According to the Identity Theft Resource Center, the 1,579 tracked data breaches in 2017 represent an alarming 44% increase over the number of breaches from the previous year. According to various reports, hundreds of millions of records were exposed through misconfigured databases and by attackers who took advantage of vulnerabilities to gain access to systems. For instance, the city of Atlanta's government was paralyzed in late 2017 through a massive ransomware attack that caused a seven-day outage.
And that was only one example.
Although many techniques can be used to prevent these kinds of attacks when you understand how data breaches happen, keeping your software up-to-date with the latest version is the simplest place to start.
But what enables these attacks isn't often explored. How do attackers find a vulnerability, write a piece of code to take advantage of that vulnerability -- i.e., build an exploit -- build a software delivery system around the exploit and then deliver the attack itself? The key point to recognize in this process is that no single person undertakes all of this work.
To understand how data breaches happen, it helps to view the attackers' side as a marketplace like any other. The work of turning vulnerabilities into cash represents a value chain: multiple actors each specialize in one small piece of that chain and supply the pieces that other actors use later in it.
This article will look at a recent research paper, "Economic Factors of Vulnerability Trade and Exploitation," by Luca Allodi out of the Eindhoven University of Technology in the Netherlands that examines the vulnerability exploit market. Before looking at the paper, however, consider the sort of economic value chain that stands behind the kinds of attacks discussed above.
Each of the steps in this exploit market chain can be -- and most often is -- performed by a different group of people. A group of researchers, for instance, uses penetration-testing tools, public announcements, insider information and reverse engineering to discover vulnerabilities. They either sell this information on a marketplace or develop a small piece of code that takes advantage of the vulnerability. A piece of code that takes advantage of a vulnerability is called an exploit, and exploits are sold in an exploit marketplace, represented in the diagram by the circle between the "develop exploit" rectangles. Other groups or individuals develop delivery mechanisms, among them compromised webpages, viruses, worms and auto-run sequences sent out by email, and sell them on a separate set of exploit markets.
Putting exploits together is how data breaches happen
Another group will purchase the exploits and delivery mechanisms, combining them into a system that is then used to perform the attack. These attacks can be used to deliver hosts to a botnet, exfiltrate data for later processing or other purposes. Finally, the botnet or exfiltrated data is placed in another marketplace, where they are purchased. Purchasers then make use of the data in different ways, including launching distributed denial-of-service attacks for hire or using credit card numbers to place charges and ultimately steal money directly from end users.
The health of one exploit market in this value chain can be used to gauge the health of the entire exploit marketplace. Exploits are a thin waist in the process, which means new vulnerabilities must be uncovered and exploits developed on a regular basis to drive value through the rest of the chain. In the case of Allodi's research paper, a researcher infiltrated one such popular exploit market to measure the number of new vulnerabilities represented by the exploits for sale. Several specific measures were taken from this information.
For instance, the researchers considered how many exploits were developed and sold for Common Vulnerabilities and Exposures (CVEs), how many were developed and sold for known vulnerabilities, and how many were developed and sold for zero-day exposures. CVEs are publicly catalogued, widely known vulnerabilities across a wide range of systems, such as buffer overflow and SQL injection flaws.
Known vulnerabilities are those discovered and reported in software. Patches are available for most of these vulnerabilities, so updating to a later version of the code will protect users from these exploits. Zero-day vulnerabilities are presumably unknown by the software creator, so there is no way to patch the software to defend against the vulnerability.
Patching can guard against how data breaches happen
In their sample, the researchers found 34 known vulnerabilities and CVE exploits were advertised, while only one exploit designed to take advantage of a zero-day vulnerability was advertised. This 34-to-1 ratio is instructive in showing just how important it is to apply patches when they are available. Most exploits available in these marketplaces take advantage of known vulnerabilities. In essence, attackers are counting on unpatched software, and they are even willing to pay for exploits that take advantage of known vulnerabilities, because they assume software will not be patched quickly enough to negate the effectiveness of an attack based on such exploits.
Another attention-grabbing result of the study is that the time between the discovery of a vulnerability and its availability in the exploit market is decreasing. This shows the value chain is delivering additional value to the consumers of the data -- or of botnets, as the case might be -- over time. Faster turnaround times mean people at each step in the chain are building tools and processes to make more efficient use of vulnerabilities as they are discovered, moving them into the exploit marketplace quickly and ultimately into the wild, where they can be used to buy and sell data.
One crucial lesson to take away from this study in terms of how data breaches happen is it's important to patch quickly. As these value chains become more efficient, the need to patch quickly becomes an imperative if you don't want to suffer the fate of many other organizations struck by the tail end of the vulnerability value chain.
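The exposure window the article describes, as an added defender-side example that is not part of the original article or Allodi's paper: for each vulnerability affecting an asset it compares the date an exploit became available with the date the patch was actually applied, reports how long the asset stayed exploitable, and flags patches that missed a hypothetical 14-day SLA. All dates and identifiers are constructed sample data.

```python
from datetime import date

# Constructed sample records (not taken from the paper): one row per
# vulnerability affecting an asset. Zero-days have no disclosure date.
RECORDS = [
    {"id": "VULN-A", "kind": "known", "disclosed": date(2017, 3, 1),
     "exploit_available": date(2017, 3, 20), "patched": date(2017, 3, 10)},
    {"id": "VULN-B", "kind": "known", "disclosed": date(2017, 5, 2),
     "exploit_available": date(2017, 5, 9), "patched": date(2017, 6, 15)},
    {"id": "VULN-C", "kind": "zero-day", "disclosed": None,
     "exploit_available": date(2017, 7, 1), "patched": date(2017, 8, 1)},
]


def exposure_days(rec):
    """Days the asset stayed exploitable after an exploit was on the market.
    Zero when the patch landed before the exploit became available."""
    return max((rec["patched"] - rec["exploit_available"]).days, 0)


def exploit_lead_days(rec):
    """Disclosure-to-exploit interval (the shrinking window the study reports).
    None for zero-days, which have no public disclosure date."""
    if rec["disclosed"] is None:
        return None
    return (rec["exploit_available"] - rec["disclosed"]).days


def summarize(records, patch_sla_days=14):
    """Aggregate the patching picture across all records."""
    known = [r for r in records if r["kind"] == "known"]
    leads = [exploit_lead_days(r) for r in known]
    late = []
    for r in records:
        # The SLA clock starts at disclosure; for a zero-day the earliest
        # defender-visible signal is the exploit itself.
        start = r["disclosed"] or r["exploit_available"]
        if (r["patched"] - start).days > patch_sla_days:
            late.append(r["id"])
    return {
        "known_vs_zero_day": (len(known), len(records) - len(known)),
        "exposed": [r["id"] for r in records if exposure_days(r) > 0],
        "avg_exploit_lead_days": sum(leads) / len(leads) if leads else None,
        "missed_sla": late,
    }


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["id"], rec["kind"], "exposed for", exposure_days(rec), "days")
    print(summarize(RECORDS))
```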