The Ponemon Institute’s “State of Endpoint Security Risk 2018” report has a number of interesting findings. Two of these findings stand out. First, 52% of respondents say that cyberattacks “cannot be realistically stopped.” Second, they state that zero-day attacks are four times more likely to compromise a target.
You know that saying that “it takes a village to raise a child”? Well, it takes a community to build a secure software product.
Zero-day vulnerabilities have met their match in the form of the Zero Day Initiative (ZDI). In this article, I’ll look at why we all need to work together to go from zero to security hero.
What is A Zero-Day Vulnerability and Why Is It Such a Big Deal?
Software vulnerabilities and issues like OS and software configuration flaws make us susceptible to a cyberattack. Software flaws give hackers a hook into a system: This we know. When someone talks about a “zero-day vulnerability,” what they mean is that the flaw is still fresh, untouched (or fixed/patched) — it’s like virgin snow. The vendor of the software product that contains the flaw has yet to fix it. This makes the flaw particularly attractive as far as a cybercriminal is concerned: To them, it is like an open door that has yet to be closed.
“Zero-day” literally means there have been zero days available to fix the vulnerability. It becomes a race against time — the hackers packaging zero-day exploits to take advantage of the flaw before a patch is released and users update their software.
Hackers generally find out about the existence of a zero-day vulnerability through a black market set up to sell data on the vulnerability to those who wish to exploit it.
Understanding what a zero-day vulnerability is explains why Trend Micro started the Zero Day Initiative. We need to take the vulnerabilities out of the hands of the hacker.
What Is the Zero Day Initiative?
Trend Micro started the Zero Day Initiative (ZDI) back in 2005. Their philosophy was, and continues to be, that the security industry is filled with highly-skilled people so why not tap that resource? These security professionals come across software flaws on a daily basis. So let’s draw on those skills and findings and incentivize the flaw finders with a financial payout. This idea became the Zero Day Initiative.
The ZDI is a way of creating an ecosystem of skilled professionals to counterbalance the “black market” for vulnerabilities. Instead, the ZDI builds a “white market” for these same vulnerabilities.
One of the key things about the Zero Day Initiative is that it acts as a degree of separation, keeping the security researcher and the vendor separated. The ZDI making sure that the vulnerability reporter is kept anonymous.
You may ask why is this necessary. Vendors can be quite sensitive about their services and systems being tested for flaws. In fact, researchers can be wary of reporting a flaw for fear of a lawsuit. One example being the cease-and-desist letter sent by PWC to researchers who had found a critical security flaw in one of their tools.
Individuals wishing to report a vulnerability sign up as a ZDI researcher. They can then share the security flaw with ZDI, and published security advisories are placed on the Zero Day Initiative site. ZDI is then responsible for managing the zero-day information and communicating with vendors.
ZDI also runs an annual security contest, PWN2OWN. The contest is based around different topical subjects each year. This year’s PWN2OWN 2019 contest includes the Tesla Model 3 connected car as a target for the competition hackers. The outright winner will be given the car as a prize. Vulnerabilities found during the competition can reach pay-outs of up to $300,000.
How Does the Zero Day Initiative Operate?
There are a few basic steps to the ZDI that lubricates the wheels of the project:
Step 1: A zero-day flaw is reported to the ZDI.
Step 2: Internal ZDI researchers check the bug out to validate it is a zero-day vulnerability.
Step 3: Trend Micro then splits the flaws up into Trend Micro clients and other vendors.
Step 4: Trend Micro informs the customer of the bug; they then inform other vendors of their zero-day flaw.
Step 5: Vendors are given 120 days to make a patch available. If they do not show at least progress towards a fix in those 120 days, a notice is sent out so that enterprises can check the risk against their systems. Extensions to the 120-day cut-off can be requested.
What’s the Difference Between the Zero Day Initiative and Bug Bounty Programs?
Bug Bounty programs are generally run by a specific vendor to identify software vulnerabilities in their own codebase. For example, Google has the Vulnerability Reward Program which pays up to $31,337 for qualifying bugs found in their offerings.
The Zero Day Initiative is not confined to one vendor. It encourages vulnerability researchers to look across the entire software industry for vulnerabilities. It then handles these data, reporting to the vendor on behalf of the researcher and paying a fee to the flaw finder as a reward.
The nature of the ZDI is what differentiates it from bug bounty programs. This approach supports the entire industry. Small software houses who could not otherwise afford a bug bounty program can potentially have zero-day exploits identified.
The Black and White of Zero-Day Vulnerabilities
One of the reasons that the Zero Day Initiative came about was because zero-day vulnerabilities were being sold on the Dark Web. Trend Micro wanted to push Dark Web-listed zero-day exploits into the light of the white market, legitimizing their sale and keep them from falling into the wrong hands.
The creation of a program that levels the playing field and encourages the collaboration and sharing of vulnerabilities in software will ultimately create safer IT solutions. The industry coming together, using the vendor-neutral Zero Day Initiative as a platform for change, is welcome in a cyberworld growing increasingly complicated. It doesn’t replace the vendor-focused bug bounty programs but instead enhances them.
The ZDI is a community effort. And it seems to be working. The Dark Web has seen a decrease in zero-day vulnerabilities for sale while the white market picks up the difference, with bug bounty programs and the Zero Day Initiative being a legitimate way for security researchers and bug hunters to get paid for their expertise and hard work.
- PwC sends ‘cease and desist’ letters to researchers who found critical flaw, ZDNet
- Published Advisories 2019, Zero Day Initiative
- Pwn2Own Vancouver 2019: Tesla, VMWare, Microsoft, and More, Zero Day Initiative
- Google Vulnerability Reward Program (VRP) Rules, Google Application Security
- Why the market for zero-day vulnerabilities on the dark web is vanishing, Fifth Domain