Zero-day vulnerabilities – newly discovered exploits that haven’t been previously identified – are now emerging more often. Worse still is the fact that these dangerous flaws sometimes aren’t pinpointed until hackers have already exploited them.
According to a prediction from Cybersecurity Ventures founder and Editor-in-Chief Steven Morgan, the frequency of zero-day exploits – which were a once-per-week occurrence in 2015 – could increase to once-a-day within the next four years.
A rise in cyberattacks is nothing new – this has been a trend within the technology industry for years now. This doesn’t mean, however, that researchers and developers shouldn’t take steps to quell the number of exploitable vulnerabilities present in critical software and IT systems.
Changing the tide: Vulnerability research
Enter vulnerability research, a growing trend that’s making waves in the cybersecurity industry. Vulnerability research is typically an undertaking for the engineering team, and oversees the use of advanced techniques in an effort to identify flaws or issues within software that could potentially be used for attacks, breaches or other security incidents.
This process means that zero-day threats and other software problems are identified sooner, hopefully before they fall into the hands of cybercriminals. In this way, infections launched thanks to new vulnerabilities decrease, and the attack vectors available to hackers drop.
An uphill battle: Special skills required
“The frequency of zero-day exploits could increase to once-a-day within the next four years.”
However, as Dark Reading contributor Rutrell Yasin pointed out, one doesn’t just jump into this kind of research. Vulnerability and security research require certain skills and capabilities, especially given the fast-paced nature of the current threat landscape.
“The discipline is suited for those people who have an innate curiosity of how software can be broken down or bypassed so you can do things with it that weren’t intended to be done,” Yasin wrote.
What’s more, researchers must be “immersed in technology” and have a high interest in understanding the operations and potential malicious uses of different systems as well as the ways in which they integrate with one another.
“Security engineers see the world differently than other engineers,” noted information security expert Bruce Shneier. “Instead of focusing on how systems work, they focus on how systems fail, how they can be made to fail and how to prevent – or protect against – those failures.”
The best researchers are those that consider themselves jacks of all trades, Yasin noted, but also have certain specialties. In this way, those specialized skills can be put to work in a way that benefits the research and helps pinpoint vulnerabilities that may have otherwise been overlooked.
Benefits abound on both sides of the coin
The advantages of vulnerability research aren’t hard to see. As attacks continue to increase in frequency and severity, vulnerability research provides an opportunity to reduce the available attack surface. As Morgan noted that this surface grows by 111 billion new lines of code annually, any efforts to cut down on available attack exploits is good news for users, code developers and the software vendors they work for.
As threat analyst Weimin Wu pointed out, vendors that leverage vulnerability research results to their advantage can considerably improve the solutions they’re creating for users, and take a proactive stance against the latest hacking tactics.
“It allows vendors to anticipate the exploit landscape, and craft solutions in advance accordingly,” Wu wrote.
This, in turn, helps better safeguard individual consumers and business users, who increasingly rely on software systems to manage sensitive information and support mission-critical operations.
White hats vs. black hats
What’s more, it’s important for researchers and users alike to keep in mind that if these vulnerabilities aren’t pinpointed by white hats, chances are very good that black hats will come across them and use them for malicious purposes at one point or another.
In addition, the work done by vulnerability researchers to identify exploits within one software program will likely benefit every other platform using similar coding and functions. In this way, efforts aren’t unique to the program at hand, but have the potential to benefit the entire software industry, ensuring the same exploitable mistakes aren’t repeatedly made.
Vulnerability research in action: Pwn2Own
Thanks to its importance, vulnerability research is now taking place on a larger, more public scale. One prominent example of this is Trend Micro’s Pwn2Own event, which brings together researchers and security experts from all walks of life and awards cash and prizes for the most successful exploit identifications.
This year marked the 10-year anniversary of Pwn2Own, which originally kicked off in 2007. Since then, the event has expanded to include new areas of research – this year, the Zero Day Initiative put more than $1 million in prizes up for grabs in categories including Virtual Machine Escape, Web Browser and Plugins, Enterprise Applications, Local Escalation of Privilege and Server Side.
Last year’s event saw the identification of a range of vulnerabilities. Once hacking teams pinpoint these items, contest organizers send research result details to the vendors so that steps can be taken to improve data safeguards.
“Therefore, as vendors learn more about the vulnerabilities in their software and devices, they can strengthen their cyber security, which in turn bolsters that of their customers,” Trend Micro’s Noah Gamer wrote in a 2016 blog. “How can consumers and businesses alike steer clear of these bugs in the programs they use on a daily basis? Implementing effective cyber security solutions could be the answer to this issue. By investing in these kinds of tools, they can protect their systems and make sure their data is safeguarded against malicious actors.”
This year’s event saw unprecedented interest, and the number of participant registrations required adding a third day to the competition. Researchers engaged in a number of important vulnerability research projects, including attempting a full virtual machine escape through Microsoft Edge, investigating Windows kernel and examining a VMware Workstation buffer.
Overall, vulnerability research will only become an increasingly critical process as the threat environment continues to expand. Any effort to shift the tide of malicious attacks is beneficial for researchers, vendors and users.
To find out more about this year’s Pwn2Own and the results of the competition, contact Trend Micro today.