Discussions of how cybercriminals and hackers compromise and penetrate an organization regularly turn to exploits and exploit kits. Because all software can contain flaws and bugs, a threat actor only has to either find a new, undisclosed vulnerability (a zero-day) or pick one of the many vulnerabilities already disclosed, and then build a weaponized exploit to compromise a machine or device. This was true of the top threats of 2017, including WannaCry, Petya/NotPetya, and the Equifax breach, all of which abused vulnerabilities that were already known and for which fixes existed. Cybercriminals know that patch management is hard and that many systems within an organization either haven’t been patched or cannot be patched because of obsolete software or vendor policies on managing devices. All of these are critical gaps in organizations’ defenses. The good news is that there is an organization at the forefront of supporting responsible disclosure of vulnerabilities, which ultimately helps protect organizations against exploits for both known and not-yet-public vulnerabilities.
Trend Micro’s Zero Day Initiative, or ZDI, was founded in 2005 to encourage the responsible reporting of zero-day vulnerabilities to vendors by financially rewarding researchers through an incentive program. Today, ZDI is the world’s largest vendor-agnostic bug bounty program, with more than 3,500 independent researchers around the world, in addition to its internal team, submitting previously undiscovered vulnerabilities in a wide range of enterprise software, including products from Microsoft, Adobe, Apple, VMware, and Oracle, as well as SCADA/ICS applications used in many nations’ critical infrastructure. Through this program, ZDI obtains and validates undisclosed vulnerabilities and works with the affected vendors to disclose them responsibly. In most cases, the vendor has a patch available before the vulnerability is publicly disclosed. Two key annual events, Pwn2Own and Mobile Pwn2Own, bring researchers together to submit their vulnerabilities for monetary prizes and the Master of Pwn title. These events are another source of new vulnerabilities, which ZDI then manages with the vendors so that patches reach the public.
You may be wondering how we (Trend Micro) can say ZDI is the “world’s largest bug bounty program.” Don’t take our word for it: Frost & Sullivan published a report, “Analysis of the Global Public Vulnerability Research, 2017,” profiling many of the public vulnerability reporting organizations, including ZDI. Since 2007, ZDI has been profiled as the one program that has consistently reported not only the most vulnerabilities, but also the most critical vulnerabilities and the most vulnerabilities reported to ICS-CERT. Some of the 2017 numbers from the report include:
What does this mean for the public and for Trend Micro customers? ZDI and its independent researchers help ensure that many of the vulnerabilities found in the operating systems and applications used by enterprises, and by organizations running SCADA/ICS critical infrastructure, have a patch available by the time the vulnerability is disclosed. This lets those organizations apply the patch and protect themselves against any exploit a threat actor may build to target them. For Trend Micro customers using TippingPoint products, it also means preemptive protection for these vulnerabilities through a virtual patch, a network filter that blocks attempts to exploit the flaw, delivered before the affected vendor releases its patch. A virtual patch is a compensating control, not a substitute for the vendor fix: it narrows the exposure window, and the vendor patch should still be applied once it is available. In 2017, pre-disclosed filters were available to customers ahead of a vendor patch on average:
This minimizes the window of opportunity a threat actor has to create an exploit and use it in an attack, whether before or after a vendor has a patch available. Organizations can use virtual patching very effectively to stay protected with minimal operational disruption, and the world-class vulnerability research provided by ZDI proactively strengthens their protection against exploits and exploit kits.
Please add your thoughts in the comments below or follow me on Twitter: @jonlclay