NCVS is the Nation's primary source of information on criminal victimization.
Sample of 76,000 households & ~135,300 persons
Frequency, characteristics and consequences (crimes in the US)
The survey enables BJS to estimate the likelihood of victimization via categories of violent & property crimes for the population as a whole
Population segments: gender, age, ethnicity, geography
http://bjs.ojp.usdoj.gov/index.cfm?ty=dcdetail&iid=245
Thursday, April 28, 2011
Cybercrime against Businesses, 2005
7,818 businesses in 2005
Data on:
  Monetary loss and system downtime
  Types of offenders, types of systems affected, vulnerabilities, whether incidents were reported to LE
Highlights:
  3,247 businesses incurred loss totaling $867M
  Majority of attacks went unreported to LE
http://bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=769
Method                          Approach
Direct methods                  Surveys
                                Audits
Indirect methods
  Via national accounting       Gap between production & expenditure
  Via national accounting       Gap between official & actual labor
  Via national accounting       Gap between official & actual income
  Monetary statistics           Velocity of M1 (cash/currency)
  Monetary statistics           Velocity of major bills
  Monetary statistics           Transactions approach
  Monetary statistics           Currency demand
  Physical input consumption    Electricity consumption
  Soft modeling                 Cause/effect (DYMIMIC)
The Shadow Economy: An International Study. Cambridge Press. Schneider & Enste (2002)
Changes over time
[Chart: Size of shadow economy as a % of official GNP (cash approach). Countries: Belgium, Sweden, Ireland, France, Netherlands, Germany, GB, USA. Series: 1970, 1980, 1994, 1995, 1996, 1997.]
Data Source: Schneider & Enste (1998)
Comparing results
[Chart: Size of the shadow economy as % of official GNP. Countries: Belgium, Sweden, Ireland, France, Netherlands, Germany, GB, USA. Series: Cash approach (Johnson 1990/93), Cash approach (Schneider 1989/90), Cash approach (Schneider 1990/93), Electricity Consumption (1989/90).]
Data Source: Schneider & Enste (1998)
Method                     Example
Direct methods
  Samples/Surveys          Crime surveys
  Intrusive observation    Tax Audits
  Passive observation      Bill tracking
Indirect methods
  Gap accounting           Income vs expenditure
  System statistics        Velocity of money
  Impact indicators        Energy consumption
  Qualitative modeling     DYMIMIC
Spam & Phishing
Majority of email is “bad” (~90% Q1 2010)
Malware taking share from spam
Crafted attacks as well as blitzes
Most campaigns are short (<24 hours)
Botnets
Virus & Malware
Custom malware
Social networks: Infection mechanism & targets
Drive-bys
Mobile & POS devices
ISPs, independent researchers
Mechanisms of communication, control
Profiling & tracking (network, victims, targets)
Feature analysis
Performance (attack metrics)
Packet, Flow, Log (app, A/V, spam) analysis
Machine learning algorithms for IRC-based C&C botnet traffic (Strayer et al)
Clustering analysis for P2P botnet detection (Zeidanloo et al)
DNS analysis & monitoring
Changes in DNS traffic patterns (volume, errors)
Sinkholing (domain name takeovers)
IRC & P2P infiltration
Honeypots
useful.
Google Postini Services Spam Trend & Analysis (July 2010, >3B email connections/day)
McAfee Quarterly Threats Report (>20M new malware samples in 2010)
Symantec State of Spam & Phishing, 300M email addresses
Trustwave Global Security Report 2011 (15 billion emails from 2006-10, 220 breach investigations)
ENISA: Botnets: Measurement, Detection, Disinfection and Defence
Method                     Example
Direct methods
  Samples/Surveys          Spam & Phishing, Virus & Malware
  Intrusive observation    Sinkholing, Audits
  Passive observation      Honeypots, Flow analysis
Indirect methods
  Gap accounting           “Cuckoo’s Egg”
  System statistics
  Impact indicators        Breach investigations
  Qualitative modeling
More opportunities for data aggregation
System accounting
Test simple metrics, data sets in experimental models
For existing data-sets: Opportunities to move from transactional to flow-based
Questions?
Allison Miller
@selenakyle