Why would an attacker ever want to sit on a zero-day exploit?











up vote
3
down vote

favorite
1












I am trying to understand why an attacker would want to wait to use a zero-day exploit.



I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



Question: What factors would cause the attacker to wait to use a zero-day exploit?










share|improve this question







New contributor




jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    3
    down vote

    favorite
    1












    I am trying to understand why an attacker would want to wait to use a zero-day exploit.



    I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



    Question: What factors would cause the attacker to wait to use a zero-day exploit?










    share|improve this question







    New contributor




    jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      3
      down vote

      favorite
      1









      up vote
      3
      down vote

      favorite
      1






      1





      I am trying to understand why an attacker would want to wait to use a zero-day exploit.



      I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



      Question: What factors would cause the attacker to wait to use a zero-day exploit?










      share|improve this question







      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I am trying to understand why an attacker would want to wait to use a zero-day exploit.



      I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



      Question: What factors would cause the attacker to wait to use a zero-day exploit?







      zero-day






      share|improve this question







      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 3 hours ago









      jonem

      1162




      1162




      New contributor




      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      jonem is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          4
          down vote













          Because the old ways are the best.
          Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
          Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






          share|improve this answer




























            up vote
            1
            down vote













            It's more likely that you'll burn a 0day by using it than by sitting on it.



            There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



            Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



            There are a few other reasons 0days may be kept for long periods:




            1. Some people simply hoard 0days for the sake of it. This is all too common.


            2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


            3. Sometimes a 0day broker is sitting on them while waiting for the right client.







            share|improve this answer























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "162"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });






              jonem is a new contributor. Be nice, and check out our Code of Conduct.










              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198951%2fwhy-would-an-attacker-ever-want-to-sit-on-a-zero-day-exploit%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              4
              down vote













              Because the old ways are the best.
              Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
              Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






              share|improve this answer

























                up vote
                4
                down vote













                Because the old ways are the best.
                Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






                share|improve this answer























                  up vote
                  4
                  down vote










                  up vote
                  4
                  down vote









                  Because the old ways are the best.
                  Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                  Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






                  share|improve this answer












                  Because the old ways are the best.
                  Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                  Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 1 hour ago









                  McMatty

                  2,1251112




                  2,1251112
























                      up vote
                      1
                      down vote













                      It's more likely that you'll burn a 0day by using it than by sitting on it.



                      There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



                      Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



                      There are a few other reasons 0days may be kept for long periods:




                      1. Some people simply hoard 0days for the sake of it. This is all too common.


                      2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


                      3. Sometimes a 0day broker is sitting on them while waiting for the right client.







                      share|improve this answer



























                        up vote
                        1
                        down vote













                        It's more likely that you'll burn a 0day by using it than by sitting on it.



                        There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



                        Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



                        There are a few other reasons 0days may be kept for long periods:




                        1. Some people simply hoard 0days for the sake of it. This is all too common.


                        2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


                        3. Sometimes a 0day broker is sitting on them while waiting for the right client.







                        share|improve this answer

























                          up vote
                          1
                          down vote










                          up vote
                          1
                          down vote









                          It's more likely that you'll burn a 0day by using it than by sitting on it.



                          There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



                          Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



                          There are a few other reasons 0days may be kept for long periods:




                          1. Some people simply hoard 0days for the sake of it. This is all too common.


                          2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


                          3. Sometimes a 0day broker is sitting on them while waiting for the right client.







                          share|improve this answer














                          It's more likely that you'll burn a 0day by using it than by sitting on it.



                          There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



                          Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



                          There are a few other reasons 0days may be kept for long periods:




                          1. Some people simply hoard 0days for the sake of it. This is all too common.


                          2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


                          3. Sometimes a 0day broker is sitting on them while waiting for the right client.








                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited 2 mins ago

























                          answered 31 mins ago









                          forest

                          28k1385101




                          28k1385101






















                              jonem is a new contributor. Be nice, and check out our Code of Conduct.










                              draft saved

                              draft discarded


















                              jonem is a new contributor. Be nice, and check out our Code of Conduct.













                              jonem is a new contributor. Be nice, and check out our Code of Conduct.












                              jonem is a new contributor. Be nice, and check out our Code of Conduct.
















                              Thanks for contributing an answer to Information Security Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.





                              Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                              Please pay close attention to the following guidance:


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198951%2fwhy-would-an-attacker-ever-want-to-sit-on-a-zero-day-exploit%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Bundesstraße 106

                              Verónica Boquete

                              Ida-Boy-Ed-Garten