Security researchers recently discovered a new, advanced form of malware that is so sophisticated, it is believed only a nation state could have developed it. Known as “Project Sauron”, the malware went undetected for five years until Kaspersky Labs discovered it in one of their client’s networks last September. Since then, they’ve found it at well over 30 other organizations, including those in Russia, Iran, and Rwanda. Symantec has also noted the malware to have existed in the network of an airline in China, and an embassy in Belgium.
The “Project Sauron” malware is referred to as an advanced persistent threat (APT). Although APTs only make up 20% of cyberattacks, their depth, duration, and impact dwarf their relative rarity. APTs often leverage a zero-day exploit or vulnerability to install themselves in the network, at which point they do everything possible to stay undetected while stealing an organization’s most sensitive data. And APTs aren’t limited to targeting other countries. The Carbanak and Eurograbber APTs, for example, targeted financial institutions, going after money rather than data.
Flame, Red October, Deep Panda, and now Project Sauron all have one thing in common: they went undetected for years. The sophistication of these attacks, combined with the vast resources available to the perpetrators, raises the obvious question: Is there anything organizations can do to protect themselves from APTs?
While APTs tend to have a narrow target, a new wave of technology that will soon permeate our lives has the potential to dramatically increase the attack surface available to cyber criminals: the Internet of Things (IoT). The Internet of Things refers to a new generation of devices connected to the Internet, including jet engine sensors, home thermostats, and even pacemakers.
It’s projected that over 20 billion IoT devices will come online in the next 4 years. With this expected deluge of Internet-connected devices, rapid discovery and communication of vulnerabilities will be paramount. Once again, the obvious question should be raised: How can we protect ourselves from future cyberattacks that exploit IoT adoption when we’re already struggling to protect against attacks on today’s systems?
Enter Bug Bounty Programs
While cybersecurity vendors continue to struggle with detecting APTs in a timely manner, another trend is emerging in parallel. Software and technology firms, and even government agencies, are increasingly launching their own bug bounty programs to crowdsource the detection of zero-day vulnerabilities in their products. Discovering software vulnerabilities and fixing them makes it more challenging for attackers to exploit systems.
Bug bounty programs aren’t new. Netscape launched the first bug bounty program in 1995 to find bugs in its Netscape Navigator browser. Today, however, we’re seeing a steady maturation of these programs as technology vendors race to identify vulnerabilities. Bug bounties are one of the most promising ways to level the cybersecurity playing field by using the talents and resources of the cybersecurity research community to prevent threats before criminal organizations and states with deep pockets and near limitless resources can develop them.
Security vendors like Kaspersky Labs have recognized the need for a new model of cybersecurity, announcing the launch of their Kaspersky Lab Bug Bounty Program earlier this month during the Black Hat event.
Other organizations that have launched bug bounty programs include Google, Facebook, Microsoft (and its cloud service Office 365), Apple, AT&T, eBay, Dropbox, GM, Intel, Sony, Fiat Chrysler, Tesla Motors, and even the US Department of Defense, just to name a few.
Not everyone is on board with bug bounties, however. Oracle CSO Mary Ann Davidson made some bold claims regarding bug bounties and reverse engineering Oracle’s code a year ago when she stated: “There are a lot of data breaches that would be prevented by [applying relevant security patches], as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me!” While Davidson makes a strong point that identifying vulnerabilities is not helpful if customers fail to patch affected systems, bug bounties clearly have a place in cybersecurity, helping vendors find vulnerabilities in their products before attackers do.
The Future of Bug Bounties
Despite the increasing adoption of bug bounty programs, they still have a long way to go. When Apple announced its bug bounty program, analysts were quick to point out some key differences between its program and what Google, Facebook, and Microsoft have done.
Unlike the open-to-all approach that the latter three companies have taken, Apple’s is an invite-only program, which has certain distinct advantages. A public bounty program can result in a deluge of reported vulnerabilities, many of which turn out to be invalid.
According to the 2016 State of Bug Bounty Report, from the bug bounty platform company Bugcrowd, 45.38% of all bug submissions are invalid, while another 36.23% are duplicate, underscoring the importance of starting out with private bug bounties.
The same report, however, showed that 63% of its customers considered bug bounty results to be better than or on par with traditional methods. Despite these results, only 6% of companies on the Forbes 2000 list have a bug bounty program, indicating that many more organizations could benefit from crowdsourcing the identification of technology vulnerabilities.