Re: Faster, smashter. (fwd)

["Matthew Wollenweber" <mjw () cyberwart com>]

Maybe I missed something in the original posting, but my understanding of the cost analysis isn't really similar to a 
market at all. It's more akin to the cost an adversary might pay a talented group of hackers to develop an exploit 
against some piece of a system. So given Immunity's back ground I imagine they're in a decent position to give rough 
estimates on that type of work. Therefore, it's less a market and more a pricing estimate by a reputable vendor. 

I've seen this type of analysis done in government circles, and I believe the actual numbers are less important than 
the relative values inside the analysis. Thereby, you discover which components of your software you need to apply 
additional security measures to relative to the other components. In my experience this type of job occurs on huge 
systems where the easiest attack vectors tend to stand out, and the particular threat the client is worried about is a 
motivated adversary that will do similar analysis when selecting components to target for exploitation. For example, 
the adversary has time and budget to fuzz/re/find-exploits-in X software components and they want to get the most bang 
for their buck. Therefore the defender wants to make sure the components are perceived as sufficiently expensive to 
exploit and that there are no clear weak points.

Yes, much craziness can ensue and the flaws are easy to list. But again, it's similar to what an adversary might do and 
the Immunity folks are in a good spot to estimate cost to exploit various types of software.

--
Matthew Wollenweber
mjw () cybewart com
www.cyberwart.com/blog




-----Original Message-----
From: dailydave-bounces () lists immunitysec com on behalf of sinan.eren () immunitysec com
Sent: Wed 12/10/2008 5:21 PM
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Faster, smashter. (fwd)
 

In response to both Jericho and Bees;

I wasn't actually proposing a market place for 0days. My point was 
something like; index futures on products that is built on a model where 
0day is a part of the equation (perhaps think of it as vega).

for example, Exchange 2003 could be tied to an index and each index point 
could be assigned a dollar value. Theoretical value will than be 
calculated by a model and the rest will be left to the market forces to 
settle the premium. Hedgers can than take long or short positions 
(depending on how the model is formed) to offset their IT costs and 
possible damages from intrusions and other liabilities. Speculators can 
also take on counter or similar positions depending on their outlook.

Yes, there is an obvious flaw which is the risk-free arbitrage by anybody 
who holds a 0day against Exchange 2003. But I believe this could be 
acceptable as part of the market at its infancy and since all or most 
arbitrage possibilities gets discounted by markets eventually, this model 
will lead to less outstanding 0day in underground/criminal circles, 
perhaps even more secure software eventually ?


SDL versus the free market ? Which is more efficient ?


Regards,
-sinan
VP of Vulnerability Arbitrage



On Wed, 10 Dec 2008, BEES INC wrote:

> i have postgrad applied finance qualifications and this is not really
> practical. You need an open/free market on 0day before you could start
> writing futures/options contracts. to my knowledge this doesn't exist,
> and is unlikely to exist for a whole bunch of reasons. its more
> profitable for exploit writers and cheaper for buyers to keep the
> other side in the dark on going rates.
>
> i remember they tried something like this in fresno county with the
> sausage and spice prices there. though a little different from
> exploits its similar in that its a fairly small and niche market, and
> the supply was effectively controlled by a cartel, and pricing
> information was dubious at best. needless to say it didn't take off
>
> you would be better off writing insurance and collecting a premiums,
> and if something does happen the payout could go to covering costs of
> patching and recovery. i'm pretty sure ive read of something like this
> being already available.
>
> On Wed, Dec 10, 2008 at 1:19 PM,  <sinan.eren () immunitysec com> wrote:
> > (moderator: retry from subscribed account)
> >
> > I have been thinking about a potential futures market model to hedge the risk
> > of software vulnerabilities. Perhaps a modified Black-Scholes-Merton model that
> > could be tied into Microsoft's exploitability index to determine the premium on
> > the future contract ? Hedgers (companies, govermantal institutions, military
> > etc.) could than purchase these contracts from speculators (these could be us)
> > to tie their risk into a dollar amount. On the other hand researchers can sell
> > these contracts if they feel strongly about a software or inversely, buy these
> > contracts to cash in their 0day when it hits the public domain. We need a fair
> > market place for 0day (outside of the 2 known players whose model benefits no
> > one) and I believe futures market model is the way to go. After all if you can
> > hedge your exposure to weather, why can't you hedge it against 0day ? It is not
> > as crazy as it sounds ....
> >
> > I would appreciate ideas to tie the value of a vulnerability to a premium, any
> > quants who do security as well ?
> >
> > -sinan
> >
> > On Tue, 9 Dec 2008, Dave Aitel wrote:
> >
> > >  -----BEGIN PGP SIGNED MESSAGE-----
> > >  Hash: SHA1
> > >
> > >  One technique we're doing this week with a client is taking an attack
> > >  tree and marking it up with dollar values. I.E. if you wanted to buy
> > >  an 0day in X component, how much would it cost?
> > >
> > >  This then is a simple summation to produce a "how much is it to get
> > >  into the internal network from the internet" which the business can
> > >  use to help them decide yay/nay on the project as a whole depending on
> > >  their own view of the threat and the value of the information they are
> > >  protecting.
> > >
> > >  -dave
> > >
> > >
> > >  Halvar Flake wrote:
> > > >  Hey all,
> > > >
> > > >  It seems that discussions in ITsec are periodic -- the same
> > > >  discussions and same arguments come up again and again.
> > > >
> > > >  1. Of course attackers use new vulnerabilities. It is the nature of
> > > >  offense. Defense is done "to the maximum of current knowledge".
> > > >  Offense, by it's nature, has to expand on the status quo.
> > > >
> > > >  2. How do you simulate an attack with a new vulnerability if you
> > > >  don't have one ?
> > > >
> > > >  Well, military folks do wargames all the time without actually
> > > >  using up the arsenal they have on the shelves. Network attacks
> > > >  should probably be done in a similar manner -- have an umpire, and
> > > >  give the attacking team a few "0day cards". With these cards they
> > > >  get high-probability code execution for a piece of software of
> > > >  their choice.
> > > >
> > > >  The pentest then proceeds like a game, but can be conducted on the
> > > >  real network, too.
> > > >
> > > >  But I am repeating myself ...
> > > >
> > > >  Cheers, Halvar _______________________________________________
> > > >  Dailydave mailing list Dailydave () lists immunitysec com
> > > >  http://lists.immunitysec.com/mailman/listinfo/dailydave
> > >
> > >  -----BEGIN PGP SIGNATURE-----
> > >  Version: GnuPG v1.4.6 (GNU/Linux)
> > >  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > >
> > >  iD8DBQFJPoSCtehAhL0gheoRAqofAJ0Yvic/Ro6dRr+xWLavp+DizANyAACfWUXc
> > >  JRFeXEvy4EJeg5gkuXxC2ZU=
> > >  =6PWU
> > >  -----END PGP SIGNATURE-----
> > >
> > >  _______________________________________________
> > >  Dailydave mailing list
> > >  Dailydave () lists immunitysec com
> > >  http://lists.immunitysec.com/mailman/listinfo/dailydave
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave