale or deliver a payload, support products to ensure that infrastructure is set up, or to provide cryptoanalytic services like decrypting things, breaking codes, breaking captchas. And then there's also considerations for how to manage the stolen goods. So there's kind of money laundering services, if you will.
The product slate keeps evolving with the technology, whatever is new or novel for the traditional consumer. So mobile devices, in recent years, cloud computing technologies, social media platforms that offers new entries for attack.
John Villasenor: Sounds like a thriving ecosystem.
Lillian Ablon: A thriving ecosystem. Absolutely.
John Villasenor: To the extent that you can answer without divulging information that wouldn't be appropriate to make public, I have to wonder, where are these markets located??
Lillian Ablon: All you need is an internet connection and a device, and you, too, can be a cyber criminal. There are ”as-a-service” offerings where you can hire someone to do whatever you want. So there are places where people need to have a high technical ability in order to operate on these markets. But, for a lot of it, any Joe or Josephine can really participate in these markets.
John Villasenor: It's an illicit economy, but it's nonetheless an economy, so I would imagine that things like reputation play a role in the ability of the market participants to charge higher or lower prices, just like in any other market, right?
Lillian Ablon: Absolutely. There is honor among thieves in this case. Reputation matters a great deal. A lot of these marketplaces, a lot of the websites and the forums look similar to something like an Ebay, or an Amazon, where each seller has reputation points.
John Villasenor: How do people pay in these markets?
Lillian Ablon: Most black market sites accept digital cryptocurrencies as payment, so the appeal to digital cryptocurrencies are things like semi-anonymity. Currently, bitcoin is a popular choice. It's not the only choice. There's other digital cryptocurrencies that are being used, that are rising up in popularity. But, I've also seen sites that accept web money, E-gold. I've even seen PayPal little buttons, that you can press, you know, "We accept PayPal," banners.
John Villasenor: Some of these folks are just taking money via PayPal?
Lillian Ablon: Yeah, perhaps not the smartest choice in tracking payments, but you know, people especially in the cyber crime ecosystem, they want to get paid. So, if they can get money, that's a good thing.
John Villasenor: Let's move on to your work on zero-days vulnerabilities. In 2017, you co-authored, and published through RAND, an important report that was titled “Zero-Days, Thousands of Nights, The Life and Times of Zero-Day Vulnerabilities, and Their Exploits.”
Lillian Ablon: Let me just kind of take a step back, and explain the zero-day vulnerabilities, just to get everyone on the same page.
So, as you may know, all software has bugs. Some of those bugs are security vulnerabilities. Some of those security vulnerabilities are exploitable, meaning that someone could write software to infect a system, steal a data, take control of a computer, or disrupt normal operations. A zero-day vulnerability is one that the vendor doesn't know about, so that there's no patch or software update to fix it.
Now, these zero-day vulnerabilities, or zero-days, are extremely valuable, as you might imagine. Whoever is in possession of one, has a lot of power, because the vendor is unaware about the vulnerability. It's essentially, kind of an open door into someone's system.
I was able to add to the limited existing body of research of zero-day vulnerabilities using a dataset I acquired of information about more than 200 zero-day vulnerabilities, and their exploits, over half of which are still considered zero-day. With this dataset, I had three dimensions of zero-day vulnerabilities that I examined. The dimensions are life status, longevity, and collision rate.
Life status answers the question, "Given a vulnerability, who knows about it?" And why do we care about life status? Well, it helps to determine whether a vulnerability is still considered a threat, as a zero-day vulnerability. So, I took the data, and I started by classifying each vulnerability as either “alive” meaning, vulnerabilities that are unknown to the public, and only known privately, and therefore still considered zero-day, or “dead”—those vulnerabilities that are publicly known, and therefore, no longer considered zero-day.
A lot of people talk about vulnerabilities as either unknown and known, or alive and dead. So once I looked at my data as alive or dead, I noticed that there were things that didn't quite fit into alive or dead, and there was granularity in each of those topics. For example, among the vulnerabilities that were alive, we separated them even further into two different categories, living vulnerabilities, those are vulnerabilities actively sought out by defenders, and immortal vulnerabilities. These are ones that will remain in a product in perpetuity because the vendor no longer maintains the code, or issues updates.
And then, in terms of things that weren't alive or dead, we had this class of vulnerabilities that we called zombies. They're kind of quasi-alive, quasi-dead. Due to code revisions, they can exploited in older versions, but not the latest version of a product. So we realized that vulnerabilities are dynamic in their zero-day status, and that both those on offense and defense, can really benefit from being more granular, more specific when discussing zero-days. For example, those who are defensively oriented could think about searching previous versions of code bases that are still in use, due to zombie vulnerabilities. A strong case could be made for incentivizing, upgrading to new versions of a piece of software as end of life projects can have dormant immortal vulnerabilities in them.
John Villasenor: That's a fascinating taxonomy. Can you explain a little bit about what longevity is, and what are the statistics on zero-day longevity?
