Companies such as Trend Micro help tackle scenarios in which a security hole is exploited by bad guys before the vendor becomes aware and hurries to fix it. Image Credit: Agency

Dubai

Today, there remains a perception within the information security industry that vulnerability researchers are malicious hackers looking to do harm.

While there clearly are malicious people out there, they remain a small minority of the total number of those who actually discover new software vulnerabilities.

Brian Gorenc, director of vulnerability research at Trend Micro, said that in reality the number of benevolent researchers with the expertise required to discover software vulnerabilities is a sizeable and growing population.

In this role, Gorenc leads the Zero Day Initiative (ZDI) programme, which represents the world’s largest vendor-agnostic bug bounty programme.

His focus includes analysing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software.

“The dissemination of publicly available vulnerability analysis and discovery tools has helped foster this group of security enthusiasts. Also, it is not uncommon for ‘white hat’ security professionals to stumble onto a new flaw while doing their day-to-day security work,” he said.

“As part of our research programme ZDI, we’re looking at vulnerabilities coming in across the world, a lot of research focused on document readers and browser security. And as part of the programme, we buy vulnerability data from researchers and experts, so that we are able to transpire in the next six months before everybody else sees them,” he said.

He said that attackers are shifting towards vulnerabilities in document readers and browsers. The attack surface is moving, he said, and that is something against which “we need to protect the industry”.

To accomplish this, he said, Trend Micro encourages the reporting of zero-day vulnerabilities and financially rewards researchers. Those who discover zero-day bugs can submit them to the ZDI programme and receive monetary compensation for doing so. As a researcher discovers and provides additional research, he said, bonuses and rewards can increase through a loyalty programme similar to a frequent flyer programme.

What is a zero-day vulnerability?

It refers to a hole in the software that is unknown to the vendor. This security hole is then exploited by bad guys before the vendor becomes aware and hurries to fix it.

Once the bug is confirmed by the researchers, Gorenc said, teams work to develop filters based on the report so that customers remain protected while the bug is being corrected by the vendor.

“The ZDI then discloses the information about the bug to the affected vendor so that they can build and distribute a security patch. Once a patch is ready from the affected vendor, ZDI researchers work collaboratively with the vendor to notify the public of the vulnerability through a joint advisory that provides full credit to the originating researcher, unless the researcher chooses to remain anonymous,” he said.

Looking at what is going on around the internet, he said, you will see people trying to protect themselves against advanced attacks. One of the things Trend Micro does as part of the programme is to look at the new mitigations being released inside software that help stop such attacks.

“If we look across the board, people are becoming more and more persistent at what they’re trying to do. Looking at the advanced tactics and technologies available now, we are trying to stay ahead of these people [hackers] and trying to make sure that we can stop the attacks that they are going to do,” he said.

Last year, Gorenc said, ZDI disclosed over 660 zero-day vulnerabilities to vendors, resulting in patches and zero-day protection for Trend Micro’s customers, so that attackers are not able to use these vulnerabilities to break into the enterprise.

“This year, we’ll be looking at the user vulnerabilities. We’re partnering with the vendors to actually help make it harder for the attackers to get in,” he said.

In March, Trend Micro ran a contest, PWN2OWN (The Root Of Research), which brings researchers from around the world together to target hardened attack surfaces with exploits; the contest “killed” 51 zero-day vulnerabilities.

“If you look from our side, we are supplying vulnerability information to Microsoft and Adobe. All of the major vendors are doing a great job in hardening their software. In our programmes last year, we explored the most vulnerabilities in Adobe,” he said.

In 2016, Adobe outpaced Microsoft for the first time in terms of vulnerability discoveries. Among the vulnerabilities disclosed through the ZDI in 2016 were 135 in Adobe products and 76 in Microsoft’s. 2016 was also the single biggest year for Apple in terms of vulnerabilities, as 50 were disclosed as of November, up from 25 the previous year.