For Sale - Dark Web Exploits

Updating and patching to protect against vulnerabilities as soon as they become known is vital but it's not just Zero-Day exploits that security teams need to worry about. For cyber criminals, buying a proven exploit off the shelf on the Dark Web has the advantage of something known to be effective, where all the hard work has already been done for the buyer.

Indeed, researchers at Trend Micro have found that 22% of exploits for sale in underground forums are more than three years old, emphasising the importance that organisations should place on patching vulnerabilities that pose the greatest risk to their organisation, not just the latest ones.

A new report Trend Micro reveals a decline in the market for Zero-Day over the past two year, driven in part by the  the rise of Access-as-a-Service, the new force in the exploit market. Access-as-a-Service has the advantages of an exploit, but all the hard work has already been done for the buyer, with underground prices starting at $1,000.  

The lifespan of a vulnerability or exploit does not depend on when a patch becomes available to stop it. In fact, older exploits are cheaper and therefore may be more popular with criminals shopping in underground forums and virtual patching remains the best way to mitigate the risks of known and unknown threats to your organisation.

The report reveals several risks of legacy exploits and vulnerabilities, including:

  • The oldest exploit sold in the underground was for CVE-2012-0158, a Microsoft RCE.
  • CVE-2016-5195, known as the Dirty Cow exploit, is still ongoing after five years.
  • 47% of cyber criminals looked to target Microsoft products in the past two years.

These trends are combining to create greater risk for organizations. With nearly 50 new CVEs released per day in 2020, the pressure on security teams to prioritize and deploy timely patches has never been greater, and it’s showing. 

Today, the time to patch averages nearly 51 days for organizations patching a new vulnerability. To cover that gap in security protection, virtual patching is key. It is based on intrusion prevention technology and offers a hassle-free way to shield vulnerable or end-of-life systems from known and unknown threats indefinitely. Applying all available vulnerability patches can be a nearly impossible task for any organisation. It is simply unrealistic for organisations to have their systems be completely invulnerable. Virtual patching is one way for organisations to buy additional time needed for security teams to implement the necessary updates, making it a crucial aspect of patch management. 

While several patch prioritisation approaches exist for vulnerability management, organisations should  factor into the equation the exploits that cyber criminals actually wish to use and can purchase, rather than simply patching vulnerabilities based on severity. 

Since vendors and manufacturers need time to come up with and deploy the necessary patches and upgrades upon the disclosure of a vulnerability, these temporary fixes give them time for permanent solutions, as well as help avoid unnecessary downtime for organisations to implement patches at their own pace. This is especially important when it comes to zero-day vulnerabilities since virtual patches protect systems and networks by serving as an additional security layer from both known and unknown exploits. 

Trend Micro's researchers saw the price of an exploit continually drop over time until it eventually fell to zero, making the exploit progressively more accessible to more cyber criminals as time passed and allowing more malicious actors to incorporate the exploit for the vulnerability into their cyber criminal business models. 

The longevity of a valuable exploit is longer than you might reasonably expect and this is vital information for anyone who manages their organisation’s patch management program, since addressing yesterday’s popular vulnerability can often be more important than addressing today’s critical one. 

Trend Micro:      Trend Micro:   

You Might Also Read:
 

Avoiding Arrest: Cyber Criminals Share Dark Web Secrets:

 

« Microsoft Buys RiskIQ
IISS: Cyber Capabilities & National Power Rankings »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality ISAC operates as a central hub for sharing sector-specific cyber security information and intelligence.

Applied Engineering Solutions (aeSolutions)

Applied Engineering Solutions (aeSolutions)

aeSolutions offers performance-based process safety engineering and automation solutions. Services include industrial cybersecurity.

Foresite

Foresite

Foresite is a global service provider, delivering a range of managed security and consulting solutions.

Rwanda Information Society Authority (RISA)

Rwanda Information Society Authority (RISA)

RISA is at the forefront of all ICT project implementation, research, infrastructure and innovation within the ICT sector in Rwanda.

Egyptian Supreme Cybersecurity Council (ESCC)

Egyptian Supreme Cybersecurity Council (ESCC)

ESCC is responsible for developing a national strategy to face and respond to the cyber threats and attacks and to oversee its implementation and update.

TechRate

TechRate

Techrate is an analytics agency focused on blockchain technology and engineering. Or expertise includes security and technical audits of projects.

Andreessen Horowitz (a16z)

Andreessen Horowitz (a16z)

Andreessen Horowitz (known as "a16z") is a venture capital firm in Silicon Valley, California that backs bold entrepreneurs building the future through technology.

Accelerator Frankfurt

Accelerator Frankfurt

Accelerator Frankfurt is an independent go-to-market program focused on Fintech, Cybersecurity and Digital B2B startups.

Point Predictive

Point Predictive

Point Predictive build Predictive Models using Artificial Intelligence and Machine Learning techniques that help our customers stop fraud and early payment default (EPD).

Amidas Hong Kong

Amidas Hong Kong

Amidas is your trusted companion on the road to Digital Transformation. We provide a full range of Information Technology Solutions and Professional Services to Enterprise customers.

US Digital Corps

US Digital Corps

The U.S. Digital Corps is a new two-year fellowship for early-career technologists where you will work every day to make a difference in critical impact areas including cybersecurity.

SharkStriker

SharkStriker

SharkStriker is a US based managed security services provider with SOCs and offices across the globe.

RankedRight

RankedRight

RankedRight empowers security teams to take immediate action on their most critical risks.

Iconium Software

Iconium Software

DataLenz by Iconium offers continuous and real-time tracking of your data assets delivering you the tools you need to successfully reach and maintain your target security standards.

mxHERO

mxHERO

mxHERO reduces the risks inherent with ransom and cyber-security threats specific to email.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.