Flipping Malware: A Profit Opportunity for Corporate IT Departments

The one thing that corporate IT departments are not is a profit center. But the trend towards developing offensive exploits and selling them to government agencies could change that tomorrow if CEOs can be convinced to take the opportunity. Up to this point, CEOs and their Boards of Directors have been reluctant to spend too much money on cyber security because, frankly, it could easily become a serious money pit. A typical incident response bill for a breach can easily exceed the mid-six figures. Saudi Aramco and Sony probably paid a hefty multiple of that. Then there's the 5 figure monthly bills for threat intelligence feeds, plus the charges to protect against Denial of Service attacks, AV, IDS, IPS, etc. And the worst part of this money pit is that the company can only hope that their previously compromised network is clean. There's no way to tell for certain because it could still contain un-discovered malware.

The good news, or at least potential good news since no one is doing this yet, is that the undiscovered malware lurking on corporate networks potentially represent tens or hundreds of thousands of dollars in income for the corporation. And since it resides on the corporate network, it becomes the property of that corporation. All of a sudden, something that you've viewed only as a threat and an expense has become a valuable commodity thanks to the trend in selling offensive malware to government agencies.

The U.S. government is a customer for offensive exploits and so are a number of allied governments. In fact, if they aren't already doing this, defense contractors like Lockheed Martin, Raytheon, Northrup Grumman, and many others should already be mining their own networks for undiscovered malware, reverse-engineer what they find, and use it to fill orders by DoD since they've already got the contract vehicles in place.

Some of the more forward-looking DOD contractors who have robust internal Computer Emergency Response Teams (CERT) staffed with engineers who can do reverse-engineering could be in the best position to offer free or low-cost network defense to corporations who want to "flip" the malware found on their network for a nice profit. The best part is that everybody comes out a winner except for the malware writers who may have spent a lot of time and money developing 0-days for targeted attacks (i.e., the creators of Stuxnet, DuQu, Gauss, and Flame). In my scenario, they've merely provided a sellable commodity for free to the targets that they were hoping to exploit.

If you're a C-level executive and you'd like to discuss this idea privately with me, feel free.


  1. Sounds like something, as an outside IT contractor, you could bake into the service agreement, giving you rights to any unauthorized software found.

    I would however want to clear it with the lawyers first. Just because the crooks are unlikely to assert them, that doesn't mean the material isn't copyrighted, if they could prove their work had resold it might induce them to go legit and sue. Which leads into a gray area: the work may have been stolen and you wouldn't want to be put in the sticky situation of selling stolen goods. Here be dragons.

  2. Good point. My non-lawyer guess would be that a corporation could claim rights to any malware found on its network. If the malware owners wanted to sue, I'd say let them. What better proof would a corporation need as to who attacked them than a lawsuit filed by the attacker? :-)


Post a Comment