In 2011, our friend Josh Corman codified “HD Moore’s Law”:
Casual Attacker power grows at the rate of Metasploit
For those who don’t know, Metasploit, created by HD Moore, is a free penetration testing framework (it is now owned by Rapid7, who also sells a commercial version). Metasploit allows an attacker to rapidly combine an exploit with a payload and initiate attacks, dramatically reducing the complexity compared to hand-coding an attack yourself. Unlike other commercial tools such as Immunity Canvas and Core Impact, Metasploit has a large community, and when new vulnerabilities or exploits become public they are typically converted into Metasploit modules extremely quickly (sometimes within hours). Once a module is published, anyone using Metasploit can leverage that attack.
But Metasploit isn’t the only automated attack tool. Criminals have their own toolsets and markets, some of which advertise inclusion of 0-day vulnerabilities (for a price) and include better support than most of the security tools on the market. Being profitable, they fund their own research teams or acquire new exploits on the open market.
Some software vendors have started talking about this in public, as Microsoft outlined in their RSA talk on their response to Flame. Brad Arkin from Adobe has also talked about this and presented hard data on their patch times and public disclosures and exploits. In the article Microsoft didn’t call out Metasploit or the criminal attack tools, but the inference is clear.
- There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private.*
If it isn’t public, it has already been used in attacks or – thanks to changes in the exploit market – sold to someone who intends to use it in attacks. If it is public, it will be included in attack tools (good and bad) faster than most vendors can create and distribute a patch, or most users can deploy even if the patch is available. Some vulnerabilities are still reported privately to vendors, but we can no longer assume this is the norm, especially for some of the most serious vulnerabilities with high market value.
Cloud computing also affects this in both good and bad ways, but the core principle is the same. If a cloud service is a target they have nearly no time to patch, but when they do they can patch for all users at once (for public clouds).
To be clear, I don’t consider Metasploit or other penetration testing tools ‘bad’. They are extremely important for security professionals to understand and use, but that doesn’t mean they can’t be misused.