Cyber security researchers and ethical hackers may wish to consider easing off on publicly disclosing vulnerability exploit code before patches have been made available, because doing so gives malicious actors a “clear and unequivocal” advantage, according to new data crunched by vulnerability management specialist Kenna Security and Cyentia Institute.
In the research study, Prioritisation to prediction, volume 7: establishing defender advantage, Kenna said that in about one-third of cases, it had found that ethical hackers – whom the industry relies on to some extent to identify new vulnerabilities and write proof-of-concept exploit code – made their code publicly available before the patch.
Kenna founder and CTO Ed Bellis said that for years the community has debated whether or not doing this improved overall security by getting patches developed more quickly, or whether it gives attackers an advantage, but that the research should remove any doubt over this.
“Practices that have long been central to the cyber security ecosystem, that many of us thought were beneficial, are in fact harmful to defenders,” said Bellis.
The analysis found that in cases when exploit code goes before a patch, an attacker gains an average 98-day advantage in exploitation.
The release of code also drives exploit volume, said the report. Only a tiny number, just 1.3%, of vulnerabilities have been exploited in the wild and have publicly available exploit code, but those vulnerabilities are exploited about 15 times more often than the 98.7% of vulnerabilities where code is not disclosed, and are used against six times as many potential victims.
“What we see is that the availability of exploit code drives both a volume of exploitation and makes it easier for hackers to deploy the types of attack most likely to cause serious damage to an enterprise,” said Wade Baker, partner and co-founder of Cyentia Institute.
“When exploit code is integrated into hacking tools – both legitimate and malicious – it becomes faster and cheaper to find and exploit security weaknesses.”
The researchers also uncovered little evidence to suggest that releasing exploit code either facilitated earlier detection of active exploits or pushed development teams to mitigate them faster.
“While there is no shortage of opinion on every side of the disclosure debate,” said Jay Jacobs, partner and co-founder of Cyentia Institute, “very little objective research has been done on both the potential benefits and harm caused by well-intentioned security researchers releasing weaponised exploit code. The data provides clear guidance to the security community: publicly sharing exploit code benefits attackers more than defenders.”
The report, which is based on data collated from Kenna’s own customers, also contains some insight into the preferences of malicious actors – when a published exploit allows for remote code execution (RCE) attacks it tends to be used up to 30 times more frequently than exploits that do not.
It also highlights the existence of a major disparity in terms of how long it takes organisations to fix vulnerabilities – up to 40 times longer on Linux-based or SAP software (900 days on average), than on Google or Microsoft products (22 days on average).