Tripwire’s Vulnerability Exposure Research Team (VERT): What you need to know
Each month, at the State of Security, we publish a range of content provided by VERT: a round-up of all the latest cybersecurity news, our Patch Priority Index that helps guide administrators on what they should be patching, a book review, general musings from the team, or, most notably, our Patch Tuesday round-up. VERT helps organizations stay abreast of the cybersecurity environment.
VERT has a long history and continues to provide actionable information that helps keep organizations safe. Since you may not be familiar with the VERT mission, we recently spoke with Tyler Reguly about VERT’s origins and its accomplishments.
What is VERT, and how did it all start?
Tyler Reguly: VERT is an acronym for the Vulnerability Exposure Research Team. It comes out of the old nCircle days. The Canadian portion of VERT started in about 2003, and there were some people working in our San Francisco office at that time. When I joined in 2006 the entire team was located in Toronto. Eventually, we staffed a US office in Alpharetta, and, eventually, we became a fully remote contributor setup. Throughout the years, we’ve had people spread out all over the globe.
What are some of your standout achievements over the years?
TR: Many of our accomplishments happen outside of public view. For example, we’ve contributed to things like the CVSS and various OWASP standards. We’ve also had numerous vulnerability discoveries from members of the team. Craig Young was involved in discovering “Zombie Poodle” and several other notable vulnerabilities. VERT also has credits for revealing vulnerabilities from NVIDIA, Microsoft, and Apple. It is really nice to see the team’s name as part of the cyber defense community.
We also contribute through speaking and training opportunities. Collectively, our members have spoken in Japan, Singapore, Australia, Portugal, the UK, Canada, and the US. We’ve provided training at a number of conferences, taught one- and two-day classes, and had the opportunity to work with various industry groups and provide training to them. As a team, our mission has been one of continued excellence. VERT has been really fortunate to just have an absolutely amazing team of just absolutely brilliant people.
Can you give us a high-level overview of how some of the research comes together during the discovery of a vulnerability?
TR: Every exploration is a little bit different. Sometimes we’re specifically researching something and hoping to find a vulnerability in it. Craig Young was doing a lot of TLS research, which led to his discovery of the TLS Zombie Poodle vulnerability. Other discoveries have been purely accidental, which is fairly common in the cybersecurity community. We accidentally found the NVIDIA vulnerability while writing new detection code for fingerprinting remote desktop systems. The code that we wrote to identify some remote desktop systems was crashing other systems. We did a bit of testing and fine-tuned the code, which eventually revealed a vulnerability within the NVIDIA drivers. They were very responsive, and they patched the problem.
We found a vulnerability that resulted in a Microsoft patch as well. That one came out of writing some fuzzing code in Python to perform some fingerprinting. Research is a mix of accidental discoveries and very focused, very specific work, where we set aside some time to explore something that interests us. Then, it’s really about reaching out to the appropriate contacts, such as the security contact at the company, or an industry body, like a certifying organization, depending on the scope, severity, and impact of the vulnerability.
Sometimes finding who to contact can be the hardest part, harder than finding a vulnerability. Then, even when you find the appropriate contact, getting them to respond or acknowledge the discovery can be just as difficult. It’s been getting better over the years, but it’s one of those things where you just have to keep trying to contact people until you find the right person, and then coordinate responsible disclosure. We need to discuss what their timeline looks like to fix the problem. What does their announcement look like? Will the announcement be released in tandem with their fix, or afterwards? At that point, the vendor goes off and does their thing, and we have to go and do our own assessment of our announcement. This involves internal coordination, which includes assistance from our marketing partner to help us figure out what we are going to release, what we are going to say, and whether we need a legal team to review it. These are some of the internal processes that finalize that research.
There was a notice that came out recently in Germany about a new law that’s in favor of security researchers, to help protect them if they find vulnerabilities. What are some of those big challenges that security researchers across the world are facing right now?
TR: It’s completely variable to some extent. First off, you have legal issues, and there’s definitely still a lack of clarity regarding responsible disclosure, but it has gotten better over the years. I can remember the first time I found an issue; it was just a small issue on a local website, and I wanted to report it. People warned me to either not report it or to report it anonymously, whereas now people report things all the time and get paid for them. We’ve seen a huge shift in the way that researchers are treated and understood over the years.
There’s so much going on, and technology’s changing so rapidly, and it’s such a broad field that I think some of the biggest challenges are sometimes technical: where do you focus? We talk about cybersecurity, and we talk about what exists, and you hear some terms over and over again. For example, ransomware, command and control, botnet, and whatever else it might be. But the reality is that there are so many different moving pieces of technology involved. The key is finding where you fit. It’s an interesting field, but it has such breadth and depth to it that you have to be careful you don’t drown trying to learn everything.
What advice would you share with people who want to join the cybersecurity industry, whether they are just teenagers or are already in another profession and want to change?
TR: I was thinking about this the other day. I used to teach, and I thought of a simple way for a person to evaluate their mental tolerance for working as a researcher in cybersecurity. Sit down, and try to solve a really hard puzzle. Whether it is a thousand-piece jigsaw, or any other type of puzzle, if you get easily frustrated, then the research part of cybersecurity might have limited offerings for you. So much of what we do is trying to solve puzzles.
However, that’s only one aspect of the profession. You could find yourself doing one of a million different things. You could perform non-technical aspects that are related to cybersecurity, such as evaluating compliance, creating policy, or you might be an excellent writer for many of the cybersecurity offerings out there. It’s not all technical, and there are many folks who work behind the scenes to make it all come together.
Can you tell us more about what happens in the day-to-day life of the people in VERT?
TR: We assist customers by providing all of the content that powers the Tripwire product line. For instance, the information that is reported to a customer through our vulnerability scanner is all a result of the content that we’ve written, and techniques and methods that we’ve developed. On the enterprise side, if you’re working with file integrity monitoring, or security configuration management, we are also involved in how those systems evaluate the environment. We also contribute to the general community by writing blog posts, speaking at conferences, offering trainings through various groups to help educate and inform people, and working with our customers.
Our conversation with Tyler shed some light on what goes on within the busy VERT team. The dedication and commitment of the VERT team members, as well as their contributions to the industry, make them stand out within the cybersecurity community.
We at Fortra appreciate the work of everyone on our staff, whether they are on the front lines of research or working in the background, all with the same goal of making a positive impact on the cybersecurity industry.