On Oct 12 odix hosted a panel conversation about the role of zero-day attacks in building a secure cyber defense. Moderated by odix’s Head of PR Yehudah Sunshine and driven by the insights of Halodata CEO Resham Ganglani and odix CTO Omri Eytan, the panel served as a springboard for discussing the broad categories and potential risks of zero-day attacks.
We highlight some of the biggest takeaways and most impactful advice from the panel below.
What is a Zero-Day Attack?
“I think we’ve seen a lot of zero-day attacks recently and in the last year, but I think that the start or the beginning part of a zero-day attack is always the zero-day vulnerability: a vulnerability where a hacker, a paid hacker adversary, or even a threat analyst looks for a vulnerability in the software and/or existing network that is unknown to the manufacturer or the software creator or provider.
And they make use of this to create an exploit. Once the exploit is created, an exploit package is created. And then it’s a matter of when it’s used, and when it’s used, it becomes a zero-day attack, because it’s unknown to anyone and, you know, it causes a lot of damage.”
How is a Zero-Day attack different from a ransomware attack or the broader idea of malware?
“Zero-days and ransomware are somewhat different terms from different terminology fields. For zero-days, in practice the term has shifted a bit over the years. It started out as vulnerabilities that were available at product launch. It now refers, in some cases, to the days that have passed since the vulnerability or exploit became available and exploited in the wild. We’ve seen some places where zero-day refers to the amount of time passed since the signature-based detection engines knew how to detect these attacks and vulnerabilities.
So, we’ve seen a lot of shifts in how the industry deals with these kinds of threats over a long time. And if we try to relate it, you know, to ransomware:
So, when a zero-day is dropped, it typically isn’t related to any specific form of ransomware. I think that if we think about, you know, the MITRE ATT&CK matrix and all the different tactics, then ransomware covers the entire chain, from, you know, the entry point up until the impact, where the attacker demands the ransom. We typically see zero-days being dropped and published, and after that, depending on the complexity of implementation, we see them employed in various attacks, mainly ransomware and ransomware-as-a-service. So we have the ransomware-as-a-service providers adding the zero-day vulnerability and capabilities into their ransomware-as-a-service platform. So it’s a capability that we see the threat actors adding to their toolset, if we’re talking about the commercial side of it.”
What are the metrics and costs of Zero-Day attacks?
“From a perspective where you’re looking at it, initially zero-day exploits were difficult to find. People had to make them. Today, like Omri mentioned, there is a marketplace for it. And such marketplaces exist, and prices are listed. And exploits vary, right, from drive-by attacks to zero-touch attacks to no-action-required ones, or, you know, a lot of them are inserted into documents or into PDF attacks, or inserted into mobile phishing attacks. And there are a lot of different exploits that are available.
And based on that, you know, we saw that recently one of the attacks was used on Jeff Bezos on his mobile phone a few years ago. But yeah, exactly. So these kinds of attacks and marketplaces exist, and you can go on to Zerodium, which is a website where they list some of these exploits and the kind of money people are willing to pay to buy such exploits. It used to be up to a million, but in the last year or so we’ve seen exploits being sold for up to 2.5 million. So the exploits are curated; they’re still zero-day. No one knows what they’re about. The objective is whatever the user wants to happen, or how they want it to happen. And so both are for sale. And, you know, before my interview, I read up a bit on the Zerodium site, and they were saying that in the last three years you can see that the cost of exploits, the most expensive exploits, has gone up 1150%.”
Who are the key players driving Zero Day attacks?
“Because of the high development costs that we’ve mentioned, eventually zero-days should have an impact, and it should be a justified impact. It could be a financial impact that covers the expenses, or it could be an impact that is worth the price for, let’s say, a nation state that wants to, for political reasons, do something to a rival nation, or even do some bad stuff to businesses and other places. But I think that we need to look at, first of all, who’s developing zero-days, who’s buying zero-days, and eventually what are they deploying them for?
For a long time, we’ve had nation states developing zero-days for their political agenda, as offense tools, as legit offense tools. So these types of zero-days usually start from a requirement, so recon is done: we want to do X to Y. You recon their systems, and now we need to figure out, okay, they have these systems and software apps in place; these are the targets that I need to find zero-days for in order to get in. The impact is known prior to getting started. So that pretty much focuses the security research and zero-day development towards the systems that the designated target has. There are kind of general capabilities, though, having the ability to strike software that is readily available. But these are in the nation-state category, which has a lot of funding and has in-house programs, allegedly, to do all that.
But lately, we’re seeing a lot of cyber offense companies that are buying these exploits in order to sell a product, to sell a service. They’re selling their offensive capabilities to corporates that want to engage in espionage on their competitors, to other governments that want to monitor threats of any kind. And I think that here, again, it differs according to the business model, again shifting back to the business terminology.
Let’s say that a cyber offense company offers their services. That is not a cheap product; it’s priced very high. And a zero-day, once it’s used, it’s been out there.
So there’s a risk of the zero-day being discovered and then eventually being patched, updated, etc. So the cost here to the customer is very high, and it justifies a high price for the zero-day capability. That’s on one end: that’s a single deal, high budget. But on the other hand, you have, let’s say, a lot of exploits, zero-day exploits, that are used en masse. So the impact is spam ransomware, something that will bring in smaller amounts of money across the board. And that pretty much ensures that the zero-day will be burned, because you carpet-bomb whoever you are able to reach, and at that point it’s out there; security researchers will eventually patch it. But the business model is different. You just do a mass deployment, and eventually you have a few dozen, hundreds, thousands who would pay the ransom eventually. So it just brings me back to that: it’s just a matter of business model eventually.”
“It can be anyone, and it can be any business. But as Omri already pointed out, we’re seeing that it’s becoming more of a business, better organized, better managed, with that marketplace being available. And it could be for corporate espionage. It could be targeted corporate espionage; it could be someone creating an exploit and selling it, and not knowing why it’s used or who it’s being used for, because it’s a marketplace; or it can be specifically targeted from one nation to another nation.
They could be competitors. It could be just people playing around. I mean, in our region in Southeast Asia, what we’ve seen is there are times where, you know, political situations heighten tensions, and then you see, like, you know, Indonesian hacker groups saying let’s attack Malaysia, let’s use whatever exploits you have, and attack Malaysian companies or Singapore companies, or vice versa, and it becomes, you know, emotions, and the hackers come up from nowhere.”
To watch the full panel and learn more about the rise of Zero-Day attacks click here