Why would an attacker ever want to sit on a zero-day exploit?











up vote
3
down vote

favorite
1












I am trying to understand why an attacker would want to wait to use a zero-day exploit.



I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



Question: What factors would cause the attacker to wait to use a zero-day exploit?










share|improve this question







New contributor




jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    3
    down vote

    favorite
    1












    I am trying to understand why an attacker would want to wait to use a zero-day exploit.



    I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



    Question: What factors would cause the attacker to wait to use a zero-day exploit?










    share|improve this question







    New contributor




    jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      3
      down vote

      favorite
      1









      up vote
      3
      down vote

      favorite
      1






      1





      I am trying to understand why an attacker would want to wait to use a zero-day exploit.



      I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



      Question: What factors would cause the attacker to wait to use a zero-day exploit?










      share|improve this question







      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I am trying to understand why an attacker would want to wait to use a zero-day exploit.



      I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



      Question: What factors would cause the attacker to wait to use a zero-day exploit?







      zero-day






      share|improve this question







      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 3 hours ago









      jonem

      1162




      1162




      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          3 Answers
          3






          active

          oldest

          votes

















          up vote
          4
          down vote













          Because the old ways are the best.
          Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
          Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






          share|improve this answer




























            up vote
            2
            down vote













            It's more likely that you'll burn a 0day by using it than by sitting on it.



            There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



            Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



            There are a few other reasons 0days may be kept for long periods:




            1. Some people simply hoard 0days for the sake of it. This is all too common.


            2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


            3. Sometimes a 0day broker is sitting on them while waiting for the right client.







            share|improve this answer






























              up vote
              0
              down vote













              From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



              Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



              Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



              This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?






              share|improve this answer























                Your Answer








                StackExchange.ready(function() {
                var channelOptions = {
                tags: "".split(" "),
                id: "162"
                };
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function() {
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled) {
                StackExchange.using("snippets", function() {
                createEditor();
                });
                }
                else {
                createEditor();
                }
                });

                function createEditor() {
                StackExchange.prepareEditor({
                heartbeatType: 'answer',
                convertImagesToLinks: false,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: null,
                bindNavPrevention: true,
                postfix: "",
                imageUploader: {
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                },
                noCode: true, onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                });


                }
                });






                jonem is a new contributor. Be nice, and check out our Code of Conduct.










                draft saved

                draft discarded


















                StackExchange.ready(
                function () {
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198951%2fwhy-would-an-attacker-ever-want-to-sit-on-a-zero-day-exploit%23new-answer', 'question_page');
                }
                );

                Post as a guest















                Required, but never shown

























                3 Answers
                3






                active

                oldest

                votes








                3 Answers
                3






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes








                up vote
                4
                down vote













                Because the old ways are the best.
                Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






                share|improve this answer

























                  up vote
                  4
                  down vote













                  Because the old ways are the best.
                  Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                  Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






                  share|improve this answer























                    up vote
                    4
                    down vote










                    up vote
                    4
                    down vote









                    Because the old ways are the best.
                    Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                    Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






                    share|improve this answer












                    Because the old ways are the best.
                    Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                    Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 2 hours ago









                    McMatty

                    2,1251112




                    2,1251112
























                        up vote
                        2
                        down vote













                        It's more likely that you'll burn a 0day by using it than by sitting on it.



                        There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



                        Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



                        There are a few other reasons 0days may be kept for long periods:




                        1. Some people simply hoard 0days for the sake of it. This is all too common.


                        2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


                        3. Sometimes a 0day broker is sitting on them while waiting for the right client.







                        share|improve this answer



























                          up vote
                          2
                          down vote













                          It's more likely that you'll burn a 0day by using it than by sitting on it.



                          There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



                          Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



                          There are a few other reasons 0days may be kept for long periods:




                          1. Some people simply hoard 0days for the sake of it. This is all too common.


                          2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


                          3. Sometimes a 0day broker is sitting on them while waiting for the right client.







                          share|improve this answer

























                            up vote
                            2
                            down vote










                            up vote
                            2
                            down vote









                            It's more likely that you'll burn a 0day by using it than by sitting on it.



                            There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



                            Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



                            There are a few other reasons 0days may be kept for long periods:




                            1. Some people simply hoard 0days for the sake of it. This is all too common.


                            2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


                            3. Sometimes a 0day broker is sitting on them while waiting for the right client.







                            share|improve this answer














                            It's more likely that you'll burn a 0day by using it than by sitting on it.



                            There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



                            Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



                            There are a few other reasons 0days may be kept for long periods:




                            1. Some people simply hoard 0days for the sake of it. This is all too common.


                            2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


                            3. Sometimes a 0day broker is sitting on them while waiting for the right client.








                            share|improve this answer














                            share|improve this answer



                            share|improve this answer








                            edited 28 mins ago

























                            answered 57 mins ago









                            forest

                            28k1385101




                            28k1385101






















                                up vote
                                0
                                down vote













                                From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



                                Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



                                Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



                                This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?






                                share|improve this answer



























                                  up vote
                                  0
                                  down vote













                                  From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



                                  Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



                                  Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



                                  This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?






                                  share|improve this answer

























                                    up vote
                                    0
                                    down vote










                                    up vote
                                    0
                                    down vote









                                    From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



                                    Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



                                    Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



                                    This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?






                                    share|improve this answer














                                    From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



                                    Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



                                    Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



                                    This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?







                                    share|improve this answer














                                    share|improve this answer



                                    share|improve this answer








                                    edited 4 mins ago

























                                    answered 12 mins ago









                                    bwDraco

                                    24319




                                    24319






















                                        jonem is a new contributor. Be nice, and check out our Code of Conduct.










                                        draft saved

                                        draft discarded


















                                        jonem is a new contributor. Be nice, and check out our Code of Conduct.













                                        jonem is a new contributor. Be nice, and check out our Code of Conduct.












                                        jonem is a new contributor. Be nice, and check out our Code of Conduct.
















                                        Thanks for contributing an answer to Information Security Stack Exchange!


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid



                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.


                                        To learn more, see our tips on writing great answers.





                                        Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                                        Please pay close attention to the following guidance:


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid



                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.


                                        To learn more, see our tips on writing great answers.




                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function () {
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198951%2fwhy-would-an-attacker-ever-want-to-sit-on-a-zero-day-exploit%23new-answer', 'question_page');
                                        }
                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        數位音樂下載

                                        When can things happen in Etherscan, such as the picture below?

                                        格利澤436b