"Deciding whether to stockpile or publicly disclose a zero-day vulnerability – or its corresponding exploit – is a game of tradeoffs, particularly for governments," is one of the conclusions reached in a new study by the RAND Corp.
One premise of the study's look at zero-day vulnerabilities, flaws in software for which no fix has been publicly released, is that they are useful in cyber operations, whether conducted by criminals, militaries or governments. The fact that they can remain undetected for years means users stay exposed while those looking to exploit the flaws have ample time and opportunity to take advantage.
The study, "Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and their Exploits," is based on what RAND terms "rare access to a dataset of more than 200 such vulnerabilities."
Speaking with SC Media on Thursday, Lillian Ablon, an information scientist with RAND and lead author of the study, would not reveal specifics about where RAND had gathered its dataset of zero-days, other than to say it came from a "research connection" – identified in the study as a vulnerability research group masked as BUSBY – as well as from relationships fostered during previous RAND studies of the underground market [The Hacker's Bazaar].
Regardless, the study looks not only at the code itself but also ponders what government and independent entities should do with zero-day vulnerabilities once detected. In other words, should they publicly disclose the vulnerabilities or keep quiet about them?
"Typical 'white hat' researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it," said Ablon. "Others, like system-security-penetration testing firms and 'grey hat' entities, have incentive to stockpile them."
Perhaps the most prominent example of an exploit of a weakness is the Stuxnet worm, which relied on four Microsoft zero-day vulnerabilities to penetrate the network and eventually disrupt operations of Iran's nuclear program. The RAND study contends that if an adversary, in this case Iran, had been alerted to the weaknesses in its system, it would have given the nation the upper hand, "because the adversary could then protect against any attack using that vulnerability."
Ablon told SC that discussions of disclosing a zero-day often assume that making the flaw public means a patch will be issued. But, she said, this is not necessarily true. For example, years after the Heartbleed bug was disclosed, the popular OpenSSL cryptographic software library was still being attacked.
The advice is that defensive strategies need to be broader than just finding and patching, she told SC. It will take a complete redesign of the infrastructure from the ground up, she said.
Touting its study as the "first publicly available research to examine vulnerabilities that are still currently unknown to the public," as opposed to previous studies that relied on "manufactured data, findings only from publicly known vulnerabilities, or expert opinion," RAND has made the 115-page ebook available as a free download.
A spokesperson at RAND told SC that as a nonprofit, nonpartisan research organization, part of RAND's mission is to make its research widely available.