EDITORIAL | March 16, 2022

Responding to a Changing Threatscape: Sharing More

The War in Ukraine has caused a sea change in the threatscape, where a highly capable group of threat actors now has a much stronger incentive to use cyber actions to achieve their objectives and support their interests. At IOActive we are adjusting our course of action in response to this change in several areas: in addition to our groundbreaking cybersecurity research, another element arriving in the upcoming months is that we will be sharing more and different types of content on our blogs.

Some of this new content will be items we normally share discreetly with our clients in small, verbal briefings or through Information Sharing and Analysis Centers (ISACs). However, we have decided to judiciously publicize more of this information due to the more intense risks the community is facing today.

Original Cybersecurity Research

In accordance with our Responsible Disclosure Policy¹, we’ll be sharing previously unpublished, original cybersecurity research to which product manufacturers were non-responsive after our disclosure steps or where we’re seeing similar vulnerabilities exploited in the wild. For example, due to the exploitation of vulnerabilities in commercial satellite communications (SATCOM) terminals², as presciently foreseen by Ruben Santamarta in two research projects from 2014³ and 2018⁴, as well as by the US National Security Agency (NSA) in a January 2022 Cybersecurity Advisory⁵, we’ll be sharing, in a two-phase approach, vulnerabilities that we originally reported to a terminal manufacturer more than 3 years ago. You can find that initial post here.⁶

Analytical Threat Intelligence

IOActive normally chooses not to publicly share the products of our threat intelligence analytics, wherein we explore the operational and cybersecurity consequences of our original research findings or assess which threat actors may have the capability and interest to perform or operationalize attacks similar to those found in our research. Given the changed threatscape, however, we feel it’s important to share a retrospective look at the revealed SATCOM vulnerabilities and their utilization in the War in Ukraine; likewise, we will be sharing more analytical perspectives on cybersecurity threats to transportation, as briefly covered in a recent FleetOwner article specific to trucking fleet operations.⁷ While these analytical products are often informal, they can be extremely valuable to organizations of all types.

Strategies and Potential Courses of Action

In addition to providing threat intelligence products from an attacker’s viewpoint, we also advise our clients and share with ISACs strategies to manage their cybersecurity and operational risks, as well as potential courses of action based on our detailed understanding of how attackers operate and succeed. Often these suggestions and advice are made in response to our original cybersecurity research and its corresponding analytical threat intelligence.



EDITORIAL | August 3, 2021

Counterproliferation: Doing Our Part

IOActive has always done its part in preventing the misuse of our work.

IOActive’s mission is to make the world a safer and more secure place. In the past, we’ve worked to innovate in the responsible disclosure process, with the most visible and memorable example being Dan Kaminsky’s research into DNS.[1] This involved one of the first uses of widespread, multiparty coordinated responsible disclosure, which quickly became the gold standard as referenced in CERT’s Guide to Responsible Disclosure.[2]

We don’t always talk publicly about our non-technical innovations, since they frequently aren’t as interesting as the groundbreaking cybersecurity research our team delivers. However, a couple of recent events have prompted us to speak a bit about some of these less glamorous, but nonetheless extremely important, innovations. First, we were deeply saddened by the passing of Dan Kaminsky, and would like to share how we’re building upon his legacy of non-technical innovation in vulnerability research. Second, there was a significant disclosure, covered by global media organizations, regarding the misuse of weaponized mobile phone vulnerabilities, packaged with surveillance tools, to target journalists and others for political purposes rather than for lawful purposes consistent with basic human rights.

What We’re Doing

There are three primary elements to our policies that prevent the misuse of the vulnerabilities we discover.

Responsible Disclosure

IOActive has always had a policy of responsible disclosure. We transparently publish our policy on our website for everyone to see.[3] Over time, we’ve taken additional innovative steps to enhance this disclosure process.

We’ve built upon Dan’s innovation in responsible disclosure by sharing our research with impacted industries through multinational Information Sharing and Analysis Centers (ISACs).[4] Likewise, we’ve worked to confidentially disclose more of our pre-release research to our clients when it may impact them. As our consultants and researchers find new and innovative ways to break things, we’ll find new and innovative ways to disclose their work and associated consequences, with the goal of facilitating the best outcomes for all stakeholders.

