Abstract for: The lifecycle of zero-day vulnerabilities; knowledge driven escalation between attacker and defender
Ablon and Bogart (2017) published research on the lifecycle of zero-day vulnerabilities based on a 14-year dataset of 207 vulnerabilities. In our research we were able to replicate their results to a large extent using a knowledge-driven escalation model that focuses on the attacker-defender interaction. Our results indicate that the lifecycle of a zero-day is shorter, and that more time is needed to build an exploit kit, than the report suggests. When we run simulations over this longer time period, taking into account ongoing and growing software usage, a more concerning outcome emerges: the defender lags seriously behind the attacker. For instance, the share of zero-days unknown to the defender appears to be about 70% rather than the 44% reported. Considerably more defender effort is needed to limit this effect. Policy options are gathering threat intelligence, improving defenders' learning, limiting the attacker's ability to find zero-days, and limiting the attacker's ability to build exploit kits. Future research is needed to see how this knowledge-driven escalation model is affected by the defender's prevention and response strategies; by the actual severity and usage of zero-days by the attacker; and by both attacker and defender acting on the basis of sound business cases.