a day in the life of a vulnerability researcher · a day in the life of a vulnerability researcher...

A Day in the Life of a Vulnerability Researcher

Vincent LeeVulnerability Researcher

2 Copyright 2017 Trend Micro Inc.2

Who am I?

•Vulnerability Researcher @ ZDI

•BASc Computer Engineering

•Twitter: @trendytofu

What is ZDI?and what do we do?

4 Copyright 2017 Trend Micro Inc.4

World’s largest vendor agnostic bug bounty program

ZERO DAY INITIATIVE

5 Copyright 2017 Trend Micro Inc.

How it works

Trend Micro Customers Protected Ahead of Patch

Other Network Security Vendor’s Customers at Risk

Vulnerability submitted to the

ZDI program

Vendor Notified

Digital Vaccine®

Filter Created

Vendor Response Window

Vulnerability is Patched or Remains

Unfixed

Public Disclosure

Copyright 2018 Trend Micro Inc.6

Law EnforcementIndustry

Coordinated disclosure

Consumers Business Government

Public/Private Partnerships

Alerts, blogs, news, reports, guidance

Free tools

Insights to improve Trend Micro’s core technology and products

Trend Micro Research

24X7 response, security updates, IPS rules…

Threats Vulnerabilities & Exploits

Cybercriminal Undergrounds

IoT OT / IIoTAI &Machine Learning

Future Threat Landscape

Targeted Attacks

Healthcare

Copyright 2017 Trend Micro Inc.

Targeted Incentive Program

Copyright 2017 Trend Micro Inc.

Pwn2Own Organizer

TheExploitEconomy


Evolving Marketplace

SECURITY RESEARCHERS and HACKERS have a multitude of options available to sell their BUGS

White Market Grey Market Black Market


Marketplace

White Market

Security Vendors

Bug Bounty Programs

Gray Market

Exploit Brokers

Exploit Shops

Exploit Intelligence Marketplace


Economy in Action

ResearchersFinds Bugs

Bug BountyProgram

Report to Vendor

Sell Report$1K - $25K

Signatures

Exploit Writer

$10K - $100K

Vuln Broker

Government

$10K - $1000K

$10K - $1000K

UsedAgainst??

Bot HerderBotnet Creator Compromises PCs

Sells Exploit Rents Botnet

Spammer DDoS Extortion Credential Harvesting

Smart Criminal Make One Big Purchase

Sells Stolen Creds

Dumb Criminal Buys Beer & Chips

Re-Sells Stolen Creds


Economy in Action


Bug BountyProgram

Report to Vendor

Sell Report$1K - $25K

Signatures

Completely Legal*


Economy in Action


Vuln Broker

Government

$10K - $1000K

$10K - $1000K

UsedAgainst??

Mostly Legal*


Economy in Action


Exploit Writer

$10K - $100K

Bot HerderBotnet Creator Compromises PCs

Sells Exploit Rents Botnet

Spammer DDoS Extortion Credential Harvesting

Smart Criminal Make One Big Purchase

Sells Stolen Creds

Dumb Criminal Buys Beer & Chips

Re-Sells Stolen Creds

Definitely Not Legal*

16 Copyright 2017 Trend Micro Inc. 16

Responsibilities


•Review report•Acquire/install/configure product•Run PoC and debug•Reverse engineering to find out root cause, and determine exploitability •Offer•Detection guidance

Triage process in a nutshell

ZDI-19-508CVE-2019-7824


ZDI-19-508

Pwn2Own


Pwn2Own

•CanSecWest - Vancouver(March)

•PacSec – Tokyo (November)


Pwn2Own


Research


Research

https://www.zerodayinitiative.com/blog/


Find us at these conferences


Plugging In

https://www.zerodayinitiative.com

@thezdi

PGP https://www.zerodayinitiative.com/documents/zdi-pgp-key.ascFingerprint: 743F 60DB 46EA C4A0 1F7D B545 8088 FEDF 9A5F D228

QuestionsThank you for your time and attention

a day in the life of a vulnerability researcher · a day in the life of a vulnerability researcher...

Documents