The Lottery You Don’t Want to Win: Introducing the RunSafe Pwn Index™

Financial instruments have given enterprises good tools and processes by which to manage their risk, but there is absolutely no limit to the amount of threat intelligence that security teams can benefit from having at their disposal. To help enterprise security teams reduce risk even more, today we announced the release of the RunSafe Pwn Index™, a proprietary score and methodology to track the average price of cyber exploits targeting enterprise and government agency software assets.

Released every quarter moving forward, the RunSafe Pwn Index will help businesses put the hocus-pocus of cyber exploitation into a financial context for proper risk-based decision making. Instead of framing exposure around the vulnerabilities that make national headlines, the RunSafe Pwn Index will bring awareness to both the amount commanded by and the sheer volume of exploits that trade every quarter, targeting servers, laptops, mobile devices, and embedded systems. These exploits run the gamut and include memory corruption, commend injection, cross-site scripting, code execution, denial of service – it goes on and on.

Tracking Hacker Economics

As Deloitte’s “Black-market ecosystem” report makes clear and accessible, cyber operations targeting an enterprise have a cost to the hacker on a monthly basis. Much like any other economy, the Black-market ecosystem is broken up into the many disciplines and skills that are required to execute attacks and extract value, while avoiding identification and capture. This ecosystem utilizes remote server infrastructure (bullet-proof hosts), network service providers (anonymizing VPNs), and webpage hosting with demand-based scalability, fault-tolerance, and load-balancing.

Just like the getaway car in a bank robbery needs gas (or charged batteries), this black-market ecosystem is propped up by low-cost access to bits of software that allow attackers to get unauthorized behavior on systems they don’t own. These small programs, known by names like malware, RATs, ransomware, keyloggers, and malvertisements, are the silent workhorses that generate the economic value for the illicit cybercrime economy. If all of a sudden, these programs stopped working, it would be like putting sugar in the gas tank of the black-market economy.

Attacker-Directed vs. Developer Intended Functions

Many malicious programs misuse legitimate programs to achieve their illicit intent. The RunSafe Pwn Index prices an organization’s exposure to several classes of illicit misuse. Once tricked into performing attacker-directed functions (as opposed to developer intended), the attacker can add backdoors and make their presence on the system much harder to detect or remove. For example, the mean time to identify a data center attack was an astounding 201 days, according to the 2018 Cost of a Data Breach Study (benchmark research sponsored by IBM Security, conducted by the Ponemon Institute). For enterprise security teams, The RunSafe Pwn Index will give a sense of the cost to an attacker of acquiring a program, and targeting arbitrary infrastructure, that achieves this exact scenario.

Interpreting the Pwn Index as a Leading Indicator

The Pwn Index speaks to two audiences.  First, the enterprise CISOs that have customer data, financial data, or intellectual property of value that could be worth targeting by the black-market ecosystem. Second, OEM product managers that sell into the aforementioned enterprises, whose equipment might be used in facilitating access to those enterprises.

Grafting financial language onto the exploit market provides other insights besides the average cost of exploits.

  • Trend analysis: The RunSafe Pwn Index will track, over time, shifts in pricing. Increases in pricing will suggest that technology and/or talent are coming together to drive down supply.
  • Liquidity and the bid-ask spread: While zero-days trade in a structurally opaque market, there are indicators of transaction-level supply and demand.
  • Factors which the market has “priced in”:
    • The RunSafe Pwn Index has already priced in best practices, such as software testing and code reviews. Unfortunately, that means that even with state-of-the-art static and dynamic analysis, third-party testing, and expert code reviews, vulnerabilities still slip in at a rate exceeding 0.08 vulnerabilities per 1000 source lines of code. Products are being created so quickly and with such a large body of reused code that testing isn’t keeping up.
    • The RunSafe Pwn Index has also incorporated the ability of existing security infrastructure to stop the exploit from working. If existing IT perimeter infrastructure and processes could stop these exploits, the prices would go up. The supply of exploits that can slip past existing protections would get choked off, because more sophisticated hackers would be required to develop them.

Instead of grimly waiting to see if you win the Pwn lottery, and a latent risk in a device or software has been weaponized against you, RunSafe Security’s Alkemist would help drive the cost of Pwnership up dramatically. Ask hardware and software vendors if they’ve mitigated the exploitation risk in their systems, before they are added to your infrastructure. As an OEM, make sure the firmware, operating system, and applications in your device don’t increase the risk exposure for your customers.

In Partnership with CyberScoop, RunSafe’s Pwn Index™ provides a window into the current economic motivations of attackers, empowering security teams to proactively prepare defenses for trending exploits. To read CyberScoop’s first article, click here. Moving forward, the news outlet will exclusively release the Index’s conclusions during the last month of each quarter.