Why would an attacker ever want to sit on a zero-day exploit?
up vote
3
down vote
favorite
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
New contributor
add a comment |
up vote
3
down vote
favorite
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
New contributor
add a comment |
up vote
3
down vote
favorite
up vote
3
down vote
favorite
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
New contributor
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
zero-day
New contributor
New contributor
New contributor
asked 3 hours ago
jonem
1162
1162
New contributor
New contributor
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
up vote
4
down vote
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
add a comment |
up vote
2
down vote
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
add a comment |
up vote
0
down vote
From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.
Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.
Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.
This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?
add a comment |
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
4
down vote
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
add a comment |
up vote
4
down vote
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
add a comment |
up vote
4
down vote
up vote
4
down vote
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
answered 2 hours ago
McMatty
2,1251112
2,1251112
add a comment |
add a comment |
up vote
2
down vote
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
add a comment |
up vote
2
down vote
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
add a comment |
up vote
2
down vote
up vote
2
down vote
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
edited 28 mins ago
answered 57 mins ago
forest
28k1385101
28k1385101
add a comment |
add a comment |
up vote
0
down vote
From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.
Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.
Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.
This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?
add a comment |
up vote
0
down vote
From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.
Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.
Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.
This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?
add a comment |
up vote
0
down vote
up vote
0
down vote
From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.
Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.
Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.
This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?
From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.
Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.
Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.
This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?
edited 4 mins ago
answered 12 mins ago
bwDraco
24319
24319
add a comment |
add a comment |
jonem is a new contributor. Be nice, and check out our Code of Conduct.
jonem is a new contributor. Be nice, and check out our Code of Conduct.
jonem is a new contributor. Be nice, and check out our Code of Conduct.
jonem is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198951%2fwhy-would-an-attacker-ever-want-to-sit-on-a-zero-day-exploit%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown