2011.04 How to Isotope Tag a Ghost

Instrumenting and measuring indirect threats: lessons from economics applied to the underground.

Published in: Technology

  1. How to Isotope-Tag a Ghost. Allison Miller. Thursday, April 28, 2011
  2. (no text on slide)
  3. "we don't talk about what we see; we see only what we can talk about" (Donella Meadows, Thinking in Systems: A Primer)
  4. threat trees: p(x), p(y), p(z)
  5. Start, Escalation, Impact, Breach
  6. The Jungle-Gym Effect
  7. The Porous Attack Surface
  8. Enter the Ghosts
  9. an example: Fraud
  10. F r a u d
  11. Haunted by an old problem: How do we measure things we can't observe directly?
  12. Like what? Fraud/Crime; Movement of cash; Underground economy
  13. Direct methods: Samples/Surveys, Intrusive observation, Passive observation. Indirect methods: Gap accounting, Impact indicators, Qualitative modeling
  14. Crime
  15. NCVS is the Nation's primary source of information on criminal victimization.
      - Sample of 76,000 households & ~135,300 persons
      - Frequency, characteristics and consequences (crimes in the US)
      - The survey enables BJS to estimate the likelihood of victimization via categories of violent & property crimes for the population as a whole
      - Population segments: gender, age, ethnicity, geography
      - http://bjs.ojp.usdoj.gov/index.cfm?ty=dcdetail&iid=245
  16. (no text on slide)
  17. Figure 2. Property crime rates overall fell by 32% from 1999 to 2008 (chart, 1999 to 2008: total property crime, burglary, theft, motor vehicle theft)
  18. FBI publications (http://www.fbi.gov/stats-services/publications):
      - Financial Crimes Report to the Public: 2009 | 2008 | 2007 | 2006 | 2005
      - Financial Institution Fraud and Failure Reports: 2006-2007 | 2005 | 2004 | 2003 (pdf) | 2002 (pdf) | 2000-2001 (pdf)
      - Insurance Fraud: Program Overview and Consumer Information
      - Mass Marketing Fraud: A Threat Assessment, June 2010
      - Mass Marketing Fraud: Awareness and Prevention Tips
      - Mortgage Fraud Reports: 2009 | 2008 | 2007 | 2006
      - National Money Laundering Strategy (pdf)
      - Securities Fraud: Awareness and Prevention Tips
  19. 2010 Internet Crime Report, www.ic3.gov. Partnership between NW3C/BJA and the FBI
  20. Cybercrime against Businesses, 2005
      - 7,818 businesses in 2005
      - Data on: monetary loss and system downtime; types of offenders, types of systems affected, vulnerabilities, whether incidents were reported to LE
      - Highlights: 3,247 businesses incurred loss totaling $867M; majority of attacks went unreported to LE
      - http://bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=769
  21. Cash
  22. Cash movement. Velocity of money: V = Nominal GDP / Money Supply
  23. http://research.stlouisfed.org/fred2/categories/32242
  24. Where's George? http://www.wheresgeorge.com/
  25. Shadow
  26. Method / Approach (source: The Shadow Economy: An International Study, Cambridge Press, Schneider & Enste (2002))
      - Direct methods: Surveys; Audits
      - Indirect methods, via national accounting: Gap between production & expenditure; Gap between official & actual labor; Gap between official & actual income
      - Indirect methods, monetary statistics: Velocity of M1 (cash/currency); Velocity of major bills; Transactions approach; Currency demand
      - Indirect methods, physical input consumption: Electricity consumption
      - Indirect methods, soft modeling: Cause/effect (DYMIMIC)
  27. Changes over time (chart: size of shadow economy as a % of official GNP, cash approach, for Belgium, Sweden, Ireland, France, Netherlands, Germany, GB and USA in 1970, 1980, 1994, 1995, 1996 and 1997). Data source: Schneider & Enste (1998)
  28. Comparing results (chart: size of the shadow economy as % of official GNP for the same countries; series: Cash approach (Johnson 1990/93), Cash approach (Schneider 1989/90), Cash approach (Schneider 1990/93), Electricity consumption (1989/90)). Data source: Schneider & Enste (1998)
  29. Method / Example
      - Direct methods: Samples/Surveys: Crime surveys; Intrusive observation: Tax audits; Passive observation: Bill tracking
      - Indirect methods: Gap accounting: Income vs expenditure; System statistics: Velocity of money; Impact indicators: Energy consumption; Qualitative modeling: DYMIMIC
  30. Spam & Phishing / Botnets / Virus & Malware
  31. Spam & Phishing / Botnets / Virus & Malware: Transactional; High-volume; Feedback loop; Centralized collection; Widely distributed
  32. Spam & Phishing: Email ISPs & spam detection; Content segmentation; Metrics on origin, target, intermediaries; Cyclicality, event correlation
  33. Spam & Phishing: Majority of email is "bad" (~90%, Q1 2010); Malware taking share from spam; Crafted attacks as well as blitzes; Most campaigns are short (<24 hours)
  34. AV vendors: Software, devices, environments targeted; Mechanism of infection; Payload/impact
  35. Custom malware; Social networks: infection mechanism & targets; Drive-bys; Mobile & POS devices
  36. ISPs, independent researchers: Mechanisms of communication, control; Profiling & tracking (network, victims, targets); Feature analysis; Performance (attack metrics)
  37. Packet, Flow, Log (app, A/V, spam) analysis; Machine learning algorithms for IRC-based C&C botnet traffic (Strayer et al); Clustering analysis for P2P botnet detection (Zeidanloo et al); DNS analysis & monitoring: changes in DNS traffic patterns (volume, errors); Sinkholing (domain name takeovers); IRC & P2P infiltration; Honeypots
  38. useful.
      - Google Postini Services Spam Trend & Analysis (July 2010, >3B email connections/day)
      - McAfee Quarterly Threats Report (>20M new malware samples in 2010)
      - Symantec State of Spam & Phishing (300M email addresses)
      - Trustwave Global Security Report 2011 (15 billion emails from 2006-10, 220 breach investigations)
      - ENISA: Botnets: Measurement, Detection, Disinfection and Defence
  39. Method / Example
      - Direct methods: Samples/Surveys: Spam & Phishing, Virus & Malware; Intrusive observation: Sinkholing, Audits; Passive observation: Honeypots, Flow analysis
      - Indirect methods: Gap accounting: "Cuckoo's Egg"; System statistics: (none given); Impact indicators: Breach investigations; Qualitative modeling: (none given)
  40. More opportunities for data aggregation; System accounting; Test simple metrics, data sets in experimental models; For existing data-sets: opportunities to move from transactional to flow-based. Questions? Allison Miller, @selenakyle
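Slide 37 lists "changes in DNS traffic patterns (volume, errors)" as one indirect signal of botnet activity. As an added example that is not part of the deck, the Python below tallies per-client query volume and NXDOMAIN share from constructed resolver log lines and flags clients whose numbers move sharply against a baseline window; the log format, client addresses and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed resolver log lines ("client qname rcode"), one block per time
# window; made up for this example, not data from the deck.
BASELINE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 typo.exmaple.com NXDOMAIN
10.0.0.9 api.example.org NOERROR
10.0.0.7 www.example.com NOERROR
"""
WINDOW_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 a7f3kq.example-c2.biz NXDOMAIN
10.0.0.9 zz91pe.example-c2.biz NXDOMAIN
10.0.0.9 q0wm4x.example-c2.biz NXDOMAIN
10.0.0.9 p8s2lv.example-c2.biz NXDOMAIN
10.0.0.7 www.example.com NOERROR
10.0.0.7 mail.example.com NOERROR
10.0.0.7 cdn.example.net NOERROR
"""


def count_per_client(log):
    """Tally total queries and NXDOMAIN answers per client address."""
    counts = defaultdict(lambda: [0, 0])  # client -> [queries, nxdomain]
    for line in log.splitlines():
        client, _qname, rcode = line.split()
        counts[client][0] += 1
        if rcode == "NXDOMAIN":
            counts[client][1] += 1
    return counts


def flag_changes(baseline, window, volume_factor=3.0, error_delta=0.3):
    """Flag clients whose query volume or NXDOMAIN share jumped versus baseline (thresholds assumed)."""
    flagged = {}
    for client, (queries, nxdomain) in window.items():
        base_q, base_nx = baseline.get(client, (0, 0))
        base_rate = base_nx / base_q if base_q else 0.0
        reasons = []
        if base_q and queries >= volume_factor * base_q:
            reasons.append("volume")  # query count grew by volume_factor or more
        if nxdomain / queries - base_rate >= error_delta:
            reasons.append("nxdomain")  # error share rose by error_delta or more
        if reasons:
            flagged[client] = reasons
    return flagged
```

A client first seen in the window has no baseline, so only its NXDOMAIN share is checked; a real deployment would also want a minimum query count before trusting a rate.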