Anuraag Girdhar
June 1, 2014
Abstract
In this overview, I examine the market for software security vulnerabilities. I will focus on zero-days, which are newly-discovered unpatched vulnerabilities that are especially lucrative for hackers and especially dangerous for software companies. I’ll seek to resolve how to create a well-functioning market for these vulnerabilities that improves computer security for everyone. Often, the only market that exists for security exploits is a black market, and that will figure heavily into the discussion. This overview assumes a basic familiarity with economic concepts and game theory.
1 Introduction
The pioneering computer scientist Donald Knuth (who also invented the TeX
typesetting system that I’m using for this overview) has an ongoing project
called The Art of Computer Programming. Ever since he published the first
volume of this encyclopedic resource in the late 1960s, he has offered a bounty:
a reward check for any reader who discovers an error in his code, in order to keep
everything accurate. While the rewards are small, capped at $327.68, hundreds
of readers have taken him up on this offer, most of them framing the checks as
one would frame an autograph of a movie star or a sports personality. Knuth’s
efforts provide an apt analogue for cybersecurity. Just as he is willing to pay
others to find bugs to improve the access to knowledge for future readers, many
have argued that vendors should be willing to pay for security hacks and bugs
to improve safety for future users.
market is flooded with Personally Identifiable Information (PII). This is why
large breaches have been infrequent in the past; it’s not (only) because intrusion detection systems (IDS) become more robust over time. It appears that
credit cards are easy to price taking type, expiration and limit as parameters,
while pricing other stolen information like intellectual property (IP) is much
more ambiguous. Exploit kits also range widely in price based on the degree of
automation they provide, and they may be bought or rented as a service.
Perhaps the most distinguishing characteristic of the black market is its
reliance on trust for transactions. Malicious hackers have an intricate “vetting”
system on their Internet Relay Chats (IRCs) and forums, ensuring that only
verified buyers and sellers can participate. The recent rise of cryptocurrencies
for online transactions also permits a more anonymous and secure black market.
The report identifies botnets as the primary source of cybercrime today.
Botnets can be used for spam or Distributed Denial of Service (DDoS) attacks.
Indeed, even the nascent Internet of Things (IoT) has recently succumbed to
botnets launching DDoS attacks, including a recent high-profile attack from
a smart refrigerator. Botnets are inherently an internet technology, linking
thousands or even millions of machines to carry out large-scale attacks. Botnets,
like exploit kits, vary widely in price and have gotten cheaper over time.
these competitions existed, benign security researchers often feared legal injunction for their work, and so would not report them to the vendors. For example,
consider the following two anecdotes:
2013 update of the Wassenaar Arrangement, intrusion software is now dual-use controlled. (41 countries are signatories on the Wassenaar Arrangement, including the United States). According to the European Commission website,
dual-use items are civilian goods that ‘may have military applications;’ indeed,
government clients often stockpile zero-days as cyberweapons in preparation for
attacks against other countries.8 According to COUNCIL REGULATION (EC)
No 428, dual-use controls particularly scrutinize the questions of re-export and
end use, the latter of which may come under fire in the case of zero-day sales.
We haven’t seen the effects of this development yet, but in May 2014, VUPEN
founder Chaouki Bekrar responded to the new regulations via a series of Twitter
posts.
rules/export-from-eu/dual-use-controls/
9 Samuel Gibbs, The Guardian, “Microsoft pays $100k bounty to British researcher who
Brenner, former NSA inspector general, responds “to some degree the
proposal to forbid the use of zero-day attacks is a proposal to shut down
signals intelligence.”12 However, the issue seems to only be contentious in
the US; other countries may have fewer qualms about such cyberwarfare.
IV. How to prevent large-scale data breaches (or is it possible?) It is
obvious that the IDS that firms like Target employ are far from foolproof,
but it doesn’t make sense for them to participate in hacking competitions;
such large-scale data breaches are usually low-sophistication botnet attacks, which don’t require a security researcher to crack. Do they need to
hire security research teams of their own?
V. How can we apply game theoretic research to some of these
open questions? There is a growing body of literature on computer
hacking, modeling it as a game played between an attacker and an IDS,
or an attacker, vendor and social planner. They often focus on issues like
optimal vulnerability disclosure time, which will be a useful thing to know
if and when the market is legitimized.
that thenceforth, exploits responsibly revealed to the vendor would earn more
points than those that were sold on the black market.
5.1.2 Conclusion
In the end, it’s not really trickery that accomplishes the task, but a principle
from mathematical logic called common knowledge (or common belief, in this
case). An item p is common knowledge among a set of players G if all the players
in G know p, they all know that they all know p, and so on, ad infinitum. And
once they buy into it, the only way that hackers could undermine this system is
if they were to read this paper and through their internet channels, distribute
it. In that case, they could collectively boycott the system as follows: each
of the hackers would individually proclaim to the entire group that they were
abandoning the Google rankings in favor of some other ranking list, or to return
to the informal pre-ranking system.
their security vulnerabilities, but it also encourages accountability and peer-monitoring. With a larger group of people looking out for the interests of such
a corporate collective, vulnerabilities are more likely to be repaired even before
they are subject to the inquest of one of the hacking competitions.
known as a RAM-scraper.16 The account data is decrypted within the RAM
of the PoS machine, and the RAM-scraper harvests this data using regular
expression searches. Target already has a security team in Minneapolis, and
recently installed a malware detection system called FireEye (although it’s most
reliant on the free consumer product Malwarebytes Anti-Malware), which was
set up to alert another security team in Bangalore, India.17 The Bangalore
team reported back to the Minneapolis team, and the Minneapolis team did
not respond. And thus, 70 million accounts were compromised.
As I mentioned above, heists of this scale used to occur very infrequently,
because they would depress the market value of PII. However, with more hackers
operating today than ever before (many from geographically disparate regions),
it is harder to collusively time large attacks. Neiman Marcus experienced a
very similar attack in December of 2013, compromising 1.1 million credit card
accounts. Moreover, PoS malware is a relatively new technology, and many
hackers will try to exploit it before retailers universally implement the relevant
anti-malware. The disturbing result is that data breaches have been increasing
in size over time.
Trend Micro (2014) suggests many precautionary measures for retailers in
the meantime, viz., limit access to the internet, disallow remote access, update
OS patches, routinely delete cardholder data, but this is all rote advice. And of
course, remove poor management. The real question becomes how to create a
market to regulate access to technology like the ALINA family of PoS malware.
While the Amazon-esque website ExploitHub has been in operation since 2010,
billing itself as “the first legitimate marketplace for validated, non-zero-day
exploits,” most new malware is still shared on hacker forums. The best way to
prevent large-scale data breaches is for ExploitHub or a similar website to extend
its reach into the shadier hacker forums and more carefully vet its customers.
Technology, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew
It, (March 13, 2014)
Alpcan and Başar (2004, 2006) modeled a similar game, although abstracted
away from this specific context. The nature player they described in their game
was a sensor network, and the security research team corresponds to an IDS
in their framework. In their first paper, they came to some fairly intuitive
conclusions: by increasing the cost to itself, the IDS can make the attacker suffer
also, but reducing the defense response leaves it vulnerable. In the dynamic
game where the sensor network’s detection capabilities gradually improve over
time (a very reasonable assumption), the hacker is best off launching brief,
high-intensity attacks, which we of course observe.
The second paper more closely approximates reality and, using Markov Decision Processes (MDPs), varies the information available to each player. Here, the sensor detection network has an associated matrix of transition probabilities, and both the attacker and defender can have knowledge of subsets of this matrix. If the sensors consistently report inaccurately and the IDS has perfect information (i.e., complete knowledge of the inaccurate reporting), then it will stop relying on the sensor detection network and play aggressively regardless of the signal it receives. This is the opposite of the case we observe in the Target data breach. The signal sent by the FireEye software was accurate, but apparently the chain of communication from FireEye to Bangalore to Minneapolis obfuscated the signal like a game of telephone, and the security team responded meekly in turn.
6.2 Cyberwarfare
Game theory often accomplishes more than what rhetoric alone can in the way
of persuasion. The following analysis provides a stronger case for why countries
should enter into multilateral agreements to restrict the use of zero-days for
military operations.
Moore, Friedman and Procaccia (2010) define three variable parameters for
inclusion in their analysis: technological sophistication p, social externality cost
δ, and willingness to attack q. δ corresponds to the risk of hackers re-discovering
the vulnerability and exploiting it as a half-day. In the first game they consider,
the strategy spaces of the players are to Stockpile knowledge of discovered security flaws in preparation for future attacks, or Defend: (S, D). They conclude that without internalizing the social externality cost, neither player has incentive to defend. Therefore, to dissuade country-level players from engaging in
cyberwarfare, we need to force them to internalize their externalities.
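As an added illustration of the first game (example code written for this overview, not the model or numbers of Moore, Friedman and Procaccia), the Python below builds a constructed Stockpile/Defend payoff matrix and finds its pure-strategy Nash equilibria with and without the externality cost δ internalized; every payoff value is an assumed placeholder chosen only to show how the equilibrium shifts.

```python
from itertools import product

STRATEGIES = ("S", "D")  # S = Stockpile the flaw, D = Defend (disclose and patch)


def payoff_matrix(delta, internalize):
    """Return {(s1, s2): (u1, u2)} for a constructed Stockpile/Defend game.

    Constructed payoffs (assumption, not the paper's numbers): a lone
    stockpiler gains 3 over a defender, mutual stockpiling yields 1 each,
    mutual defence yields 2 each because the flaw is fixed for everyone.
    Each stockpiled flaw imposes the externality cost delta on the other
    player (rediscovery as a half-day); only when internalize=True does the
    stockpiler bear delta for its own stockpile as well.
    """
    base = {("S", "S"): (1, 1), ("S", "D"): (3, 0),
            ("D", "S"): (0, 3), ("D", "D"): (2, 2)}
    out = {}
    for (s1, s2), (u1, u2) in base.items():
        u1 -= delta * (s2 == "S")  # opponent's stockpile always costs me
        u2 -= delta * (s1 == "S")
        if internalize:  # treaty or penalty makes me pay for my own stockpile
            u1 -= delta * (s1 == "S")
            u2 -= delta * (s2 == "S")
        out[(s1, s2)] = (u1, u2)
    return out


def nash_equilibria(payoffs):
    """Pure-strategy Nash equilibria: profiles where neither player gains by
    switching unilaterally (ties count as equilibria)."""
    eq = set()
    for s1, s2 in product(STRATEGIES, repeat=2):
        u1, u2 = payoffs[(s1, s2)]
        p1_ok = all(payoffs[(a, s2)][0] <= u1 for a in STRATEGIES)
        p2_ok = all(payoffs[(s1, b)][1] <= u2 for b in STRATEGIES)
        if p1_ok and p2_ok:
            eq.add((s1, s2))
    return eq


def min_delta_for_defence(step=0.1, limit=10.0):
    """Smallest internalized delta on a grid at which (D, D) is the unique
    equilibrium of the constructed game, or None if not reached below limit."""
    for k in range(int(limit / step) + 1):
        d = k * step
        if nash_equilibria(payoff_matrix(d, internalize=True)) == {("D", "D")}:
            return round(d, 10)
    return None


if __name__ == "__main__":
    print("no internalization:", nash_equilibria(payoff_matrix(2.5, False)))
    print("internalized delta=2.5:", nash_equilibria(payoff_matrix(2.5, True)))
    print("threshold delta:", min_delta_for_defence())
```

With the externality left on the other player, Stockpile dominates and (S, S) is the only equilibrium; once each player also bears δ for its own stockpile and δ exceeds the constructed threshold, (D, D) becomes the unique equilibrium.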
In the second game, they allow players to actually carry out attacks. They find that the strategy is most likely to be (A, A) if Player 1’s p and q values are both middling, or if one is high and the other is low. Thinking about what the parameters p and q represent, one realizes that this covers most of the situations that are likely to occur. With such bilateral belligerence, short-circuiting is inevitable.
7 Conclusion
Simply given the scope of vulnerabilities that exist, the market for cybersecurity
is a difficult topic to tackle. This has only been a brief overview, but the list
of references will no doubt be a valuable resource for further exploration into
this field. There are many open questions in addition to the ones I addressed in
Section 4: I reproduce selected questions mentioned in the RAND corporation
report here as directions for future research:
There are many other interesting applications of game theory to the market
for exploits, including, as I mentioned earlier, determining optimal vulnerability
disclosure time. While the players and their strategies are often tricky to tease
out in black market contexts, I believe that game theory provides a valuable
tool to understand these markets. And certainly, in true hacker spirit, we could
reverse engineer these games to ensure that everything plays out as we desire.
References
Trend Micro Incorporated. Point-of-sale system breaches: Threats to the retail and hospitality industries. 2014.
Tansu Alpcan and Tamer Başar. IEEE, 2:1568 – 1573, 2004.