There’s no way to oversell the importance of data and intelligence sharing to those defenders tasked with understanding threats and vulnerabilities to mitigate IT risks. But that is often easier said than done, hampered by non-disclosure agreements, secrecy, money and wily attackers who seem to stay a step ahead.
But the Desired Effect Marketplace, emerging from stealth just in time for this week’s RSA show in San Francisco, may finally offer defenders an opportunity that sidesteps many of the challenges they typically face and gives defenders, researchers and vendors a platform for sharing real-time information on zero-day vulnerabilities. Desired Effect is designed as an ethical platform that allows researchers to sell exploits to buyers who, its founders say, are vetted. The resulting intellectual property is then available for purchase. Or, for the more budget-constrained, the marketplace offers a crowdsourced option.
Desired Effect is the brainchild of former NSA security pro Evan Dornbush, who over the years has surveyed the vast landscape of shows like RSA and realized that researchers were “nowhere to be found. They were left out.” I’d like to hear from you all if that assessment matches your own. Or perhaps researchers are overshadowed by more corporate interests, which is, I believe, what Dornbush is saying when he notes that “In an ecosystem where seemingly everyone is making copious amounts of money, vulnerability researchers are disproportionately underrepresented, not able to participate in the market commensurate with the impact they bring.”
He points out that the “entire industry — every single penny in the $3T marketplace — exists because of the vulnerability research community,” the unsung heroes. “All of it. Built on the backs of that one kid who decides not to believe the hype,” he wrote. “The small team that says ‘we’re going to take this apart and see how it works,’ doing research for the love of curiosity.”
With Desired Effect, they get their due, or at least that’s the plan. Independent researchers have a place to showcase their discoveries and be compensated for them. The folks at Desired Effect are giving researchers the leeway to set their own terms to share their contributions—they set price, IP assignment, buyer demographics and whether they want to be publicly recognized for their findings.
That last bit is more important than you might think. Researchers are often hamstrung by NDAs from sharing their discoveries publicly. This keeps necessary information out of the hands of those who need it most to get a jump on bad actors. And, if researchers choose to share on underground forums as is often the case, it can deliver that valuable information to those most likely to use it for malicious intent—the bad actors themselves.
A World of Cutting-Edge Research
Desired Effect, if it operates as billed, opens up a world of cutting-edge research to defenders, including zero-day vulnerability data and tailored exploit products. That access comes through an early warning cyber threat intelligence feed.
The marketplace’s creators are also banking on defenders sharing product vulnerabilities with vendors so that they can be addressed more quickly. Vendors can subscribe to Desired Effect as well.
This ethical platform couldn’t come soon enough, considering the findings of the recently published Verizon DBIR, which finds that adversarial use of software exploits is up 35% from last year. “Attackers continually hit organizations that don’t even know where their weaknesses are,” Dornbush stressed to me. “Desired Effect provides defenders, for the first time, with the ability to engage the vulnerability research community and have the earliest possible awareness of their existing risk.”
While Desired Effect did not share the names of the beta customers that put the platform through its paces, which included at least one big four accounting firm, a cryptocurrency exchange and a $200 billion-plus bank holding company, it did offer feedback from one user: “The pain of threat intel is that it’s damn near impossible to make operational. When you get something from Desired Effect, you know it’s actionable, not academic.”
And one investor cited in the marketplace’s unveiling praised Desired Effect for letting “organizations understand pre-emergent threats—reframing these cybersecurity categories.”
If all goes to plan, it seems the only group that doesn’t benefit is attackers. And that’s the way it should be.