The Economics of Cybercrime and the
“Law of Malware Probability”
Sam Curry
April, 2009
2
The Cybercrime Dilemma
We are dealing with intelligent opponents
The main way to describe media and market attention is ...
3
“from a national security perspective, other than a weapon of mass
destruction or a bomb in one of our major cities the ...
4
"Last year was the first year that proceeds from
cybercrime were greater than proceeds from
the sale of illegal drugs”
V...
5
Fear and Loathing in Davos
Comments from the Cybersecurity
panel at the Davos world
economic forum:
– Online theft costs...
6
There is an underground economy
Asset Going-rate
Pay-out for each unique adware
installation
30 cents in the United Stat...
7
Malware variants ARE increasing dramatically
1,738
177,615
2,753,587
0
500000
1000000
1500000
2000000
2500000
3000000
19...
8
Changing Threat Environment
Pre-incident, policy-driven security measures
• Implement: Vulnerability and Configuration p...
9
Port-o-potty use over time
Disgust Desperation
• You can measure human ‘port-o-
potty’ behavior
• Most reasonable people...
10
The Law of Malware Probability
Probability
Total
Reward
Probability
Total
Risk
Therefore
Probability ∝
Total Reward
Tot...
11
Target’s Attractiveness
PV ∝
AV
DV * RV
• Attractiveness is related to several factors
• Number of victims (unit-less)
...
12
Difficulty (raw cost) of a Vector
PV ∝
AV
DV * RV
• Attractiveness is related to several factors
• Scarcity of Skillset...
13
“Risk” to the Attacker
PV ∝
AV
DV * RV
• Attractiveness is related to several factors
• Penalty
i.e. Severe penalties d...
14
Example Values for Variables
Factor Value
V
($US)
Number
N
Interconnection
I (number of
nodes directly
reachable)
Diffi...
15
Example of a Comparison
Formula Factors V N I D E T L P ρ
Cyber CrimeTypes 
Wireless Malware 3 6 4 6 5 6 2 5 0.42
PC ...
16
Key Takeaways
This is a measurable, Human behavior
We need to stop thinking in two dangerous ways:
– The sky is not fal...
17
Thank you!
Sam Curry (scurry@rsa.com)
Upcoming SlideShare
Loading in …5
×

The Economics of Cybercrime and the Law of Malware Probability

1,139 views

Published on

Official presentation: RSA's Sam Curry and Amrit Williams explore the behavior of online criminals, and introduce a model for further behavioral study.

See more from Sam at http://blogs.rsa.com/author/curry

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,139
On SlideShare
0
From Embeds
0
Number of Embeds
96
Actions
Shares
0
Downloads
26
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

