More on: The Economics of Cybercrime and the Law of Malware Probability


RSA's Sam Curry and Amrit Williams explore the behavior of online criminals, and introduce a model for further behavioral study.


See more from Sam at http://blogs.rsa.com/author/curry

    Presentation Transcript

    • The Economics of Cybercrime and the Law of Malware Probability Sam Curry Amrit Williams
    • The Cybercrime Dilemma
      • We are dealing with intelligent opponents
      • The main way to describe media and market attention is FUD
      • A “War on Cybercrime” doesn’t make sense
      • A study of the behavior of online criminals does make sense
      • The purpose of this presentation is to start that dialog and provide a model for the community to use
      • As with fighting any intelligent opponent, the goal must be…
        – To analyze
        – To act
        – To achieve measurable reductions in fraud
          • Make it expensive to do in systematic ways
          • Coordinate better and improve defenses
        – To adapt
        – To repeat the above
      • Victory is not found in destroying the opponent, it is found in reducing him (or her).
    • FUD “from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities the threat to our infrastructure, the threat to our intelligence, the threat to our computer network is the most critical threat we face.” Shawn Henry, Assistant Director of the FBI Cyber Division
    • Cybercrime economy is massive! FUD "Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs” Valerie McNiven, who advises the US Treasury on cybercrime
    • Fear and Loathing in Davos
      Comments from the Cybersecurity panel at the Davos world economic forum:
        – Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.
        – “2008 was the year when cyber warfare began. It showed that you can bring down a country within minutes,” one panelist said.
    • There is an underground economy

      | Asset | Going-rate |
      |---|---|
      | Pay-out for each unique adware installation | 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere |
      | Malware package, basic version | $1,000 – $2,000 |
      | Malware package with add-on services | Varying prices starting at $20 |
      | Exploit kit rental – 1 hour | $0.99 to $1 |
      | Exploit kit rental – 2.5 hours | $1.60 to $2 |
      | Exploit kit rental – 5 hours | $4, may vary |
      | Undetected copy of a certain information-stealing Trojan | $80, may vary |
      | Distributed Denial of Service attack | $100 per day |
      | 10,000 compromised PCs | $1,000 |
      | Stolen bank account credentials | Varying prices starting at $50 |
      | 1 million freshly-harvested emails (unverified) | $8 up, depending on quality |

      Sample data from research on the underground digital economy in 2007
    • Malware variants are increasing dramatically
      • 1988: 1738 unique malware samples
      • 1998: 177615 unique malware samples
      • 2008: 2753587 unique malware samples*
    • Typical Web Threat Mid-2008
    • Dissecting the Attack
    • How Does it Work?
      Here is what happens when users visit the compromised Web site:
      • User visits legitimate Honda site
      • Because of the malicious script, the browser loads the getanewmazda site
      • The getanewmazda site contains a script to look for and exploit vulnerabilities on the system to download CRYPT.EXE
      • Downloaded file accesses viruspolice.com
      • If no vulnerabilities are found, browser is redirected to google.com
      [Diagram regions: VISIBLE TO THE USER / NOT VISIBLE TO THE USER]
    • Changing Threat Environment
      • Damage (axis): Significant impact on business bottom line; Financial; Service/resource Disruption; Minor Annoyance
      • Attack Motivation (axis): Hobby-based malware; Cyber vandalism; Financially motivated cyber crime
      • Threats plotted: Targeted malware; Hybrid Worms; Coordinated attacks; Web-application attacks; Rootkits; Backdoor Trojans; Botnets; DoS/DDoS; Worms; Spyware; Spam; Viruses; Phishing
      • Reactive, ad-hoc security measures
        • External Shielding
        • Rapid Patching
        • Signature Updates
      • Pre-incident, policy-driven security measures
        • Implement: Vulnerability and Configuration policies
        • Audit: against defined policies
        • Eliminate: administrative, user, system, application exposures
    • The Law of Malware Probability
      • When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply Game Theory
      • You can determine to some level of accuracy the relative probability of a set of attack types with respect to one another
      • You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment
      • You can use this outlook to examine the effects of world events and small changes in “State of the Art” or even the introduction of disruptive technologies
      [Diagram: Reward and Total Probability; Risk and Total Probability]
      Therefore: Total Probability ∝ Total Reward / Total Risk
      Or… PV ∝ AV / (DV * RV)
    • Target’s Attractiveness
      PV ∝ AV / (DV * RV)
      • Attractiveness is related to several factors
      • Number of victims (unit-less)
        i.e. more victims is more attractive
      • Value per victim
        i.e. more money per victim is more attractive
      • Rate of infection among victims (this can be measured with a cash analog or as a weighting factor such as “0.3” for a low rate or “1.0” for a high rate)
        i.e. Cash is King – getting to the victim means getting to the cash faster
      • Maturity of cash out mechanism is an important factor – related to the criminal “networks” sophistication
      [Diagram: # of victims and Attractiveness; $ of victims and Attractiveness; Rate of infection and Attractiveness]
      AV ∝ #V * VV * RV
      Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.)
    • Difficulty (raw cost) of a Vector
      PV ∝ AV / (DV * RV)
      • Attractiveness is related to several factors
      • Scarcity of Skillset
        i.e. Finding and hiring specialists is expensive – that’s bad!
      • Time to execute matters – that costs
        i.e. Cash is King! Fast exploits to build mean $$$
      • Cost to “host” or execute (e.g. hardware)
        i.e. A legacy infrastructure or exploiting others’ resources is good!
      • Over time cost always comes down!
      • Breakthrough technologies, improvements in infrastructure (especially in the developing world), regional or global advances in programming, increases in a population’s skill sets make a big difference, bringing down cost…
      [Diagram: Skill Cost, Difficulty, Probability; Time Cost, Difficulty, Probability; Host Cost, Difficulty, Probability]
      DV ∝ SV * TV * HV
      Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.)
    • “Risk” to the Attacker
      PV ∝ AV / (DV * RV)
      • Attractiveness is related to several factors
      • Penalty
        i.e. Severe penalties drive down the chance of any vector being used (compare physical robbery with online for instance)
      • Chance of being caught
        i.e. If penalties have a chance of being enforced, they are more effective
      • This is where careful collaboration and international efforts can bear fruit
      • Crime is fluid and will move to the “best reward for least risk” – meaning no measure will “solve” the attack problem…it will merely move it elsewhere
      [Diagram: Penalty, Risk, Probability; Chance Of being Caught, Risk, Probability]
      RV ∝ PV * %CV
      Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.)
    • Example Values for Variables

      | Factor | Value V | Number N | Interconnection I (number of nodes directly reachable) | Difficulty D (# of people who know how to hack) | Expense E ($US) | Time T (time to do it) | Likelihood L (Chance of getting caught) | Penalty P (fine ($US) and/or jail) |
      |---|---|---|---|---|---|---|---|---|
      | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0% | 0 |
      | 1 | 1 | 1 | 1 | 10,000,000+ | 1 | 1 hour | 0.01% | $1 |
      | 2 | 10 | 10 | 10 | 1,000,000 | 10 | 1 day | 0.1% | $100 |
      | 3 | 100 | 100 | 100 | 500,000 | 100 | 1 week | 1% | $1000 |
      | 4 | 1000 | 1000 | 1000 | 250,000 | 1000 | 1 month | 5% | $10,000 |
      | 5 | 10 * 10^4 | 10 * 10^4 | 10 * 10^4 | 100,000 | 10 * 10^4 | 3 months | 10% | $100,000 |
      | 6 | 10 * 10^5 | 10 * 10^5 | 10 * 10^5 | 25,000 | 10 * 10^5 | 6 months | 20% | $10,000 + 1 year |
      | 7 | 10 * 10^6 | 10 * 10^6 | 10 * 10^6 | 2,500 | 10 * 10^6 | 1 year | 35% | $100,000 + 1 year |
      | 8 | 10 * 10^7 | 10 * 10^7 | 10 * 10^7 | 250 | 10 * 10^7 | 18 months | 50% | $1,000,000 |
      | 9 | 10 * 10^8 | 10 * 10^8 | 10 * 10^8 | 25 | 10 * 10^8 | 2 years | 75% | More than 1 year |
      | 10 | 10 * 10^9 | 10 * 10^9 | 10 * 10^9 | 1 | 10 * 10^9 | 3 years | 100% | More than 1,000,000 and 1 year |
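    • Example of a Comparison Formula

      | Cyber Crime Types | V | N | I | D | E | T | L | P | ρ |
      |---|---|---|---|---|---|---|---|---|---|
      | Wireless Malware | 3 | 6 | 4 | 6 | 5 | 6 | 2 | 5 | 0.42 |
      | PC Malware (Low) | 5 | 7 | 5 | 3 | 4 | 4 | 2 | 5 | 1.59 |
      | Spam | 1 | 7 | 1 | 1 | 3 | 3 | 1 | 5 | 0.20 |
      | Phishing | 5 | 7 | 5 | 6 | 5 | 6 | 1 | 5 | 2.06 |
      | Mail Fraud | 2 | 7 | 1 | 1 | 3 | 3 | 7 | 8 | 0.04 |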
    • Key Takeaways
      • This is a measurable, Human behavior
      • We need to stop thinking in two dangerous ways:
        – The sky is not falling (no FUD)
        – There is no panacea
      • We need to think this way
        – Systematically and analytically
        – Understand the system and behaviors
          • Gains: going after returns
          • Losses: costs and risks
      • This is a market like any other, and it can be studied like any other
      • Next steps:
        – Advance the Law of Malware probability with data
        – Look to expand beyond Malware and even beyond “online” only
        – Study the “flow” of “investment” in different vectors by the criminals
        – Work together to responsibly drive the risk and cost of attack up across the board
      • Victory here is not the end of malware, which won’t happen.
      • Victory here is to drive the cost to break uniformly higher and to therefore flatten and eventually reduce online crime
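
The slides' proportionalities (PV ∝ AV / (DV * RV), AV ∝ #V * VV * RV, DV ∝ SV * TV * HV, RV ∝ PV * %CV) can be exercised as a small what-if model for defenders. This is an added example, not code from the presentation: the field names, the `enforce` helper and every numeric value are constructed assumptions, and it does not reproduce the ρ column above, whose derivation the slides do not give.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Vector:
    name: str
    victims: float         # #V, number of victims
    value: float           # value per victim, $
    infection_rate: float  # weighting: 0.3 (low rate) to 1.0 (high rate)
    skill: float           # SV, cost of scarce skills, $
    time: float            # TV, cost of time to execute, $
    host: float            # HV, cost to host or execute, $
    penalty: float         # penalty if caught, $
    p_caught: float        # %CV, chance of being caught, 0..1

def score(v):
    attractiveness = v.victims * v.value * v.infection_rate  # AV
    difficulty = v.skill * v.time * v.host                   # DV
    risk = v.penalty * v.p_caught                            # RV
    return attractiveness / (difficulty * risk)              # PV, up to a constant

def shares(vectors):
    """Normalise scores so vectors are compared with respect to one another."""
    total = sum(score(v) for v in vectors)
    return {v.name: score(v) / total for v in vectors}

def ranking(vectors):
    return [v.name for v in sorted(vectors, key=score, reverse=True)]

def enforce(vectors, factor, only=None):
    """Multiply the chance of being caught, for one named vector or for all."""
    return [replace(v, p_caught=min(1.0, v.p_caught * factor))
            if only in (None, v.name) else v for v in vectors]

# Constructed sample values, not data from the presentation.
BASELINE = [
    Vector("phishing",   10_000,  50, 0.3,  2,  5, 1,  10_000, 0.01),
    Vector("pc_malware",  5_000, 100, 1.0, 10, 10, 2,  10_000, 0.01),
    Vector("mail_fraud",  1_000, 200, 0.3,  1,  4, 3, 100_000, 0.05),
]

if __name__ == "__main__":
    for label, vs in [("baseline", BASELINE),
                      ("phishing enforcement x10", enforce(BASELINE, 10, only="phishing")),
                      ("uniform enforcement x2", enforce(BASELINE, 2))]:
        print(label, ranking(vs), {n: round(s, 3) for n, s in shares(vs).items()})
```

Raising enforcement on one vector only reorders the ranking (the activity moves elsewhere), while raising it uniformly leaves the relative shares unchanged and halves every raw score, which is the "uniformly higher" outcome the takeaways ask for.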