Exploit Brokers and Offensive Cyber Operations

Matthias Dellago; Andrew C. Simpson; Daniel W. Woods

Exploit Brokers and Offensive Cyber Operations

Matthias Dellago, Andrew C. Simpson, Daniel W. Woods

Research output: Contribution to journal › Article › peer-review

Abstract

A necessary step in conducting offensive cyber operations is developing or acquiring an exploit, i.e., a means for taking advantage of a software vulnerability or security deficiency. While these can be developed within government agencies, they can also be procured from private actors. Studying these private markets present an opportunity to understand offensive cyber operations, especially as markets break from the secretive culture of intelligence agencies. This article provides novel evidence of such opportunities by collecting data in the form of the prices quoted by an exploit broker who claims to sell to governments. We find exploit price inflation of 44% per annum, and higher prices for exploits targeting mobile devices relative to desktop devices. Exploits requiring additional capabilities like physical access to the device are quoted at a discount, and no-click remote access vulnerabilities carry a heavy premium. The broker does not quote prices for any exploits that specifically target industrial control systems or IoT devices. We conclude by discussing how these results inform the future of offensive cyber.

Original language	English
Pages (from-to)	31-48
Number of pages	17
Journal	The Cyber Defense Review
Volume	7
Issue number	3
Publication status	Published - 16 Aug 2022

Access to Document

Exploit Broker_DELLAGO_DOA18082022_AFVAccepted author manuscript, 891 KBLicence: Creative Commons: Attribution (CC-BY)

https://www.jstor.org/stable/48682321Licence: All Rights Reserved

Cite this

@article{c566081470ed4212b36e90e53bfd1a18,

title = "Exploit Brokers and Offensive Cyber Operations",

abstract = "A necessary step in conducting offensive cyber operations is developing or acquiring an exploit, i.e., a means for taking advantage of a software vulnerability or security deficiency. While these can be developed within government agencies, they can also be procured from private actors. Studying these private markets present an opportunity to understand offensive cyber operations, especially as markets break from the secretive culture of intelligence agencies. This article provides novel evidence of such opportunities by collecting data in the form of the prices quoted by an exploit broker who claims to sell to governments. We find exploit price inflation of 44% per annum, and higher prices for exploits targeting mobile devices relative to desktop devices. Exploits requiring additional capabilities like physical access to the device are quoted at a discount, and no-click remote access vulnerabilities carry a heavy premium. The broker does not quote prices for any exploits that specifically target industrial control systems or IoT devices. We conclude by discussing how these results inform the future of offensive cyber.",

author = "Matthias Dellago and Simpson, {Andrew C.} and Woods, {Daniel W.}",

year = "2022",

month = aug,

day = "16",

language = "English",

volume = "7",

pages = "31--48",

journal = "The Cyber Defense Review",

publisher = "Army Cyber Institute",

number = "3",

}

TY - JOUR

T1 - Exploit Brokers and Offensive Cyber Operations

AU - Dellago, Matthias

AU - Simpson, Andrew C.

AU - Woods, Daniel W.

PY - 2022/8/16

Y1 - 2022/8/16

N2 - A necessary step in conducting offensive cyber operations is developing or acquiring an exploit, i.e., a means for taking advantage of a software vulnerability or security deficiency. While these can be developed within government agencies, they can also be procured from private actors. Studying these private markets present an opportunity to understand offensive cyber operations, especially as markets break from the secretive culture of intelligence agencies. This article provides novel evidence of such opportunities by collecting data in the form of the prices quoted by an exploit broker who claims to sell to governments. We find exploit price inflation of 44% per annum, and higher prices for exploits targeting mobile devices relative to desktop devices. Exploits requiring additional capabilities like physical access to the device are quoted at a discount, and no-click remote access vulnerabilities carry a heavy premium. The broker does not quote prices for any exploits that specifically target industrial control systems or IoT devices. We conclude by discussing how these results inform the future of offensive cyber.

AB - A necessary step in conducting offensive cyber operations is developing or acquiring an exploit, i.e., a means for taking advantage of a software vulnerability or security deficiency. While these can be developed within government agencies, they can also be procured from private actors. Studying these private markets present an opportunity to understand offensive cyber operations, especially as markets break from the secretive culture of intelligence agencies. This article provides novel evidence of such opportunities by collecting data in the form of the prices quoted by an exploit broker who claims to sell to governments. We find exploit price inflation of 44% per annum, and higher prices for exploits targeting mobile devices relative to desktop devices. Exploits requiring additional capabilities like physical access to the device are quoted at a discount, and no-click remote access vulnerabilities carry a heavy premium. The broker does not quote prices for any exploits that specifically target industrial control systems or IoT devices. We conclude by discussing how these results inform the future of offensive cyber.

M3 - Article

VL - 7

SP - 31

EP - 48

JO - The Cyber Defense Review

JF - The Cyber Defense Review

IS - 3

ER -

Exploit Brokers and Offensive Cyber Operations

Abstract

Access to Document

Fingerprint

Cite this