Do you need 0days? What about oxygen?

I always enjoy it when people say that you don't need 0days to gather cyber intelligence as a nation state, such as in today's SearchSecurity article about the BlackHat discussion on the VEP.

Technically, you don't need covert intelligence at all. Open Source information can be just as good in many cases. But then, there are also cases (and I'm struggling to avoid bombast here) where covert collection is desired. And from a military standpoint, there are many cases where hidden pre-placement on an enemy network is desired.

The answer to "Do you need 0days" is "Yes."

Intelligence and military work is quite different from penetration testing work. This should go without saying, but let's delve a bit into the "how" to see why exactly 0days are so useful.

First of all, in penetration testing you rarely sit on a target network for months or years collecting data like you do in intelligence. And you rarely need that data to be "untampered with". I.E. We don't want our signals intelligence collection to be double-agents feeding us false data. Implants in general have received a lot less attention in the public penetration testing sphere than in the intelligence sphere. FLAME is still generations ahead of what a typical penetration testing company would use. I say this, because our "Somewhat similar to FLAME" framework INNUENDO is in that market space, and the people who buy it are typically large banks looking to emulate nation state threats, not small and midsize penetration testing companies.

The thing is this: Using a non-0day exploit means IDS systems can silently catch you, and then burn and turn your implant network against you. This is a non-trivial risk. Human lives are OFTEN ON THE LINE and when they are not, billion dollar SIGINT programs are.

In intelligence, you need to overcome every network visibility and management tool the defender has, and the defender only has to detect you once. Also in many cases you simply cannot fail when doing intelligence operations in the cyber domain. In penetration testing you can get away with writing a report that says "You have no unpatched vulnerabilities on your system." This is, most of the time, what the customer really wants!

In intelligence work you have a much higher bar. Get in, get out, be undetected, for years at a time, and the consequences for failure are unimaginable. This is where 0days fit in, as part of a mature intelligence capability that takes into account the real risk structure of the world of mirrors.