5

Earlier this week the head of the NSA's Tailored Access Operations unit rather remarkably gave a presentation at the USENIX Enigma security conference. (News coverage here and here; video of the talk here). The topic of the talk: how to defend against sophisticated, persistent, nation-state-level attackers, like, well, the TAO. As one might expect, there were no jaw-dropping revelations of classified, novel techniques for hacking or defense. But the TAO chief nonetheless made at least a few thought-provoking points. One of them was about the NSA's use of zero-day exploits. Or, actually, the uncommonness thereof:

“A lot of people think that nation states are running their operations on zero days, but it’s not that common,” he said. “For big corporate networks persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive.”

One might be suspicious, on any number of grounds, that the head of the NSA's hackers could simply be understating the role of using zero-days in these obviously classified operations. And obviously, there have been any number of documented nation-state operations in recent years that have used zero-days. (None more extensively than Stuxnet attacks orchestrated in large part by, yes, the NSA.) Still, even if the degree of his dismissiveness was a little bit "thou doth protest too much", I've definitely read and heard similar things from other sources recently sounding similar themes. (Like this article, and this presentation at Defcon last month.) And, incidentally, the rest of the talk was pretty persuasive that NSA hackers are adept at finding and getting in through cracks in a target's defenses without needing to resort to zero-days.

(Edit: To clarify, for this question I take "zero-day" to mean a vulnerability and accompanying exploit the existence of which are unknown to the defender and to general infosec community when they are used in an attack.)

So, the question: anybody know of any info--from statistics of some kind, anecdotes of personal experience, whatever you think significant--that speaks to how often sophisticated attackers who have access to zero-days--in other words, basically nation-states--actually resort to using them in attacks?

mostlyinformed
    Publicly known 0-days or secret 0-days? There are lots of examples of 0-days being exploited "in the wild" when they are announced (but not yet patched). – schroeder Jan 29 '16 at 21:49
  • @schroeder Good point. I was thinking of zero-days that are secret, or at least, secret from the defender and the general infosec community. (I understand some exploit-for-sale entities will sometimes sell information about a zero-day to more than one country or organization. So I suppose a vulnerability/exploit could be known to more than one entity but still be "secret".) I will clarify that. – mostlyinformed Jan 30 '16 at 00:51
  • Yeah the use of the term "zero-day exploit" is sort of a misnomer. I find it interesting when there is no public code available but an adversarial team like a nation state or criminal org all of a sudden uses an exploit for a patched vuln where the patch is 0-3 months old. This happened twice in the Stuxnet codebase, as an example (patches were available but no known exploit code was). What's scary about very-recent patches with no public exploit code is that many IDS/IPS/UTM devices do not have signatures yet. Red-team engagements can't use them yet for adversarial simulation. – atdre Jan 30 '16 at 02:06
  • IMHO it's easily understandable that those who have resources of 0-days available would prefer not to use them as long as they could somehow manage to achieve their goals without using (in a sense wasting, due to the risk of the employed 0-days being subsequently known and hence no longer 0-days that could be advantageously used in the future) these precious resources. A remote analogy: Good physicians commonly hesitate to prescribe (strong) antibiotics to treat inflammations excepting in cases of necessity. – Mok-Kong Shen Jan 30 '16 at 15:44
  • @atdre All those admins practicing vulnerability management by considering only vulns that have or get widely known exploits to be "urgent" priorities for patching. And considering it fine to leave the rest of the patches in evaluation and testing for weeks, or months, or...however long. After all, there are no exploits for those vulnerabilities, right? – mostlyinformed Jan 31 '16 at 09:38
  • @Mok-Kong Shen Certainly it makes sense to not use zero-days where you don't need to do so, as you well stated. The underlying question, I guess, is how often do three-letter defense and intelligence agencies do need to do so. They have incentives to make usage as limited and targeted as reasonably possible. But given some of the numbers that pop up here and there on resources spent to acquire or develop them --Snowden documents suggested the NSA spent *at least* $50 million in one year of buying them--usage of them is probably not quite as rare as the TAO chief implied. – mostlyinformed Jan 31 '16 at 09:57
  • @halfinformed: You have IMHO a valid point. However, intuitively not all 0-days are equally strong/sophisticated, so one would choose to use them in a certain optimal way, i.e. attempting to keep the best ones, if feasible, for future use, I believe. – Mok-Kong Shen Jan 31 '16 at 17:27
  • Every time a 0day is used, it risks no longer being a 0day. This is often referred to as "burning" a 0day. – forest Jun 17 '18 at 22:37
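The patch-prioritisation point raised in the comments above (a vendor patch that is weeks old being treated as low priority because no public exploit code exists, while signatures for the vulnerability may not exist yet either) can be made concrete as a triage policy. The following is an added example, not code from the thread or from any of its participants: the vulnerability records and `VULN-000x` identifiers are constructed placeholders, the SLA tiers are assumptions chosen for illustration, and the "exploit-only" comparison shows which findings a policy keyed solely on public exploit availability would leave in the queue.

```python
"""
Patch-triage policy that does not wait for public exploit code.

Added example for illustration only. It encodes the defender's takeaway
from the discussion: a patched vulnerability on an exposed host is a
realistic vector for a capable attacker long before public exploit code
(or an IDS signature) appears, so urgency should be driven by exposure,
severity and patch age rather than by exploit availability alone.
All records below are constructed sample data; the IDs are placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # placeholder identifier, not a real CVE
    host: str
    patch_released: date    # date the vendor patch became available
    public_exploit: bool    # is exploit code publicly available?
    internet_exposed: bool  # is the affected service reachable from the internet?
    severity: float         # vendor / CVSS-style base score, 0.0 to 10.0


# Assumed service-level targets: days allowed between patch release and
# deployment for each tier.
SLA_DAYS = {"urgent": 7, "high": 30, "normal": 90}


def classify(v: Vuln) -> str:
    """Return the triage tier: 'urgent', 'high' or 'normal'.

    'urgent' deliberately does not require public_exploit: an exposed host
    with a high-severity, already-patched bug qualifies on its own.
    """
    if v.public_exploit or (v.internet_exposed and v.severity >= 7.0):
        return "urgent"
    if v.internet_exposed or v.severity >= 7.0:
        return "high"
    return "normal"


def triage(vulns, today: date):
    """Return (id, host, tier, patch_age_days, days_past_sla) for every
    finding that is past its SLA, worst first."""
    rows = []
    for v in vulns:
        tier = classify(v)
        age = (today - v.patch_released).days
        overdue_by = age - SLA_DAYS[tier]
        if overdue_by > 0:
            rows.append((v.vuln_id, v.host, tier, age, overdue_by))
    rows.sort(key=lambda r: (-r[4], r[0]))
    return rows


def missed_by_exploit_only(vulns, today: date):
    """IDs that are past SLA under this policy but would never have been
    escalated by a policy that only treats vulns with public exploit code
    as urgent. This is the gap the comments above describe."""
    by_id = {v.vuln_id: v for v in vulns}
    return [r[0] for r in triage(vulns, today) if not by_id[r[0]].public_exploit]


# Constructed sample inventory; dates chosen around the thread's timeframe.
TODAY = date(2016, 1, 31)
SAMPLE = [
    Vuln("VULN-0001", "vpn-gw-01", date(2015, 12, 10), False, True, 9.8),
    Vuln("VULN-0002", "web-02", date(2016, 1, 20), True, True, 6.5),
    Vuln("VULN-0003", "file-srv-03", date(2015, 11, 15), False, False, 7.5),
    Vuln("VULN-0004", "print-01", date(2016, 1, 5), False, False, 4.3),
    Vuln("VULN-0005", "mail-01", date(2016, 1, 28), False, True, 5.0),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, TODAY):
        print("%-10s %-12s %-6s age=%3dd overdue_by=%3dd" % row)
    print("missed by an exploit-only policy:", missed_by_exploit_only(SAMPLE, TODAY))
```

Run as-is, the report lists three findings past SLA; two of them (`VULN-0003` and `VULN-0001`) have no public exploit and would sit untouched under an exploit-only policy even though one is a high-severity bug on an internet-facing gateway with a patch that is over seven weeks old. Tune `SLA_DAYS` and the severity thresholds to your own environment; the point of the structure is that exploit availability is one input to urgency, not the gate.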

3 Answers

5

I drove a project that looked at this while I was at Microsoft. The answer is that the vast majority of break-ins do not use 0-days. We used malware as a proxy for break-ins, because data was more accessible and puts the use of 0-days in perspective.

The data here doesn't break out sophisticated attackers, but the arguments you put forth as to why no one wants to use 0days are solid. They were probably used in Stuxnet because of the air gaps.

https://blogs.technet.microsoft.com/mmpc/tag/sir-v11/

Since that's a long report, I should add that it's the opening section, "Zeroing in on malware propagation methods" which addresses the question.

Adam Shostack
1

Breaking in is all about research. You need to spend time surveying a network and its various points of entry or access. Part of that will be reviewing the hardware, firmware and software running.

The first point of attack I might pick would be wifi. I would find out the model of access point they use and then download the firmware. Once I have the firmware file I can usually see all the files, php pages, and settings that system has by default.

If I discover a weakness then that's a zero day. But if I discover a weakness in how the administration configured that device it's not necessarily a zero day. So I am looking for weaknesses and sometimes find a zero day that so happens to be a weakness.

Zero days are important because they are weaknesses. But information is much more valuable. More often I can find weakness in configuration by end users and administrators than I can in corporations who have at least spent some time thinking this kind of stuff over.

TL;DR: If you want to attack you research. Every model. Every firmware. Every patch. You find out everything you can and it becomes obvious how networks are weak.

Nick Young
0

From what I've seen personally, heard from speakers at conferences, and read news articles about, most companies are extremely porous when it comes to security. So it should come as no surprise that attackers generally don't have to use 0-day vulnerabilities.

If you want hard data, Trustwave has published some statistics they gathered from investigations available at https://www2.trustwave.com/rs/815-RFM-693/images/2015_TrustwaveGlobalSecurityReport.pdf

Steve Sether