By Gregory Hale
We are all in this together, at least that is what one security researcher said about releasing vulnerabilities and working with vendors.
“At the end of the day we are on the same team, there are just different perspectives,” said Billy Rios, founder of Spear Point Security, during his keynote address Tuesday at the Industrial Control Systems Joint Working Group (ICSJWG) meeting in Denver, CO.
“What is the best way to get stuff fixed? We don’t see eye to eye,” Rios said. “There is a cost benefit analysis that goes on from a researcher’s perspective and from a vendor’s perspective.”
For researchers, the notoriety of finding and releasing a Zero Day gives a greater push to what they are trying to do.
“The motive behind dropping a Zero Day is it helps you build your brand. You get to control your own destiny as a researcher. You get to tell your side of the story first. Everyone reads the first salvo. There are tons of benefits to being the first mover.”
The way Rios described it, it is often the classic David and Goliath story, where one small researcher takes on a huge conglomerate.
“I put my messages out there the way I want the message to read,” he said. By the time the vendor realizes what is going on, he added, they really don’t know what hit them.
“I am a researcher,” Rios said, “but I have worked as a vendor. I can safely say that ICS (Industrial Control System) security sucks right now.”
In dealing with vendors, Rios said it all comes down to relationships and communication. However, sometimes other factors do come into play, especially when a researcher has been working on finding a vulnerability and the vendor disregards the work.
“There are some emotions attached to this and that can sometimes be a problem. When someone discards the work, it makes you react in ways you wouldn’t do. It is sometimes hard to detach the emotions.”
On top of that, the playing field is changing fast.
He described the old way, in which researchers talked and dealt directly with vendors, but today it is different: they also have to deal with vulnerability brokers, organizations that pay security researchers for vulnerabilities.
“It is a totally different world,” Rios said. “It is no longer a two-party conversation anymore between vendor and researcher. Brokers will pay to buy bugs. Researchers get fed up with the model. The easiest model is to sell the bug to a broker.”
“You have to understand these things exist; understand there are third parties that are interested in your vulnerabilities,” he said.
But is the responsible thing just selling out to a broker? The question to ask is what the broker wants with the vulnerability.
“They want weaponized exploits,” Rios said. “They will pay more for that. You have to ask why they want that.”
The complications continue between researchers, brokers, vendors and the ones using the exploits. Those people, he said, are the ones you have to watch out for.
“The ones using the vulnerability are the most dangerous ones; you don’t know what they are doing. The others you know who they are, but the other ones remain anonymous.”
“At the end of the day researchers are not the people you have to worry about,” Rios said. “You need to worry about the people you don’t know about. The people whose names you don’t know.”