Lillian Ablon: Absolutely. So longevity was the second dimension that we looked at. And this answers the question, “how long will a vulnerability remain in private knowledge before becoming publicly known?” Why do we care about longevity? It's an important question because it helps give a sense for how long zero-day vulnerabilities of this caliber exist.
And so, knowing longevity could help those planning operations against hard targets know how long they can out for. The likelihood of that vulnerability dying, or becoming publicly known. And it can also show vendors and security companies how well they're doing at keeping their own devices secure. So, a short, average lifetime might indicate that they're doing a good job finding and passing the vulnerabilities in a short amount of time. And a long lifetime would mean the opposite.
What we found was that the average life expectancy for a zero-day vulnerability was rather long—almost 7 years. In fact, that's kind of how we got the title of the report, "zero days, thousands of nights," because it's something like 2,521 days or nights, which equates to 6.9 years, which is rather long.
John Villasenor: I would have guessed something shorter.
Lillian Ablon: Right. This can impact a business' risk profile. So, for example, companies may be amassing huge amounts of liability. It can have business implications, it can have national security implications. It was pretty incredible to see the life expectancy be that long.
John Villasenor: In this market for zero-days, the global market, who purchases these things? Is it governments, is it cyber criminals, is it companies trying to identify weaknesses in their own systems, all of the above?
Lillian Ablon: All of the above. But there's not just one market for zero days. They're broken up into different types of markets and there actually are quite a few classifications of these markets. The way that we distinguish them are by who the initial buyer is, the public versus private nature of the vulnerability, and then the intended use of the vulnerability. We actually separate the whole zero day market into three groups. We call them the white market, the black market, and then the gray market, or sometimes it's called the government market.
Those in the white market seek to immediately turn their vulnerabilities over to the affected vendor and then have them used for defensive or security purposes. So people who search for vulnerabilities within their own company's products, as well as those who participate in bug bounties or vulnerability disclosure programs fit into the white market. The black markets are where zero-days are for criminal use, illicit purposes. They aim to keep the vulnerabilities private. The third market [is] the gray market or sometimes we call it the government market. In that market the vulnerabilities remain private, are used for either offensive or defensive purposes, and they might eventually be disclosed to the affected vendor, though that's not necessarily guaranteed, because they're typically first sold to government, a military, or a defense contractor.
John Villasenor: Let me ask a related question which is on bug bounties, which companies often offer to incentivize people who discover vulnerabilities to disclose them to the company that makes the software concern. From a purely economic perspective, are these bug bounties cost competitive? And what I mean by that is, if someone has discovered a vulnerability and only cares about the money, they don't care about the ethical or legal implications, don't they have a larger economic incentive to sell the vulnerability for the most money possible on the black market, as opposed to turning it over to a company in exchange for a bug bounty that may be a lot less?
Lillian Ablon: So in theory, yes. And I might just amend your question to be sell it to the gray market versus the white market. There really seems to be very little in the black market. So yes, more money can be made on the gray market. We found that the purchase price for zero-day vulnerability on the gray market was estimated to be ten times the purchase price of a zero-day vulnerability on the white market.
John Villasenor: Assuming that the hypothetical person in the question, who is someone who doesn't care about the ethical or legal implications [and is a] purely economic actor, why would they sell it to the white market?
Lillian Ablon: From a purely economic point of view, if you have a vulnerability that's wanted by the gray market, that might be something that you would try to sell to them. But the types of vulnerabilities that are wanted by both of these markets are actually quite different. Certainly companies, those who run bug bounty programs and vulnerability disclosure programs, want those really difficult to find vulnerabilities. But they also want vulnerabilities that can be easily found, that can be easily exploited, and those aren't ones that are necessarily going to be used by the gray market customers. But there's a number of reasons for the disparity in price, the ten times more in the gray market than the white market.
In the white market, researchers stop once they've found the vulnerability, or once they've created what's called a proof of concept of exploit, just kind of proving that this vulnerability can actually be exploited. Over on the black market, and in the gray market, really, researchers there need to create a fully functioning exploit, which can take ten times the amount of work. That fully functioning exploit needs to be able to be used in the wild sometimes. It needs to be able to be run on all different types of modes or through different types of infrastructure.
John Villasenor: I see, so there is a logic that it costs more in the gray market, because you have to do more before you can sell it.
Lillian Ablon: Yes. And the vulnerabilities on the gray market are often more complex, deeper in code, harder to find and then harder to exploit than those bought and sold on the white market. So there's a reason for that ten times. So if you have a vulnerability that's wanted by both markets and your only motivation is financial gain, then the gray market would be where you would get more money. But it often takes someone who is highly skilled at finding the vulnerability and then creating that fully functional exploit in order to participate on the gray market. Now, the white market does try to pull in security researchers by making the case on ethical grounds, citing responsibility to disclose, offering recognition in legal-type payouts, and then also the will to do good and to protect the internet.