Why would an attacker ever want to sit on a zero-day exploit?
up vote
3
down vote
favorite
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
asked 3 hours ago
jonem
1162
New contributor
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
3
down vote
favorite
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
asked 3 hours ago
jonem
1162
New contributor
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
3
down vote
favorite
up vote
3
down vote
favorite
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
asked 3 hours ago
jonem
1162
New contributor
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
zero-day
asked 3 hours ago
jonem
1162
New contributor
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 3 hours ago
jonem
1162
New contributor
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 3 hours ago
jonem
1162
New contributor
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 3 hours ago
jonem
1162
asked 3 hours ago
jonem
1162
1162
New contributor
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
up vote
4
down vote
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
answered 1 hour ago
McMatty
2,1251112
add a comment |
up vote
1
down vote
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
answered 33 mins ago
forest
28k1385101
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
4
down vote
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
answered 1 hour ago
McMatty
2,1251112
add a comment |
up vote
4
down vote
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
answered 1 hour ago
McMatty
2,1251112
add a comment |
up vote
4
down vote
up vote
4
down vote
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
answered 1 hour ago
McMatty
2,1251112
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
answered 1 hour ago
McMatty
2,1251112
answered 1 hour ago
McMatty
2,1251112
answered 1 hour ago
McMatty
2,1251112
answered 1 hour ago
McMatty
2,1251112
2,1251112
add a comment |
add a comment |
up vote
1
down vote
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
answered 33 mins ago
forest
28k1385101
add a comment |
up vote
1
down vote
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
answered 33 mins ago
forest
28k1385101
add a comment |
up vote
1
down vote
up vote
1
down vote
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
answered 33 mins ago
forest
28k1385101
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
answered 33 mins ago
forest
28k1385101
edited 4 mins ago
answered 33 mins ago
forest
28k1385101
answered 33 mins ago
forest
28k1385101
answered 33 mins ago
forest
28k1385101
28k1385101
add a comment |
add a comment |
jonem is a new contributor. Be nice, and check out our Code of Conduct.
jonem is a new contributor. Be nice, and check out our Code of Conduct.
jonem is a new contributor. Be nice, and check out our Code of Conduct.
jonem is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198951%2fwhy-would-an-attacker-ever-want-to-sit-on-a-zero-day-exploit%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
