According to a report by the information security organization IICS, cyber espionage is one of the biggest threats to private sector companies. Cyber espionage can also be considered a part of cyber warfare between various countries. Many countries, including the US, UK, Russia and China, have long used cyber espionage as part of their military arsenal. According to corporate information security experts, private sector companies and various computer security companies are realizing the importance of cyber espionage.
There is a drastic rise in the number of cybercrimes and in the need for information security consulting professionals. Even many countries that were not involved in cyber warfare activities have now started running cyber warfare campaigns. The primary consumers of cyber warfare products are government agencies, for controlling cyberspace, and private sector companies, for corporate information security and corporate espionage. The vendors of cyber warfare products are information security organizations, defense contractors, private sector computer security companies and independent hacker groups.
According to experts from the information security organization IICS, cyber espionage is normally carried out over the long term. The objective of private sector espionage is to steal secret data and intellectual property from the victim companies. Most of the time these cases are state-sponsored; other cases are sponsored by private sector companies with the help of independent hackers or their own information security consulting professionals.
Cyber espionage for economic motives is very common, as countries such as China are using data theft as a means to gain economic advantage in business deals. Information security organization experts claim that with these state-sponsored attacks, private sector companies in China can gain a market advantage by stealing competitors' product designs and marketing and business strategies.
Dave Smith, an information security consulting researcher at an information security organization, adds that zero-day exploits are usually used in conjunction with social engineering methods such as spear phishing and watering hole attacks to break into corporate information security architecture. Zero-day exploits are used for cyber espionage and for carrying out cyber attacks. IICS, an information security organization that deals with zero-day vulnerabilities and zero-day exploits, mentions that there is a huge market for these and that they are sold to the highest bidders. Zero-day vulnerabilities are used as weapons by governments, private sector companies, criminals, and private arms dealers.
Information security consulting researchers who find these vulnerabilities usually don't get the necessary attention from software or hardware companies or, worse, in some cases these companies try to sue the researchers. This is one of the reasons why information security consulting researchers sometimes end up selling zero-day vulnerabilities on the black market or to cyber weapons dealers. That is why computer security companies refer to zero-day exploits as cyber weapons.
Experts from the information security organization explain that there is a race to buy and stockpile zero-days. Also, the international arms control treaty doesn't limit the buying and selling of zero-days as of now. The US government has defined its policy towards zero-day disclosure; however, other developed countries such as Australia, Spain, Germany, Russia and the United Kingdom have not even initiated the development of a zero-day disclosure policy. Thus, as of now, computer security companies, independent information security consulting researchers and information security organizations can continue trading zero-day exploits as long as they are selling them to the right party.
Computer security company experts signal that, at the present moment, governments of developing countries like Mexico, Brazil, Colombia, Costa Rica, Argentina, UAE, India, Pakistan and Israel have jumped into the race to buy zero-day vulnerabilities. It is very easy for independent information security consulting researchers to sell zero-day vulnerabilities to governments of developing countries through brokers, information security organizations or computer security companies.
There are three kinds of markets for selling zero-day vulnerabilities: the black zero-day market, the gray zero-day market and the white zero-day market. Trading in the black zero-day market is done by independent hacker groups, freelance information security consulting researchers and brokers. Roy Mcfadden, a corporate information security expert, claims that many enterprises buy exploits from the black zero-day market. However, high-price exploits are not sold through this market.
Trading in the gray zero-day market is done by computer security companies, information security organizations and governments. Jim Dean, a computer security company expert, mentions that countries like the USA, Russia, UK, Mexico, Brazil, Colombia, Costa Rica, Argentina, UAE, India, Pakistan, North Korea and Israel are some of the big buyers in the gray zero-day market. Big defense contractors and information security organizations also trade high-value zero-day vulnerabilities and exploits in this market.
Trading in the white zero-day market is done by freelance information security consulting researchers, computer security company researchers and information security organization researchers. The white zero-day market is also known as the bug bounty program. Roy Mcfadden, a corporate information security expert, explains that software makers offer a sum of money to anyone who finds a vulnerability in their software or hardware and discloses its existence to them. The bounty is paid to people who use their skills to find and disclose vulnerabilities so that software makers can fix them, thereby improving overall information security.
According to computer security company experts, the cost of a zero-day depends on a multitude of factors. The following are some of the factors used to determine the trade value in a zero-day exchange:
1. Target range of the vulnerability and exploit.
2. Level of diffusion of the vulnerability and exploit to date.
3. Scope of its usage.
4. Validity of the exploits.
5. Reliability of the seller of zero days.
6. Exclusive usage rights to the zero-day are also an important factor, mentions Roy Mcfadden, a corporate information security expert.
7. Financial escrow service fees and insurance fees in high value cases.
8. Exchange broker connections.
9. Number of brokers and respective fees.
The day is not far off when governments will come together to regulate the zero-day trade in order to control the cyber arms race and cyber espionage. Cyber espionage is a global issue, with actors such as government agencies, countries and private sector companies targeting victims for political and commercial interests. IICS, an information security organization, has been tracking cyber espionage activity globally and working closely with the public and private sectors to resolve corporate information security cases. Our information security consulting experts have also been actively involved in the global zero-day landscape, thus helping our clients with advanced intelligence solutions and services.