Classification, Longevity, and Costs of Zero Day Exploits
Offensive cyber security hinges on exploiting vulnerabilities in order to create effects on adversaries’ cyber systems. A commonly shared belief in the field is that an attacker has a greater advantage if the effect uses an unknown vulnerability, also known as a zero day. Given this shared belief, the discovery of zero days, the process of turning them into reliable effects, and their eventual sale to and use by either nation-state actors or criminal organizations is the foundation of offensive cyber security operations.
Despite this importance, the world surrounding zero days, primarily their development and their sale, has not garnered much formal research. It can be surmised that this is due to the specialized technical knowledge required to understand this field, as well as the national security repercussions of some of the information on zero day capabilities.
RAND followed a vulnerability research company, labeled BUSBY, and tracked their inventory of zero days for fourteen years (Ablon & Bogart, 2017). RAND contributed to the field of zero day research by expanding on a typical classification of zero days, measuring the longevity of zero days, and measuring the costs of zero days.
Classification of Zero Day Exploits
The first insight made by the researchers is that zero day exploits fall on a broader spectrum than simply “Alive,” meaning the vulnerability has not been disclosed, and “Dead,” meaning the vulnerability has been disclosed. RAND Corporation makes the distinction that the following are proper classifications for a zero day: “Living,” “Immortal,” “Security Patch,” “Killed by BUSBY,” “Publicly Shared,” and “Code Refactor” (Ablon & Bogart, 2017).
Zero Day