The Economics of Cybercrime and the Law of Malware Probability

  1. 1. The Economics of Cybercrime and the “Law of Malware Probability” Sam Curry April, 2009
  2. 2. 2 The Cybercrime Dilemma We are dealing with intelligent opponents The main way to describe media and market attention is FUD A “War on Cybercrime” doesn’t make sense A study of the behavior of online criminals does make sense The purpose of this presentation is to start that dialog and provide a model for the community to use As with fighting any intelligent opponent, the goal must be… – To analyze – To act – To achieve measurable reductions in fraud • Make it expensive to do in systematic ways • Coordinate better and improve defenses – To adapt – To repeat the above Victory is not found in destroying the opponent, it is found in reducing him (or her).
  3. 3. 3 “from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities the threat to our infrastructure, the threat to our intelligence, the threat to our computer network is the most critical threat we face.” Shawn Henry, Assistant Director of the FBI Cyber Division FUD
  4. 4. 4 "Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs” Valerie McNiven, who advises the US Treasury on cybercrime Cybercrime economy is massive! FUD
  5. 5. 5 Fear and Loathing in Davos Comments from the Cybersecurity panel at the Davos world economic forum: – Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said. – 2008 was the year when cyber warfare began. it showed that you can bring down a country within minutes,” one panelist said.
  6. 6. 6 There is an underground economy Asset Going-rate Pay-out for each unique adware installation 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere Malware package, basic version $1,000 – $2,000 Malware package with add-on services Varying prices starting at $20 Exploit kit rental – 1 hour $0.99 to $1 Exploit kit rental – 2.5 hours $1.60 to $2 Exploit kit rental – 5 hours $4, may vary Undetected copy of a certain information-stealing Trojan $80, may vary Distributed Denial of Service attack $100 per day 10,000 compromised PCs 1,000 $ Stolen bank account credentials Varying prices starting at $50 1 million freshly-harvested emails (unverified) $8 up, depending on quality Sample data from research on the underground digital economy in 2007
  7. 7. 7 Malware variants ARE increasing dramatically 1,738 177,615 2,753,587 0 500000 1000000 1500000 2000000 2500000 3000000 1988 1998 2008 * Source: Trend Micro Malware Research Center
  8. 8. 8 Changing Threat Environment Pre-incident, policy-driven security measures • Implement: Vulnerability and Configuration policies • Audit: against defined policies • Eliminate: administrative, user, system, application exposures Damage Attack Motivation Hobby-based malware Cyber vandalism Financially motivated cyber crime Service/resource Disruption Significant impact on business bottom line Minor Annoyance  Worms  Viruses  Botnets  Rootkits  DoS/DDoS  Spyware  Targeted malware  Hybrid Worms  Web-application attacks  Spam  Phishing  Financial Backdoor Trojans  Coordinated attacks Reactive, ad-hoc security measures • External Shielding • Rapid Patching • Signature Updates
  9. 9. 9 Port-o-potty use over time Disgust Desperation • You can measure human ‘port-o- potty’ behavior • Most reasonable people are disgusted by port-o-potty’s • However when desperate for relief their level of disgust predictably decreases • The speed at which disgust decreases and desperation increases is amplified by alcohol Alcohol Won’t use Can’t refuse Predictable cross-over point Predictable cross-over point
  10. 10. 10 The Law of Malware Probability Probability Total Reward Probability Total Risk Therefore Probability ∝ Total Reward Total Risk Or… PV ∝ AV DV * RV • When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply Game Theory • You can determine to some level of accuracy the relative probability of a set of attack types with respect to one another • You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment • You can use this outlook to examine the effects of world events and small changes in “State of the Art” or even the introduction of disruptive technologies
  11. 11. 11 Target’s Attractiveness PV ∝ AV DV * RV • Attractiveness is related to several factors • Number of victims (unit-less) i.e. more victims is more attractive • Value per victim i.e. more money per victim is more attractive • Rate of infection among victims (this can be measured with a cash analog or as a weighting factor such as “0.3” for a low rate or “1.0” for a high rate) i.e. Cash is King – getting to the victim means getting to the case faster • Maturity of cash out mechanism is an important factor – related to the criminal “networks” sophistication Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.) AV ∝ #V * VV * RV # of victims Attractiveness $ of victims Attractiveness Rate of infection Attractiveness
  12. 12. 12 Difficulty (raw cost) of a Vector PV ∝ AV DV * RV • Attractiveness is related to several factors • Scarcity of Skillset i.e. Finding and hiring specialists is expensive – that’s bad! • Time to execute matters – that costs i.e. Cash is King! Fast exploits to build mean $$$ • Cost to “host” or execute (e.g. hardware) i.e. A legacy infrastructure or exploiting others’s resources is good! • Over time cost always comes down! • Breakthrough technologies, improvements in infrastructure (especially in the developing world) regional or global advances in programming, increases in a populations skill sets make a big difference, bringing down cost… Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.) DV ∝ SV * TV * HV Skill Cost Difficulty Probability Time Cost Difficulty Probability Host Cost Difficulty Probability
  13. 13. 13 “Risk” to the Attacker PV ∝ AV DV * RV • Attractiveness is related to several factors • Penalty i.e. Severe penalties drive down the chance of any vector being used (compare physical robbery with online for instance) • Chance of being caught i.e. If penalties have a chance of being enforced, they are more effective • This is where careful collaboration and international efforts can bear fruit • Crime is fluid and will move to the “best reward for least risk” – meaning no measure will “solve” the attack problem…it will merely move it elsewhere Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.) RV ∝ PV * %CV Penalty Risk Probability Chance Of being Caught Risk Probability
  14. 14. 14 Example Values for Variables Factor Value V ($US) Number N Interconnection I (number of nodes directly reachable) Difficulty D (# of people who know how to do it) Expense E ($US) Time T (time to hack) Likelihood L (Chance of getting caught) Penalty P (fine and/or jail) 0 0 0 0 0 0 0 0% 0 1 1 1 1 10,000,000+ 1 1 hour 0.01% $1 2 10 10 10 1,000,000 10 1 day 0.1% $100 3 100 100 100 500,000 100 1 week 1% $1000 4 1000 1000 1000 250,000 1000 1 month 5% $10,000 5 10 * 104 10 * 104 10 * 104 100,000 10 * 104 3 months 10% $100,000 6 10 * 105 10 * 105 10 * 105 25,000 10 * 105 6 months 20% $10,000 + 1 year 7 10 * 106 10 * 106 10 * 106 2,500 10 * 106 1 year 35% $100,000 + 1 year 8 10 * 107 10 * 107 10 * 107 250 10 * 107 18 months 50% $1,000,000 9 10 * 108 10 * 108 10 * 108 25 10 * 108 2 years 75% More than 1 year 10 10 * 109 10 * 109 10 * 109 1 10 * 109 3 years 100% More than 1,000,000 and 1 year 0 1 2 3 4 5 6 7 8 9 10
  15. 15. 15 Example of a Comparison Formula Factors V N I D E T L P ρ Cyber CrimeTypes  Wireless Malware 3 6 4 6 5 6 2 5 0.42 PC Malware (Low) 5 7 5 3 4 4 2 5 1.59 Spam 1 7 1 1 3 3 1 5 0.20 Phishing 5 7 5 6 5 6 1 5 2.06 Mail Fraud 2 7 1 1 3 3 7 8 0.04
  16. 16. 16 Key Takeaways This is a measurable, Human behavior We need to stop thinking in two dangerous ways: – The sky is not falling (no FUD) – There is no panacea We need to think this way – Systematically and analytically – Understand the system and behaviors • Gains: going after returns • Losses: costs and risks This is a market like any other, and it can be studied like any other Next steps: – Advance the Law of Malware probability with data – Look to expand beyond Malware and even beyond “online” only – Study the “flow” of “investment” in different vectors by the criminals – Work together to responsibly drive the risk and cost of attack up across the board Victory here is not the end of malware, which won’t happen. Victory here to drive the cost to break uniformly higher and to therefore flatten and eventually reduce online crime
  17. 17. 17 Thank you! Sam Curry (scurry@rsa.com)

×