Connect with us

Hi, what are you looking for?


Incident Response

Time to Detect Compromise Improves, While Detection to Containment Worsens: Report

Cost of Malvertising is Minimal; Price of Zero-days is Rising, Researchers Say

Cost of Malvertising is Minimal; Price of Zero-days is Rising, Researchers Say

Throughout 2016, Trustwave investigated hundreds of data breaches in 21 different countries, and conducted thousands of penetration tests across databases, networks and applications. An analysis of key findings from this activity is presented in the 2017 Trustwave Global Security Report published Tuesday (PDF).

The result is a mixed bag. Overall, security defenses have slightly improved, but attacks continue to evolve. Detection is improving. Trustwave says the median time to detect a compromise has decreased from 80.5 days in 2015 to 49 days in 2016. The difference between self-detected and third-party detections is, however, dramatic: just 16 days for self-detected and 65 days for externally detected.

It should surprise no-one that a company that has invested in security technology able to detect intrusions would detect intrusions faster than a company that relies on external detections. Nevertheless, this demonstrates the effectiveness of those controls in reducing the dwell time and reducing the attackers’ window for exfiltration.

Containment, however, has not improved to any similar degree. The duration from intrusion to containment has dropped from 63 days in 2015 to 62 days in 2016; but the time taken from detection to containment has worsened slightly from 2 days to 2.5 days.

According to Trustwave’s figures, North America geographically, and retail vertically, are the most breached sectors. POS breaches rose sharply — particularly in North America, which has been slow to adopt EMV cards — from 22% of breaches in 2015 to 31% in 2016.

Malvertising remained the number one source of traffic to exploit kit landing pages; and the cost of malvertising is remarkably low. Trustwave ran its own experiment running online ads testing for vulnerable versions of Flash. “Researchers,” notes the report, “estimate an attacker could reach approximately 1,000 computers with exploitable vulnerabilities for about $5 — less than $.01 per vulnerable machine — far less than the $80 to $400 per 1,000 computers attackers pay for access to infected machines, depending on geolocation.”

SecurityWeek asked Lawrence Munro, worldwide VP of SpiderLabs at Trustwave, for his two biggest takeaways from this year’s report. What concerns him most is the continuing instance of common vulnerabilities in the majority of applications. “These are not esoteric vulnerabilities,” he said, “but ones that map closely to the OWASP Top 10.” During 2016, Trustwave’s application scanning services found that 99.7% of applications had at least one vulnerability, while the mean number of vulnerabilities was 11 per application. 

Advertisement. Scroll to continue reading.

“Trustwave’s on-demand penetration testing service, uncovered almost 30,000 vulnerabilities in web applications in 2016. Analysts classified 79 percent of them as informational or low-risk vulnerabilities, 11 percent as medium-risk, 7 percent as high-risk and 3 percent as critical, the most severe category.”

Among the critical vulnerabilities, 13.8% involved authentication bypass. 5.7% involved Heartbleed leakage, 5.1% involved vertical privilege escalation, 4.8% was unencrypted sensitive data and 4.2% were SQLi vulnerabilities.

It is worth stressing that Trustwave’s vulnerability scanning was undertaken for customers on commercial applications — and the clear implication is that developers are still not building in security during development before release.

Munro’s second takeaway is the cost of vulnerabilities for sale on the underground market. Trustwave’s researchers discovered an alleged zero-day Windows vulnerability being offered for sale at $95,000. Although not following through with an actual purchase, Trustwave researchers on the underground forums believe this was a genuine zero-day being genuinely sold.

“The offer first appeared on a website,” explains the report, “that serves as an underground marketplace for Russian-speaking cybercriminals to buy and sell coding services, access to exploit kits and botnet resources, and other illegitimate products and services. A user going by the name ‘BuggiCorp’ posted a message on May 11 offering to sell a local privilege escalation (LPE) exploit for the Windows kernel for $95,000.”

In part, the sale offer reads (translated): “[the vulnerability] exists in all OS [versions], starting from Windows 2000. [The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10.”

Trustwave concludes that this was a genuine zero-day being offered for sale, partly because the seller insisted on using the forum’s administrator as an escrow party. “The escrow requirement,” notes the report, “suggests the offer was real: If BuggiCorp could not deliver the exploit as promised, it would not get paid.”

What most intrigued Munro, however, was not the sale of zero-days on the dark web; but the price being demanded. “If zero-days can trade at these figures on the dark web,” he asked, “what does that say about the effectiveness of current bug bounty schemes, which rarely pay out anything like this amount?”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...


Cloud company Rackspace has completed its investigation into the recent ransomware attack and found that the hackers did access some customer resources.