Policy on the Sale of Vulnerabilities

IOActive is very clear on this simple policy, both publicly and with our clients: we do not sell vulnerabilities.

A well-developed market for vulnerabilities has existed for some time.[5] Unfortunately, other cybersecurity firms do sell vulnerabilities, and may not have the necessary ethical compartmentalization and required policies in place to safeguard the security and other interests of their clients and the public at large.

While we support the bug bounty concept, which can help reduce the likelihood of vulnerability sales and supports the independent research community, bug bounties as a commercial service do not adequately address concerns such as personnel vetting or the testing of resources that are only available onsite at a client.

Contractual Responsible Disclosure Requirement

As a standard practice in our commercial work, we require the ability to report vulnerabilities we discover in third-party products externally only to the affected manufacturers, in addition to the client, to ensure that an identified defect can be properly corrected. IOActive offers to coordinate this disclosure process to the manufacturers on behalf of our clients.

This normally leads to a virtuous cycle of improved security for everyone through our commercial work. Any vulnerability discovery benefits not only the client, but the entire ecosystem, both of whom in turn benefit from the vulnerability discovery work we do for other clients.

Every person reading this post has benefited from better security in the products and services they and their organizations use every day, due to the combination of our fantastic consultants and clients who support doing the right thing for the ecosystem.

Fundamentally, when a vulnerability is corrected, that risk is retired for everyone who updates to the secure version, and weaponization of the vulnerability is prevented. When those fixes are pushed out through an automated update process, the benefits accrue without any active effort on the part of end users or system maintainers.

How to Help

Make it Easy to Receive Disclosures

As a prolific vulnerability discloser, we see a wide spectrum of maturity in receiving and handling vulnerability disclosures. We must often resort to creative and time-intensive efforts to locate a contact who will respond to our attempts to disclose a vulnerability. Occasionally, we run into a dead end and are unable to make productive contact with organizations.

Here’s a short list of actions that will help make it easy to collect vulnerability information your organization really needs:

  1. Run a Vulnerability Disclosure Program. A vulnerability disclosure management program provides bidirectional, secure communication between the discloser and the impacted organization in a formal, operationalized manner. You can run such a program with internal resources or outsource it to a commercial firm providing managed vulnerability disclosure program services.
  2. Be Easy to Find. It should be simple and effortless for a researcher to find details on the disclosure process for any organization. A good test is to search for “<Your Organization Name> Vulnerability Disclosure” or “<Your Organization Name> Vulnerability Report” in a search engine. Ideally, your public disclosure page should appear in the first page or two of results.

Cesar Cerrudo, CTO of IOActive Labs, discusses in more depth how to get the best outcomes from working with researchers during the vulnerability disclosure process in his post, 10 Laws of Disclosure.[6]

Working with Security Firms

When you’re selecting a security firm for vulnerability discovery work, you should know what they will do with any vulnerabilities they find. Here are a few core questions for which any firm should have detailed, clear answers:

  • Does the company have a responsible disclosure policy?
  • What is the company’s policy regarding the sale of vulnerabilities?
  • Does the company require responsible disclosure of the vulnerabilities it discovers during client work?
  • How does the company handle third-party responsible disclosure for its clients?

Participate in the Discussion

The global norms around the sale and weaponization of cybersecurity vulnerabilities, as well as their integration into surveillance tools, are being established today. More constructive, thoughtful public debate today can prevent the current deleterious conduct, and its associated dystopic outcomes, from becoming the global standard of behavior through inattention and inaction.


References

[1] https://www.cnet.com/tech/services-and-software/security-bites-107-dan-kaminsky-talks-about-responsible-vulnerability-disclosure/
[2] https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf
[3] https://ioactive.com/disclosure-policy/
[4] https://www.nationalisacs.org/
[5] https://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf
[6] https://ioactive.com/10-laws-of-disclosure/