Rethinking the ROI of 0-Day Attacks for Hackers

Rethinking the ROI of 0-Day Attacks for Hackers

Rami Sass, CEO of WhiteSource

Based on a simple ROI perspective, companies need to worry less about 0-Day attacks and more about covering the basics like vulnerabilities the open source components in their applications.

Cyber crime is big business. The need to implement strong security for organizations has fast moved from a line item on the budget to a top priority, due in no small part to the number of high profile hacking cases that have hit corporates over the past few years.

A joint study from the Ponemon Institute and Accenture reported that the average cost of a malware attack in 2017 reached a price tag of $2.4 million. With a 27.4% net increase in the number of annual security breaches, we can assume that hackers will continue to impact our businesses, bottom line. This has led to an average of $11.7 million rise in spending.

The question is though, are these resources being properly allocated to best address the highest priority threats?

While the impact on our business and how to protect ourselves is clearly the first priority, it would be helpful to think about how hackers think about their own costs of doing business.

Hackers are themselves business people, looking for the best ROI for their efforts. They are looking for the exploits that will allow them to get into the maximum number of targets with the least amount of work on their part.

Looking at the cybersecurity market, one could be forgiven for believing that their greatest threat comes from 0-days that turn your perimeter to dust. What drives the hype for these kinds of hacks is the fear of the unknown that cannot be defended against.

How are Hackers Thinking About Their ROI?

However these kinds of attacks can be very expensive and time consuming to carry out, with the juice often hard to justify the squeeze. Hackers prefer to use known vulnerabilities, using others’ work for their own gain.

One of their favorite targets is the reusable open source components which comprise between 60-80% of the code base in modern applications.

When vulnerabilities are discovered in an open source component, it is generally reported to a security advisory or database where the information on the ‘’what’’ and the ‘’how’’ to carry out the attack is available to all including hackers.

Popular open source projects can be used by millions of developers for a multitude of products. If one of these projects contains a known vulnerability, then it can be used to target thousands of potential victims, with hackers pinging applications with the exploit until they find one that has been too slow to patch.

Hackers know that most organizations simply aren’t managing their open source security, and that using known vulnerabilities will in most cases give them easy wins.

So instead of pouring over proprietary code for months in search of a 0-day for a singular target that could be eliminated tomorrow, they receive free intelligence for attacks that can likely be used over, and over again. Sounds like pretty good ROI to me.

Threat Modeling Risks to Your Data

Make your data harder for hackers to get their hands on by removing the easy ways into your applications.

Implement fully automated technologies like Software Composition Analysis which give you visibility into which open source components you are using in your products, enforce strong policies across your organization by shifting left security, and generate alerts when new vulnerabilities are discovered that have a real impact on your products.

Even as the threat of 0-days will always be out there, proper threat mitigation requires security professionals to think about where their widest threat surfaces are, and how they can use technology to reduce their risk, making hacking a significantly more expensive endeavor for the red team.


Come and meet WhiteSource at stand K40 at Infosecurity Europe, June 5-7th, Olympia, London.

Leave a Comment

Your email address will not be published. Required fields are marked *