In addition to researching exclusive zero-day vulnerabilities, Exodus Intelligence also offers a feed composed of threats that have been publicly disclosed by outside organizations or by the vendors themselves. These vulnerabilities are investigated, documented, and exploited for distribution to customers. Subscribers to this offering gain access to an arsenal of vetted, reliable exploits and corresponding documentation, enabling them to verify that their defensive measures have been implemented properly.
A given package delivered through any of the aforementioned subscriptions consists of an XML file with metadata for integration into third-party SIEM products, a detailed report on the vulnerability, network packet captures of malicious and benign traffic, and working exploit code in the form of a Metasploit module.
The written report itself is typically 15 to 30 pages in PDF form covering all aspects of the vulnerability, including:
- Affected products, versions, supported architectures, and hashes of binary files
- Target market share, common usage, and typical deployment configurations
- Technical information on the vulnerable components and enumeration of attack vectors
- Disassembly and/or source code walkthroughs showing the flaw in the code
- Detailed information on attack vectors and corresponding malicious network traffic
- Guidance on how to detect an attack in progress as well as artifacts left behind in the case of a successful compromise
- An explanation of the complete exploitation process, including bypassing mitigations
- Insight into the requirements, reliability, difficulty, and likelihood of an attacker successfully exploiting the issue
- Guidance on reducing or eliminating susceptibility to the flaw in place of an official patch from the affected vendor
The included network packet captures in PCAP form demonstrate both malicious attempts to exploit the issue and benign traffic intended to ensure a customer’s defenses do not produce false positives.
Finally, each Exodus Intelligence vulnerability report is accompanied by exploit code that demonstrates the impact of the vulnerability. These are working exploits, not simply proof-of-concept code. Typically, the exploit code is distributed in the form of a Metasploit module to allow for easy integration and testing.