
Tenable Blog


A Look at the Vulnerability-to-Exploit Supply Chain

Last week, Tenable Research released the report, How Lucrative Are Vulnerabilities? A Closer Look at the Economics of the Exploit Supply Chain, which takes a close look at the vulnerability-to-exploit supply chain and ecosystem.

The journey a software flaw takes – from being discovered and disclosed as a vulnerability to exploit development to ultimately being used in a cyberattack – includes many different travelers and stops. We chose to portray this journey in the form of a simplified vulnerability-to-exploit (V2E) supply chain model, which consists of only four main players:

  1. Producers: Discover vulnerabilities and then develop proof-of-concept exploit code. 
  2. Suppliers: Facilitate the brokering and general availability of exploits and related knowledge to the market. 
  3. Service providers: Integrate exploits into a variety of third-party products and services – from penetration testing frameworks to exploit kits. 
  4. Consumers (e.g., end-user organization conducting a penetration test, criminal gang perpetrating fraud): Use the exploits.

Figure: The V2E simplified supply chain

To learn more about the model and associated market actors, download the report. In this blog post, we’ll delve into one of the more interesting aspects of the V2E ecosystem.

Three markets of the vulnerability-to-exploit supply chain

While this supply chain model does a great job of breaking down the individual actors, it hides a significant difference from most other markets. What makes the V2E supply chain so unique is that it straddles three very different market segments: the white, gray and black markets.

  • White market in vulnerabilities and exploits: Primarily composed of cybersecurity vendors and researchers focused on making intelligence widely available. It has driven the price of zero-day exploits into astronomical six-digit figures.
  • Gray market: Composed of nation states and state-sponsored agencies/actors, motivated by national security concerns, that acquire and develop exploits for covert intelligence operations.
  • Black (criminal) market: Exists mainly on the dark web. Black marketers sell capabilities required to weaponize and productize exploits in the form of cybercrime-as-a-service offerings (e.g., offensive operations such as ransomware).

Vulnerability-to-exploit supply chain: One ecosystem, conflicting goals

These markets are symbiotic and share a single ecosystem, but their objectives are diametrically opposed. The white market seeks to “defend and disclose” while the black market aims to “attack and obfuscate.” Gray market participants carefully balance national security and public security, relying on the latter, but will disclose for the greater good. By the time an exploit moves from vulnerability discovery to being used in an attack, it will have jumped across at least two and sometimes all three of these markets.

Figure: Supply chain flow, showing the journey through the white, gray and black V2E markets

Vulnerability-to-exploit supply chain: Common start, differing or even parallel paths

Whichever of the three markets is involved, the journey always begins with the discovery of a vulnerability, but it can then take divergent and occasionally even parallel paths. The only difference is that the white market uses the vulnerability and exploit intelligence to develop and deploy defensive capabilities, rather than to pursue criminal objectives like the black market.

Figure: Mirrored legal and illegal V2E supply chain

Commercialization of the vulnerability-to-exploit supply chain

Both sides of the supply chain, whether defensive or offensive, diverge into commercial offerings. Research shows the black market has professionalized in recent years, with cybercrime-as-a-service offerings catering to a wide variety of criminal activities. Many of these are microservices bundled together to create purpose-designed attack architectures – from victim identification and profiling to persistence and attack obfuscation. Business-to-business services (e.g., money laundering, cryptocoin escrow services) complete an end-to-end ecosystem, making sophisticated offensive cyber capabilities available to anyone with sufficient will and capital.

While the barriers to entry for developing and weaponizing exploits have risen due to this professionalization, the barriers to entry for conducting criminal and offensive cyberoperations, in terms of required skill and tooling, have been lowered. Criminals can buy whatever capabilities they require, combine them and focus on committing the crime. This may well lead to growth in cybercrime, but it also represents an Achilles heel for smart defenders to target.

Less diversity in vulnerabilities being targeted in the wild

This increase in professionalism has come at the cost of diversity: less diversity in threat actors and, especially, less diversity in their deployed tools, tactics and procedures. That all equates to less diversity in vulnerabilities being targeted in the wild. For end users and the community, given the right intelligence, that means more strategic remediation and less work.
