Many corporations rely on extensive penetration testing to assess the security of their computer networks. In a penetration test, a red team is hired to expose major flaws in the firm's security infrastructure. Recently, however, the market for exploit kits has continued to evolve, and what was once a rather hard-to-penetrate and exclusive market—whose buyers were primarily western governments—has now become accessible to a much wider population. Specifically, the darknet and other overlay-network portions of the Internet reachable through anonymization protocols (such as Tor and i2p) have become populated with a variety of markets specializing in such products. In particular, 2015 saw the introduction of darknet markets specializing in zero-day exploit kits—exploits designed to leverage previously undiscovered vulnerabilities. These exploit kits are difficult and time-consuming to develop, and they are often sold at premium prices. A survey of 8 marketplaces shows the price ranges of exploit kits for common software in Table 1; these prices range from 0.0126 to 8.4 Bitcoin (2.88 to 1919.06 U.S. dollars at the time of this writing).
The widespread availability of zero-day exploits in the darknet represents a potential game changer for penetration testers, specifically posing the following questions:

(1) What exploits will an attacker likely purchase if he targets my organization?

(2) What software used in the organization poses the biggest risk from new threats?
Unfortunately, the high cost of many of the exploits available through the darknet may preclude a penetration tester from obtaining such exploits at a reasonable price, and thus from performing effective penetration testing that accurately assesses the security of the computer network under test. While criminal activity on the darknet has been extensively studied over the past decade for issues such as the drug trade and terrorism, the markets for exploits existing on the darknet are much less well understood.
TABLE 1: Example of Products offered on Darknet Markets

Product                                                      Price in BTC   Price in $*
GovRAT (Source Code + 1 Code Signing Certificate Included)   2.000          $456.92
0 day Wordpress MU Remote Shell                              1.500          $342.69
A5/1 Encryption Rainbow Tables                               1.500          $342.69
Unlimited Code Signing Certificate                           1.200          $274.16
Ready-made Linux botnet 600 SERVERS                          1.200          $274.16
FUD version of Adobe Flash <=16.0.0.287 (CVE 2015-0311)      1414.68        $600.00

*Price in U.S. Dollars as of Sep. 1, 2015 [1 BTC = $228.46]
There has been related work on malicious hacker forums that did not focus on the purchase and sale of specific items. Markets for malicious products relevant to cyber security have been studied previously, but none of these works gathered data on specific exploits (or other products) from either the darkweb or the open Internet, nor did they examine the markets through the lens of security games.
In recent years, "security games," in which attacker-defender models are used to inform the actions of defenders in military, law-enforcement, and homeland security applications, have gained much traction. With regard to cyber security, there have been many contributions, including intrusion detection, attack-graph-based games, and honeypot placement. However, there does not appear to be a game-theoretic approach to host-based defense in which the activities of the attacker are informed by an "unconventional" source (information not directly related to the defender's system), specifically information from darknet markets in this case. Further, the very recent emergence of darknet markets specializing in zero-day exploits allows for the integration of information that was previously unavailable.
Corresponding reference characters indicate corresponding elements among the view of the drawings. The headings used in the figures do not limit the scope of the claims.