Why wait for security threats to emerge when it’s possible to proactively find IT weaknesses? That’s the idea behind proof-of-concept (PoC) exploits: Researchers find and report vulnerabilities rather than waiting for them to emerge in the wild.
According to SecurityWeek, the number of PoC exploits has increased dramatically over the last year, with many shared via the not-so-secure platform of social media. Friendly warning: The gap between experiment and actual exploit is rapidly closing.
Share and Share Alike
The new PoC data comes from research firm Recorded Future, which found 12,000 PoC exploit references shared on the Web since March of last year. That’s an almost 200 percent increase over the previous 12 months.
Twitter was the central vehicle for code sharing, with researchers posting links to code repositories, paste sites and even Deep Web forums. At first glance, this looks like a positive step for InfoSec since more researchers were finding flawed code before hackers got their hands on it.
But as noted by Dark Reading, the rate of exploit detection is quickly outstripping organizations’ ability to monitor or respond. According to Nicholas Espinoza, a senior solutions engineer at Recorded Future, development of exploit code is happening “at such an insane speed there is no one to manage it.”
Worst case? Within a week of detection, cybercriminals pick up the vulnerability on social channels and adapt it for the wild.
Broad Spectrum, Big Problems
There’s virtually no limit on PoC vectors. Those making the rounds on social media included vulnerabilities for Android, DNS, SSH, FTP and OpenSSL, in addition to Web browsers and smartphones. The most popular PoC this year was CVE-2015-7547, which covered a remote code execution in the glibc library.
Other big-ticket PoC exploits were Windows Server vulnerabilities such as CVE-2015-1635 and CVE-2016-0051, a VM escape flaw called VENOM and Android’s Stagefright. Platform, OS and device type don’t matter; if the exploit is made available, people will take notice, and there’s no guarantee they have good intentions.
The Problem With PoC Exploits
Ultimately, that’s the heart of the problem: Once downstream on social media, there’s no way to control PoCs’ final destination. All it takes is one person copying the PasteBin link to another tweet or Facebook post for the code to go further than intended.
Researchers have good intentions when developing proofs of concept; malicious actors do not. It all comes out in the wash, however, on social media. No matter the aim, social posting is akin to releasing this code into the wild — claws and all — and leaving companies to clean up the mess.
With companies already swimming in a sea of potentially dangerous PoC exploits, it’s hard to sort out which are the most pressing and which can safely be ignored — right up until they’re attacked. While organizations can’t stop cybercriminals from sharing exploit data, the good guys can make a better choice: Leverage what cybercriminals post publicly to engineer an effective defense, but keep proofs of concept off social networks until fixes are found and finalized.