Immunising the supply chain: the economics of zero-day

Understanding an adversary’s needs is crucial in defence. While the cost of falling victim to ransomware has skyrocketed, raising the cost for threat actors can be a powerful disincentive.

The offensive cyber industry “seems to be taking the gloves off,” explained Matt Tait, COO of Corellium and former offensive cybersecurity specialist for the UK’s GCHQ intelligence service. Cyber threats continue to multiply, both in the realm of state sponsored espionage and in the financially motivated criminal world that spawned ransomware, Tait said during his keynote presentation for Black Hat USA 2021.

One of the more challenging scenarios, that organisations deal with are intrusions that leverage unknown network vulnerabilities — the zero-day attacks. Having had zero days to prepare themselves, defensive cyber teams can do little to prevent the attacker from gaining access.

But it is important to remember that “attackers have real bills to pay and real risks to look at,” Tait said.

Despite the recent uptick in incidents, “zero-day vulnerabilities have become much harder against hardened platform security systems,” Tait explained. It is usually necessary for today’s threat actor to acquire or develop a series of vulnerabilities, known as a zero-day chain, to achieve anything worthwhile inside a network.

“These things are very expensive thanks to platform security investments,” Tait emphasised. Whether the threat actor is a state-sponsored offensive cyber group or a criminal gang, there are costs needed to develop vulnerabilities.

It is a lot of work to research and select target organisations, to find the right attack surface, and to achieve the initial network intrusion. Then attackers need to convert this into a workable compromise through privilege escalation and/or lateral movement mechanisms. Whether this is for the purpose of extortion or intelligence gathering, it is typically expensive and time-consuming.

“Every time an actor that has one of these zero-day chains wants to use it, on an observable platform, this runs a risk: the possibility that, that zero-day chain, or some aspect of that intrusion, gets detected,” Tait said.

This can be a very expensive cost to that threat actor. Often various parts of the zero-day chain could become compromised. These tools need to be replaced as organisations patch systems to eliminate vulnerabilities.

Securing the research

It is important to understand that the threat actor’s costs protect organisations from rampant, indiscriminate use of zero-day chains through mass exploitation. Costs and risks of exposure, the loss of these vulnerabilities, force threat actors to be selective and only use zero-day chains on important targets with worthwhile pay-outs, Tait explained.

That is why anyone doing exploit detection or research must take extreme care of what they find. If they themselves become compromised, their research could get into the hands of criminals and state actors at minimum cost. This matters because when something costs little to acquire, it hurts less to lose it. Stolen zero-day changes the economics of mass-exploitation, Tait emphasised, so if you make or handle zero-day, it is essential that you keep it secure to protect others.

For the same reason, organisations need to be careful in how they compensate vulnerability researchers, Tait advised. Bug bounty platforms and companies often offer higher compensation or bonuses to individuals who call in complete zero-day chains, as opposed to isolated vulnerabilities.

This is a failure of incentive, Tait explained. The approach encourages vulnerabilities to be collected and held for longer periods of time. In practice, this leaves zero-day vulnerabilities unreported for longer while researchers develop full chains for maximum compensation. In turn, bad actors have more opportunity to steal these zero-day vulnerabilities at low cost.

Supply chain remedies

Another area where Tait advises change is in how the industry defends against supply chain attacks. These involve an attacker compromising a supplier, and then using that company’s software supply chain to infect downstream organisations. The most famous recent examples of these include the Kaseya and SolarWinds incidents.

Unfortunately, neither governments nor global organisations are positioned to tackle the problem. Platform vendors are the ones that must step in, Tait said, while highlighting that it is an unenviable task.

“All of the easy answers are bad, and the harder answers are really difficult. They bring you into conflict with some very, very entrenched, substantial busy interests,” he emphasised.

For example, in the mobile space, observability — the capacity to see what is happening and what has happened on a given system — is limited by design. Google and Apple, the main players in this space, constrain how much of their systems are visible or accessible to researchers. But this inhibits improvements in mobile cybersecurity.

Google noted in July that it understands persistent logs would be helpful for forensic uses, but they would also be helpful to attackers, and the company continually balances these different needs.

Tait sees this as something that needs to change. Without greater observability, improvements in security will lag. One strength of the mobile space, Tait highlighted, is the use of entitlements for applications rather than loosely governed access permissions.

“In the mobile space, your app does not have any components running as ROUTE or running as SYSTEM. There’s no SYSTEM-permissioned custom installer […] no SYSTEM-permissioned background updater,” he explained.

In the event that supply chain attacks compromise apps, they compromise only the isolated app and not the entire device. “Supply chain attacks do happen against mobile apps, but entitlements limit a lot of these damages,” Tait said.

Entitlements for apps can be given strict, nuanced, and bespoke preconditions. This allows developers to rail guard and limit an app’s ability to operate outside its typical operations. If it becomes compromised, by any kind of attack, the damage is greatly reduced.

In order to fix the Windows landscape, Tait advises similar deprivileging of applications through an implementation of entitlements.

Currently, Windows has two levels of privilege: it has the yes privilege, which means the application is running as system; and it has the maybe privilege, which means the application runs at medium integrity, Tait explained.

“We need to break these privileges apart into a working system of privileges that developers actually use,” he said.

“An entitlement system gives the machine a machine-readable understanding of what the app should be allowed to do. And that means that, in the event that that app becomes compromised — the ability of malware inside that app to do things outside of the scope of the application becomes dramatically reduced,” he said.

Finally, Tait explained that auditing requirements need to be imposed on the small group of necessarily high-permissioned applications. Equally, the industry needs to facilitate legal third-party scanning of applications at scale for mobile platforms, he advised.

Mark Swift is a Scottish freelance journalist and writer based in Paris. His work covers business, technology, European politics, and EU policy. Before writing for 4i-mag, he was a journalist for Young Company Finance Scotland, covering investment in Scottish technology start-ups. Mark's portfolio can be found here: