OSINT—or open source intelligence—is a wondrous thing. As security professionals know, this nearly endless sea of information provides both opportunities and drawbacks. Threat intelligence vendors, though, harness the vastness of the web to unearth tidbits of information, often scattered across disparate locations and formats, and use it to correlate and then analyze data, which helps uncover cyber threats and trends.
One concerning trend is the rapid increase of shared proof-of-concept (POC) exploits across the web and, particularly interesting, on open social media platforms like Twitter. According to a blog post by threat intelligence firm Recorded Future, the company conducted research on “where POCs are developed, discussed, and shared” across the web. POC exploits are commonplace in the security industry; security researchers and practitioners develop them as a means of finding vulnerabilities in software and applications before the threat actors do, and threat actors write them (needless to say) to exploit vulnerabilities for more nefarious purposes.
Both groups are prone to sharing findings in online forums and on social media. White hats share to help or convince a company to develop a patch, to demonstrate lessons learned to other researchers or QA teams, or even to show off their technical prowess. The black hats, on the other hand, want to spread the word so they can monetize the exploit or provide direction on how others can attack a particular target.
To understand the activity among bug hunters as a whole, Recorded Future reached back to a 2014 dataset collected, normalized, organized, and analyzed in their intelligence platform to compare the past twelve months’ references to the previous twelve months. From March 2015 to present, the firm found approximately 12,000 references to shared POCs, which is an increase of nearly 200% over the previous period. The distribution is growing, but why?
Nicholas Espinoza, senior solutions engineer with Recorded Future’s Federal Team and author of the post, says he’s not certain why an uptick in posts has occurred but speculates that, perhaps, it could be the technologies affected—Android, the GNU C Library, virtual machines—that are more interesting and valuable to researchers and threat actors. These technologies have been around for a while, though, as has Twitter, which surfaced as the primary method of distribution. From Twitter, users point their findings to other sources, including code repositories, paste sites, deep web forums, and other social media, which may account for the greater distribution of a single POC post. How many of these posts are net-new versus repetitions about the same POC? Espinoza clarified that only about 2,000 of the tweets were retweets, which means that 10,000 new posts occurred across the board (N.B. not all posts originated or were shared on Twitter).
Raising even more questions about the burst of activity, the research found just under 200 unique vulnerabilities in this dataset—in other words, a new vulnerability almost every two days—with a new POC linked to it. The top tier of sharers were professional researchers and competition participants (e.g., in CTFs) rather than threat actors, which raises the question again: Why?
Before reading the post, I would have guessed that most of the sharing comes from malicious hackers. Assuming responsible disclosure has already taken place, why are white hats so noisy about their work? The “echo effect,” as Espinoza writes, is pretty large considering the number of vulnerabilities found. Is the fascination among the “good guys” prompted by interest in better/quicker/easier discovery of vulnerabilities and exploits? Are more people worried about the growing threat landscape and using these posts as a way to enhance their own threat intelligence collection? Are companies using the lessons learned to tighten up development processes? Or is this a simple matter of rubber-necking?
It’s hard to tell by the research posted. For me, the blog brought up more questions than it answered, but it’s certainly a topic worth exploring. Most security professionals struggle to find enough time in the day as it is; time spent looking into or sharing information about a vulnerability or exploit, presumably, means there is value to the security program or the individuals’ skill sets. Is this true, or are shared exploits just the bright, shiny object in the room?