© Sam Ransbotham
The Impact of Immediate Disclosure on Attack Diffusion and
Volume
Sam Ransbotham
Boston College
Sabyasachi Mitra
Georgia Institute of Technology
Security Vulnerabilities and Disclosure
Does immediate disclosure of vulnerabilities affect exploitation attempts?
Specifically, does immediate disclosure affect…
Risk: the likelihood of a vulnerability being exploited?
Diffusion: the diffusion of exploitations based on a vulnerability?
Volume: the volume of exploitations based on the vulnerability?
Methodology: Statistical analysis of intrusion detection system attack and NVD data
Key Result: Immediate disclosure accelerates exploitation attempts, slightly increases the number of distinct targets but decreases attack volume.
Disclosure Process as an R&D Race
[Diagram: two parallel processes racing against each other; adapted from Ransbotham, Mitra, Ramsey (forthcoming MIS Quarterly)]
ATTACK PROCESS: Discovery of Vulnerability -> Development of Exploit Method -> Diffusion of Attacks -> Firm is attacked
SECURITY PROCESS: Discovery of Vulnerability -> Development of Patch by Vendor -> Diffusion of Patch -> Firm is patched; in parallel, Development of Countermeasures (e.g. detection signatures) -> Diffusion of Countermeasures
Public Disclosure? (marked in the diagram between the two processes, with question marks for where it falls in the race)
Tension: Immediate disclosure helps and hurts
Attackers
- Disclosure provides information
- Opens “window of opportunity”
- Tells everyone the window is open
Defenders
- Can’t close a window you don’t know is open
- Disclosure allows countermeasure development
- Focuses defender attention
- Encourages quick vendor response
Research Environment
[Diagram: traffic from the Internet (e.g. customers, vendors, attackers) enters the Corporate Network through an Intrusion Detection System; the filtered data stream goes to the Security Company, where matched alert data is stored in an Alert Database and watched by an Operator/Monitor; a Signature Database receives Signature Updates; this paper matches the alert data to the NVD (National Vulnerability Database)]
Data: 400+ million alert subset, 2006-2007, 960 firms
NVD Example
[Figure: an NVD vulnerability entry, annotated with Begin Date, Disclosure(s), and Alternative Explanations]
Key Control Variables
1. Common Vulnerability Scoring System (CVSS) Assessment
   A. Access required: (local, adjacent, remote)
   B. Complexity: (low, medium, high)
   C. Authentication: (required or not)
   D. Impacts: (confidentiality, data integrity, availability of system resources)
   E. Type
      1. Access Validation: incorrect allowance of privileges
      2. Input Validation: failure to handle incorrect input
      3. Design Error: shortcomings in design of software
      4. Exception Error: insufficient response to unexpected conditions
      5. Configuration Error: weak configuration of settings
      6. Race Condition: errors due to sequencing of events
2. Patch available
3. Signature available
4. Application affected: Desktop or Server
5. Disclosure through Market (paid) mechanism
6. Age of vulnerability (days since publication)
Vulnerability details

Variable                Value      Immediate Disclosure    Non-Immediate
                                   Count    %              Count    %
Complexity              Low        270      50.75%         347      51.87%
                        Medium     194      36.47%         263      39.31%
                        High        68      12.78%          59       8.82%
Confidentiality Impact  No         121      22.74%         157      23.47%
                        Yes        411      77.26%         512      76.53%
Integrity Impact        No         104      19.55%         156      23.32%
                        Yes        428      80.45%         513      76.68%
Availability Impact     No         106      19.92%          97      14.50%
                        Yes        426      80.08%         572      85.50%
Vulnerability Type      Input      184      34.59%         206      30.79%
                        Design      76      14.29%         111      16.59%
                        Exception   44       8.27%          72      10.76%
Market Disclosure       No         441      82.89%         600      89.69%
                        Yes         91      17.11%          69      10.31%
Server Application      No         513      96.43%         651      97.31%
                        Yes         19       3.57%          18       2.69%
Contains Signature      No         466      87.59%         576      86.10%
                        Yes         66      12.41%          93      13.90%
Patch Available         No         224      42.11%         320      47.83%
                        Yes        308      57.89%         349      52.17%
Does immediate disclosure affect attacks? Three ways to analyze this question…
1. Risk: the likelihood of a vulnerability being exploited?
   • Data summarized by firm, vulnerability, day
   • Dependent variable is yes/no if attack seen on that day
   • Using stratified Cox proportional hazard models
2. Diffusion: the diffusion of attacks based on a vulnerability?
   • Data summarized by vulnerability, day
   • Dependent variable is the cumulative number of firms attacked by that day
   • Using nonlinear regression to estimate diffusion curve
3. Volume: the volume of attacks based on the vulnerability?
   • Data summarized by firm, vulnerability, day
   • Dependent variable is the count of attacks seen on that day
   • Using Heckman two-stage regression
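The three analyses above start from the same raw material: matched IDS alerts keyed by firm, vulnerability and day, plus the NVD publication date of each vulnerability. The following added example (not code from the authors or the study) builds the three dependent variables described on this slide from a small constructed alert sample: the yes/no attack indicator per firm-vulnerability-day (Risk), the cumulative number of distinct firms attacked by each day since publication (Diffusion), and the per-day alert count with its Heckman split into a censoring indicator and a log count (Volume). Firm names, vulnerability ids, dates and counts are all constructed placeholders; the panel fills in explicit zero-alert days because the selection stage of the Heckman model needs them.

```python
import math
from datetime import date

# Constructed sample of matched IDS alerts, one record per (firm, vulnerability, day):
# (firm, vulnerability id, alert day, number of alerts that day).
# Names and values are placeholders, not data from the study.
ALERTS = [
    ("firm-A", "vuln-1", date(2006, 3, 2), 4),
    ("firm-B", "vuln-1", date(2006, 3, 2), 1),
    ("firm-A", "vuln-1", date(2006, 3, 4), 2),
    ("firm-C", "vuln-1", date(2006, 3, 5), 7),
    ("firm-A", "vuln-2", date(2006, 3, 3), 1),
]
# Constructed NVD-style publication ("begin") dates per vulnerability.
PUBLISHED = {"vuln-1": date(2006, 3, 1), "vuln-2": date(2006, 3, 3)}
FIRMS = ["firm-A", "firm-B", "firm-C"]


def age_in_days(vuln, day, published=PUBLISHED):
    """Age of the vulnerability on a given day: days since NVD publication."""
    return (day - published[vuln]).days


def volume_panel(alerts, firms, published, horizon):
    """Firm x vulnerability x day panel of alert counts (Volume dependent variable).
    Days on which a firm saw no alert for the vulnerability are filled with 0 so that
    every firm-vulnerability-day in the observation window is present."""
    panel = {(firm, vuln, age): 0
             for vuln in published for firm in firms for age in range(horizon)}
    for firm, vuln, day, count in alerts:
        age = age_in_days(vuln, day, published)
        if 0 <= age < horizon:          # ignore alerts outside the window
            panel[(firm, vuln, age)] += count
    return panel


def risk_panel(alerts, firms, published, horizon):
    """Same panel, but the dependent variable is 1 if an attack was seen that day, else 0
    (the input to a Cox proportional hazard model stratified by firm)."""
    return {key: int(count > 0)
            for key, count in volume_panel(alerts, firms, published, horizon).items()}


def diffusion_series(alerts, published, horizon):
    """Per vulnerability: cumulative number of distinct firms attacked by each day since
    publication (the series a diffusion curve is fitted to)."""
    series = {}
    for vuln in published:
        first_hit = {}                   # firm -> age at which it was first attacked
        for firm, v, day, count in alerts:
            if v != vuln or count <= 0:
                continue
            age = age_in_days(vuln, day, published)
            if 0 <= age < horizon and age < first_hit.get(firm, horizon):
                first_hit[firm] = age
        series[vuln] = [sum(1 for a in first_hit.values() if a <= age)
                        for age in range(horizon)]
    return series


def heckman_stages(panel):
    """Split the volume panel the way the two-stage model uses it:
    stage 1 sees every observation with an 'uncensored' indicator (attack observed),
    stage 2 sees only uncensored observations with the natural log of the count."""
    uncensored = {key: int(count > 0) for key, count in panel.items()}
    log_count = {key: math.log(count) for key, count in panel.items() if count > 0}
    return uncensored, log_count


if __name__ == "__main__":
    horizon = 6
    print(diffusion_series(ALERTS, PUBLISHED, horizon))
    vol = volume_panel(ALERTS, FIRMS, PUBLISHED, horizon)
    unc, logs = heckman_stages(vol)
    print(sum(unc.values()), "uncensored of", len(unc), "observations")
```

Age in days is kept as the panel index, so the log-age control from the volume model is simply `math.log(age + 1)` on that index; the study's own variable construction is not shown on the slides, so treat this as one reasonable reading of the three bullet lists.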
1. Does immediate disclosure affect exploitation risk?

Variable                Control Model   Test Model
Complexity: Medium      -0.215***       -0.188***
Complexity: High         0.227***        0.227***
Confidentiality Impact  -0.135***       -0.165***
Integrity Impact         0.288***        0.298***
Availability Impact      0.296***        0.339***
Market Disclosure       -1.508***       -1.594***
Server Application      -0.620***       -0.628***
Patch Available          0.009          -0.001
Signature Available      1.034***        1.075***
Vulnerability Types      indicators      indicators
Immediate Disclosure                     0.497***

Cox proportional hazard model of exploitation attempts across 1,152,406 observations of 1201 vulnerabilities in 960 firms; robust standard errors in parentheses; analysis stratified across 960 firms; significance levels: * p<0.05; ** p<0.01; *** p<0.001
[Annotation on the Immediate Disclosure coefficient: increased risk of exploitation attempt]
2. Does immediate disclosure affect diffusion?
[Figure: S-shaped curve of cumulative penetration over time, characterized by three parameters: Delay (D), Rate (R) and Penetration (P)]
2. Does immediate disclosure affect diffusion?

Variable                Penetration (P)   Rate (R)     Delay (D)
Complexity: Medium       174.27***         0.57***     136.68***
Complexity: High          42.09***         0.57***      20.65***
Confidentiality Impact   -32.48***         0.19***     135.88***
Integrity Impact          11.74***         0.39***      91.90***
Availability Impact      -11.13***        -0.78***    -156.51***
Server Application        -3.05*          -0.10***      27.30***
Patch Available          -19.94***        -0.60***    -140.87***
Market Disclosure        -57.46***        -1.15***     278.74***
Signature Available      123.24***         1.42***    -141.58***
Vulnerability Types      indicators        indicators   indicators
Immediate Disclosure       3.69***        -0.09***      -5.77**

Nonlinear regression on the cumulative number of affected firms; 132,768 daily observations of vulnerabilities exploited in at least one of 960 firms. Robust standard errors in parentheses; significance levels: * p<0.05; ** p<0.01; *** p<0.001
2. Does immediate disclosure affect diffusion?
Acceleration
Increased Penetration (?)
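The diffusion slides define the curve only by its three parameters (Penetration P, Rate R, Delay D) and report how immediate disclosure shifts each of them; the equation itself is not on the slides. The added example below (my own code, not the authors') assumes a logistic functional form, P / (1 + exp(-R (t - D))), where P is the asymptotic number of firms, D the day at which half of P is reached and R the steepness, and fits all three parameters to a constructed cumulative-firm series with a pure-Python Levenberg-Marquardt routine. Recovering the parameters from a series makes the coefficient signs on the table readable: a shorter fitted D is the "acceleration" the slide points at, a larger fitted P the "increased penetration". The sample series is generated from known parameters and rounded to whole firms, so the fit can be checked against them.

```python
import math


def logistic_curve(t, P, R, D):
    """Assumed diffusion curve: cumulative firms attacked by day t.
    P = penetration (asymptote), R = rate, D = delay (day at which P/2 is reached)."""
    z = max(min(-R * (t - D), 700.0), -700.0)   # clamp so exp() cannot overflow
    return P / (1.0 + math.exp(z))


def constructed_series(P, R, D, days):
    """Constructed data: the curve rounded to whole firms, standing in for the
    cumulative number of distinct firms observed attacked by each day."""
    return [round(logistic_curve(t, P, R, D)) for t in days]


def _sse(days, y, P, R, D):
    return sum((yi - logistic_curve(t, P, R, D)) ** 2 for t, yi in zip(days, y))


def _solve3(A, b):
    """Gaussian elimination with partial pivoting for the 3x3 normal equations."""
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        if abs(M[col][col]) < 1e-15:
            raise ValueError("singular normal equations")
        for r in range(col + 1, 3):
            f = M[r][col] / M[col][col]
            for c in range(col, 4):
                M[r][c] -= f * M[col][c]
    x = [0.0] * 3
    for r in (2, 1, 0):
        x[r] = (M[r][3] - sum(M[r][c] * x[c] for c in range(r + 1, 3))) / M[r][r]
    return x


def _initial_guess(days, y):
    """Starting values: P just above the observed maximum, D at the first day past
    half of P, R from an ordinary least-squares line through the log-odds."""
    if max(y) <= 0:
        raise ValueError("no firms attacked; nothing to fit")
    P = max(y) * 1.05
    D = next(t for t, yi in zip(days, y) if yi >= P / 2)
    pts = [(t, math.log(yi / (P - yi))) for t, yi in zip(days, y) if 0 < yi < P]
    n = len(pts)
    mx = sum(t for t, _ in pts) / n
    my = sum(v for _, v in pts) / n
    sxx = sum((t - mx) ** 2 for t, _ in pts)
    sxy = sum((t - mx) * (v - my) for t, v in pts)
    R = sxy / sxx if sxx else 0.1
    return P, R, D


def fit_diffusion(days, y, iters=100):
    """Levenberg-Marquardt nonlinear least squares for (P, R, D)."""
    P, R, D = _initial_guess(days, y)
    lam, sse = 1e-3, _sse(days, y, P, R, D)
    for _ in range(iters):
        JtJ = [[0.0] * 3 for _ in range(3)]
        Jtr = [0.0] * 3
        for t, yi in zip(days, y):
            u = math.exp(max(min(-R * (t - D), 700.0), -700.0))
            g = 1.0 + u
            # partial derivatives of the curve with respect to P, R, D
            grad = (1.0 / g, P * (t - D) * u / g ** 2, -P * R * u / g ** 2)
            r = yi - P / g
            for a in range(3):
                Jtr[a] += grad[a] * r
                for b in range(3):
                    JtJ[a][b] += grad[a] * grad[b]
        A = [[JtJ[a][b] + (lam * JtJ[a][a] if a == b else 0.0) for b in range(3)]
             for a in range(3)]
        try:
            step = _solve3(A, Jtr)
        except ValueError:
            lam *= 10.0
            continue
        cand = (P + step[0], R + step[1], D + step[2])
        new_sse = _sse(days, y, *cand)
        if new_sse < sse:                 # accept the step, trust the Gauss-Newton direction more
            P, R, D = cand
            converged = sse - new_sse < 1e-9 * max(sse, 1.0)
            sse, lam = new_sse, max(lam * 0.3, 1e-12)
            if converged:
                break
        else:                             # reject the step, move toward gradient descent
            lam *= 10.0
    return P, R, D


if __name__ == "__main__":
    days = list(range(31))
    series = constructed_series(100, 0.5, 10, days)   # known P, R, D
    print("fitted (P, R, D):", fit_diffusion(days, series))
```

To compare two groups the way the table does, fit the series of immediately disclosed and non-immediately disclosed vulnerabilities separately and read the difference in D (negative means faster diffusion), R and P; the table's coefficients are the regression counterpart of that comparison with controls included.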
3. Does immediate disclosure affect volume of alerts?

Variable                Stage 1          Stage 2
Complexity: Medium       0.100***        -0.050***
Complexity: High         0.280***        -0.037***
Confidentiality Impact   0.015***         0.031***
Integrity Impact         0.501***        -0.083***
Availability Impact     -0.253***        -0.005
Vulnerability Types      indicators       indicators
Firm effects             indicators       indicators
Monthly indicators       Publish month    Alert month
Age (in days, log)      -0.210***  (reported in one column only on the slide)
Server Application      -0.325***         0.130***
Market Disclosure       -0.050***        -0.098***
Patch Available         -0.432**         -0.019***
Signature Available      0.738***         0.166***
Immediate Disclosure    -0.067***         0.148***

Heckman two-stage regression; n = 1,302,931; 709,090 uncensored; 1201 vulnerabilities; standard errors in parentheses; significance levels: * p<0.05; ** p<0.01; *** p<0.001
Stage 1: uncensored if exploit attempt for the vulnerability is observed in the sample
Stage 2: natural log of the number of exploitation attempts
[Annotation on the slide: increases volume]
Main Result
Immediate disclosure can increase the risk and accelerate the diffusion, but decrease the volume, of attack attempts for vulnerabilities.
Adds to the scarce empirical research (most is analytical)
• Not a single firm (hundreds)
• Extended time period (two years)
• Real attacks (not honeypot)
Opens window for attackers
• But defenders are reacting quickly to close the window
• Attackers seem to abandon attacks quickly as well
Implications
• Immediate disclosure affects both actions on the window: closing and opening
• Forces defenders to react quickly
• May not be socially optimal; prioritization skewed?
• Limited disclosure?
• Unclear if results hold for extreme case (all immediate disclosure)
Limitations
• Working to further clarify first disclosure; results are conservative
• High volume of noisy data: IDS and NVD
Going forward
• Limited resource budget of defenders; attackers less limited
• Using “workload index” to help understand this