
2011.04 How to Isotope Tag a Ghost

Instrumenting and measuring indirect threats: lessons from economics applied to the underground.


  1. How to Isotope-Tag a Ghost. Allison Miller. Thursday, April 28, 2011
  2. (no text on slide)
  3. "We don't talk about what we see; we see only what we can talk about." Donella Meadows, Thinking in Systems: A Primer
  4. Threat trees: p(x), p(y), p(z)
  5. Start / Escalation / Impact / Breach
  6. The Jungle-Gym Effect
  7. The Porous Attack Surface
  8. Enter the Ghosts
  9. An example: Fraud
  10. Fraud
  11. Haunted by an old problem: how do we measure things we can't observe directly?
  12. Like what? Fraud/crime; movement of cash; the underground economy
  13. Direct methods: samples/surveys; intrusive observation; passive observation. Indirect methods: gap accounting; impact indicators; qualitative modeling
  14. Crime
  15. NCVS is the Nation's primary source of information on criminal victimization. Sample of 76,000 households and ~135,300 persons. Frequency, characteristics and consequences of crimes in the US. The survey enables BJS to estimate the likelihood of victimization by category of violent and property crime for the population as a whole. Population segments: gender, age, ethnicity, geography. http://bjs.ojp.usdoj.gov/index.cfm?ty=dcdetail&iid=245
  16. (no text on slide)
  17. [Chart] Figure 2. Property crime rates overall fell by 32% from 1999 to 2008. Series: total property crime, burglary, theft, motor vehicle theft; x-axis 1999 to 2008.
  18. FBI publications (http://www.fbi.gov/stats-services/publications):
     • Financial Crimes Report to the Public: 2009 | 2008 | 2007 | 2006 | 2005
     • Financial Institution Fraud and Failure Reports: 2006-2007 | 2005 | 2004 | 2003 (pdf) | 2002 (pdf) | 2000-2001 (pdf)
     • Insurance Fraud: Program Overview and Consumer Information
     • Mass Marketing Fraud: A Threat Assessment, June 2010
     • Mass Marketing Fraud: Awareness and Prevention Tips
     • Mortgage Fraud Reports: 2009 | 2008 | 2007 | 2006
     • National Money Laundering Strategy (pdf)
     • Securities Fraud: Awareness and Prevention Tips
  19. 2010 Internet Crime Report, www.ic3.gov: a partnership between NW3C/BJA and the FBI
  20. Cybercrime against Businesses, 2005: 7,818 businesses surveyed in 2005. Data on monetary loss and system downtime; types of offenders, types of systems affected, vulnerabilities, whether incidents were reported to LE. Highlights: 3,247 businesses incurred loss totaling $867M; the majority of attacks went unreported to LE. http://bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=769
  21. Cash
  22. Cash movement: velocity of money, V = Nominal GDP / Money Supply
  23. http://research.stlouisfed.org/fred2/categories/32242
  24. Where's George? http://www.wheresgeorge.com/
  25. Shadow
  26. Methods for measuring the shadow economy (method: approach):
     • Direct methods: surveys; audits
     • Indirect methods via national accounting: gap between production and expenditure; gap between official and actual labor; gap between official and actual income
     • Indirect methods via monetary statistics: velocity of M1 (cash/currency); velocity of major bills; transactions approach; currency demand
     • Indirect methods via physical input consumption: electricity consumption
     • Indirect methods via soft modeling: cause/effect (DYMIMIC)
     Source: Schneider & Enste (2002), The Shadow Economy: An International Study, Cambridge Press.
  27. [Chart] Changes over time: size of the shadow economy as a % of official GNP (cash approach) for Belgium, Sweden, Ireland, France, Netherlands, Germany, GB and the USA, in 1970, 1980, 1994, 1995, 1996 and 1997. Data source: Schneider & Enste (1998)
  28. [Chart] Comparing results: size of the shadow economy as a % of official GNP for the same eight countries, by method: cash approach (Johnson 1990/93), cash approach (Schneider 1989/90), cash approach (Schneider 1990/93), electricity consumption (1989/90). Data source: Schneider & Enste (1998)
  29. Method and example:
     • Direct methods: samples/surveys (crime surveys); intrusive observation (tax audits); passive observation (bill tracking)
     • Indirect methods: gap accounting (income vs expenditure); system statistics (velocity of money); impact indicators (energy consumption); qualitative modeling (DYMIMIC)
  30. Spam & Phishing / Botnets / Virus & Malware
  31. Spam & Phishing / Botnets / Virus & Malware. Characteristics of the data: transactional; high-volume; feedback loop; centralized collection; widely distributed
  32. Spam & Phishing: email ISPs and spam detection; content segmentation; metrics on origin, target, intermediaries; cyclicality, event correlation
  33. Spam & Phishing: the majority of email is "bad" (~90% in Q1 2010); malware taking share from spam; crafted attacks as well as blitzes; most campaigns are short (<24 hours)
  34. Virus & Malware: AV vendors; software, devices and environments targeted; mechanism of infection; payload/impact
  35. Virus & Malware: custom malware; social networks as infection mechanism and as targets; drive-bys; mobile and POS devices
  36. Botnets: ISPs, independent researchers; mechanisms of communication and control; profiling and tracking (network, victims, targets); feature analysis; performance (attack metrics)
  37. Botnets: packet, flow and log (app, A/V, spam) analysis; machine learning algorithms for IRC-based C&C botnet traffic (Strayer et al.); clustering analysis for P2P botnet detection (Zeidanloo et al.); DNS analysis and monitoring: changes in DNS traffic patterns (volume, errors); sinkholing (domain name takeovers); IRC and P2P infiltration; honeypots
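The "DNS analysis & monitoring" item on slide 37 names two signals, query volume and error rate, without showing how a resolver operator would turn them into a per-host check. The following is an added example (not code from the talk) of that check: it parses constructed resolver log lines, computes each client's query count and NXDOMAIN ratio in a baseline window and in an observation window, and flags clients whose error ratio jumps or whose volume outgrows the baseline. The log line format (`<epoch_seconds> client <ip> query <qname> rcode <RCODE>`), the thresholds and the sample data are all assumptions.

```python
"""Per-host DNS anomaly check: changes in query volume and NXDOMAIN rate per
client, measured against that client's own recent baseline.

Added example, not code from the slides. Log format is an assumption:
one line per query/response, "<epoch_seconds> client <ip> query <qname> rcode <RCODE>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) client (?P<ip>[\d.]+) query (?P<qname>\S+) rcode (?P<rcode>[A-Z]+)$"
)

# Constructed sample: 10.0.0.5 behaves the same in both windows; 10.0.0.9 is
# quiet in the baseline, then bursts with random-looking names that do not
# resolve (the pattern a domain-generation algorithm produces while hunting
# for its C&C); 10.0.0.7 has too few queries to judge.
SAMPLE_LOG = """\
1010 client 10.0.0.5 query www.example.com rcode NOERROR
1150 client 10.0.0.5 query mail.example.com rcode NOERROR
1300 client 10.0.0.5 query cdn.example.net rcode NOERROR
1450 client 10.0.0.5 query www.example.com rcode NOERROR
1100 client 10.0.0.9 query www.example.com rcode NOERROR
1400 client 10.0.0.9 query update.example.org rcode NOERROR
1620 client 10.0.0.5 query www.example.com rcode NOERROR
1680 client 10.0.0.5 query mail.example.com rcode NOERROR
1740 client 10.0.0.5 query cdn.example.net rcode NOERROR
1800 client 10.0.0.5 query www.example.com rcode NOERROR
1860 client 10.0.0.5 query mail.example.com rcode NOERROR
1601 client 10.0.0.9 query xk3qpd9zlw.net rcode NXDOMAIN
1602 client 10.0.0.9 query b7fq2mnr1t.com rcode NXDOMAIN
1603 client 10.0.0.9 query hq9zt0wv4k.net rcode NXDOMAIN
1604 client 10.0.0.9 query p0s8dkq2yv.org rcode NXDOMAIN
1605 client 10.0.0.9 query c6mw1rza7j.com rcode NXDOMAIN
1606 client 10.0.0.9 query n4zlq8tv2x.net rcode NOERROR
1700 client 10.0.0.9 query www.example.com rcode NOERROR
1650 client 10.0.0.7 query www.example.com rcode NOERROR
1750 client 10.0.0.7 query mail.example.com rcode NOERROR
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": int(m["ts"]),
            "ip": m["ip"],
            "qname": m["qname"].lower().rstrip("."),
            "rcode": m["rcode"],
        })
    return records


def per_host_stats(records, t_start, t_end):
    """Query count, NXDOMAIN count and distinct names per client for ts in [t_start, t_end)."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set()})
    for r in records:
        if t_start <= r["ts"] < t_end:
            s = stats[r["ip"]]
            s["queries"] += 1
            if r["rcode"] == "NXDOMAIN":
                s["nxdomain"] += 1
            s["names"].add(r["qname"])
    return stats


def nxdomain_ratio(s):
    return s["nxdomain"] / s["queries"] if s["queries"] else 0.0


def flag_hosts(records, baseline, window, min_queries=5, ratio_jump=0.3, volume_factor=3.0):
    """Return {ip: reason} for clients whose observation window departs from their baseline.

    baseline and window are (t_start, t_end) pairs. A client is flagged when its
    NXDOMAIN ratio rises by at least ratio_jump, or when its query volume is at
    least volume_factor times what the baseline rate predicts for the window
    length. Clients with fewer than min_queries in the window are ignored so a
    handful of typos cannot trip the check.
    """
    base = per_host_stats(records, *baseline)
    obs = per_host_stats(records, *window)
    # Scale baseline counts to the window length so that volumes are comparable.
    scale = (window[1] - window[0]) / (baseline[1] - baseline[0])
    flagged = {}
    for ip, s in obs.items():
        if s["queries"] < min_queries:
            continue
        b = base.get(ip, {"queries": 0, "nxdomain": 0, "names": set()})
        reasons = []
        if nxdomain_ratio(s) - nxdomain_ratio(b) >= ratio_jump:
            reasons.append(
                f"NXDOMAIN ratio {nxdomain_ratio(b):.2f} -> {nxdomain_ratio(s):.2f} "
                f"over {len(s['names'])} distinct names"
            )
        expected = max(1.0, b["queries"] * scale)
        if s["queries"] >= volume_factor * expected:
            reasons.append(f"query volume {s['queries']} vs ~{expected:.0f} expected")
        if reasons:
            flagged[ip] = "; ".join(reasons)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, why in flag_hosts(recs, baseline=(1000, 1600), window=(1600, 1900)).items():
        print(ip, why)
```

Run as written, only 10.0.0.9 is flagged, on both signals. The per-client baseline matters: a flat global NXDOMAIN threshold would miss a host that normally makes no lookups at all and then starts a modest DGA hunt, while a client that always generates some errors (a misconfigured search list, say) would be flagged every window.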
  38. Useful sources: Google Postini Services Spam Trend & Analysis (July 2010, >3B email connections/day); McAfee Quarterly Threats Report (>20M new malware samples in 2010); Symantec State of Spam & Phishing (300M email addresses); Trustwave Global Security Report 2011 (15 billion emails from 2006-10, 220 breach investigations); ENISA: Botnets: Measurement, Detection, Disinfection and Defence
  39. Method and example, applied to spam, botnets and malware:
     • Direct methods: samples/surveys (spam & phishing, virus & malware); intrusive observation (sinkholing, audits); passive observation (honeypots, flow analysis)
     • Indirect methods: gap accounting ("Cuckoo's Egg"); system statistics (no example given); impact indicators (breach investigations); qualitative modeling (no example given)
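Slide 39 pairs gap accounting with "Cuckoo's Egg", the case in which Clifford Stoll traced an intruder from a 75-cent discrepancy between two accounting systems at LBL. The following added example (not code from the talk) shows the general form of that check over system statistics: two independent records of the same resource use are reconciled per account, and whatever does not reconcile, whether an account one source has never heard of or a usage total the other cannot explain, is the measurable trace of something unobserved. The billing figures, session records and tolerance are constructed assumptions.

```python
"""Gap accounting over system statistics: reconcile two independent records of
the same resource use and report everything that does not agree.

Added example, not from the slides. Both data sets are constructed:
CPU-seconds billed per account by an accounting system, and CPU-seconds summed
from session (login/audit) records for the same period.
"""
from collections import defaultdict

BILLED = {"alice": 3600.0, "bob": 1200.0, "carol": 900.0, "dave": 300.0}

SESSIONS = [
    ("alice", 1800.0), ("alice", 1800.0),   # reconciles exactly
    ("bob", 1200.4),                        # within rounding tolerance
    ("carol", 900.0), ("carol", 45.0),      # an extra session nobody billed
    ("hunter", 75.0),                       # account unknown to billing
    # "dave" is billed but has no sessions at all
]


def usage_from_sessions(sessions):
    """Sum CPU-seconds per account from (account, cpu_seconds) session records."""
    totals = defaultdict(float)
    for account, cpu_seconds in sessions:
        totals[account] += cpu_seconds
    return dict(totals)


def find_gaps(billed, sessions, tolerance=1.0):
    """Return {account: gap} for every account on which the two sources disagree.

    Gap kinds: "unbilled" (sessions exist, no bill), "phantom" (billed, no
    sessions), "mismatch" (both present, totals differ by more than tolerance).
    The tolerance absorbs rounding between the two systems; it is an assumption.
    """
    observed = usage_from_sessions(sessions)
    gaps = {}
    for account in sorted(set(billed) | set(observed)):
        b, o = billed.get(account), observed.get(account)
        if b is None:
            gaps[account] = {"kind": "unbilled", "observed": o}
        elif o is None:
            gaps[account] = {"kind": "phantom", "billed": b}
        elif abs(o - b) > tolerance:
            gaps[account] = {"kind": "mismatch", "billed": b, "observed": o, "delta": o - b}
    return gaps


def total_unexplained(gaps):
    """CPU-seconds that were consumed but that no bill accounts for."""
    total = 0.0
    for g in gaps.values():
        if g["kind"] == "unbilled":
            total += g["observed"]
        elif g["kind"] == "mismatch" and g["delta"] > 0:
            total += g["delta"]
    return total


if __name__ == "__main__":
    gaps = find_gaps(BILLED, SESSIONS)
    for account, gap in gaps.items():
        print(account, gap)
    print("unexplained CPU-seconds:", total_unexplained(gaps))
```

The point of the method is that neither source has to be able to see the intruder directly; it is enough that the two were produced independently, so that an actor who evades one of them still leaves a difference. The tolerance is the tuning knob: set it too wide and the 75-cent gap disappears into rounding noise, set it at zero and ordinary clock drift between the two systems floods the report.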
  40. More opportunities for data aggregation; system accounting; test simple metrics and data sets in experimental models; for existing data sets, opportunities to move from transactional to flow-based. Questions? Allison Miller, @selenakyle
