A newly released RAND Corp. study found that zero-day vulnerabilities have an average life expectancy (the time between first private discovery and public disclosure) of 6.9 years, which makes stockpiling vulnerabilities a reasonable option for both cyber defenders and attackers.

The study, “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits,” was based on access to a dataset of over 200 zero-day software vulnerabilities. Zero-days are software vulnerabilities unknown to the vendor; they can be used in cyberattacks, and few direct defensive actions are available against them. The study seeks to give researchers and policymakers data on whether entities should publicly disclose or remain quiet about vulnerabilities, based on how many remain undetected and how many are eventually found by others.

Based on the dataset, RAND researchers determined that the time between first discovery by private actors and later public disclosure of these zero-day vulnerabilities is long, averaging 6.9 years. They also found that the chance that two separate parties independently find the same zero-day (the collision rate) is only about 5.7 percent per year.

This means the protection afforded by disclosing a vulnerability may be fairly modest and that stockpiling, or keeping quiet about discoveries, “may be a reasonable option for those entities looking to both defend their own systems and potentially exploit vulnerabilities in others,” RAND said.

RAND also said that, of the vulnerabilities it analyzed and the exploits that take advantage of them, almost 40 percent are still publicly unknown.

“Typical ‘white hat’ researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it. Others, like system-security-penetration testing firms and ‘grey hat’ entities, have incentive to stockpile them,” Lillian Ablon, lead author of the study and an information scientist with RAND, said in a statement.

“But deciding whether to stockpile or publicly disclose a zero-day vulnerability – or its corresponding exploit – is a game of tradeoffs, particularly for governments,” she added.

Entities that learn about the vulnerabilities can create exploits: code that takes advantage of the flaws to access other parts of a system, execute their own code, act as an administrator, or take other actions. RAND noted a famous example is the Stuxnet worm, which used four separate Microsoft [MSFT] zero-day vulnerabilities to compromise Iran’s nuclear program.

The researchers were also able to determine that 25 percent of the vulnerabilities do not survive beyond 1.5 years, while another 25 percent survive for over 9.5 years. They did not find any vulnerability characteristics that indicate a long or short life. However, RAND said future analyses could examine Linux versus other platform types, the similarity of open and closed source code, and exploit class types.

“Looking at it from the perspective of national governments, if one’s adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one’s own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them,” Ablon said.

“On the other hand, publicly disclosing a vulnerability that isn’t known by one’s adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware in reserve. In that case, stockpiling would be the best option,” she said.

RAND also used colorful language to distinguish the status of vulnerabilities. They are “alive” if publicly unknown, “dead” if publicly known, and at various points in between. Ablon noted that drawing such clear-cut distinctions is too simplistic and could make vulnerability detection efforts harder.

Vulnerabilities can also be called “immortal” if the flaw remains in a product because the vendor has stopped maintaining the code or issuing updates, and “zombies” if they are quasi-alive because code revisions leave the vulnerability exploitable in older product versions.

Public vulnerabilities are usually disclosed with a security advisory or software patch, but sometimes developers or researchers post about a vulnerability online without issuing a security advisory, RAND said.

The organization found that once an exploitable vulnerability is found, a fully functioning exploit might be developed quickly. The median development time is 22 days. RAND highlighted, “That means any serious attacker can likely obtain an affordable zero-day for almost any target, given the typical life expectancies of these vulnerabilities and the short development time.”

However, most of the price paid by those buying zero-days is driven by the vulnerability’s inherent value, scarcity of supply, and other factors rather than by labor cost, RAND said.

RAND said this is the first publicly available research to examine vulnerabilities currently unknown to the public, and that it helps establish initial baseline metrics that build on previous studies, which relied on manufactured data, publicly known vulnerabilities, or expert opinion.

The study was funded by philanthropic contributions from RAND supporters, income from operations, and from the RAND Institute for Civil Justice. The institute seeks to improve the civil justice system by providing policymakers and the public with rigorous nonpartisan research, RAND said.

Lillian Ablon co-authored the report with Andy Bogart.