Official presentation: RSA's Sam Curry and Amrit Williams explore the behavior of online criminals, and introduce a model for further behavioral study. See more from Sam at http://blogs.rsa.com/author/curry
The Economics of Cybercrime and the
“Law of Malware Probability”
Sam Curry
April, 2009
The Cybercrime Dilemma
We are dealing with intelligent opponents
Most media and market attention is best described as FUD (fear, uncertainty and doubt)
A “War on Cybercrime” doesn’t make sense
A study of the behavior of online criminals does make sense
The purpose of this presentation is to start that dialog and provide a model for the community to use
As with fighting any intelligent opponent, the goal must be…
– To analyze
– To act
– To achieve measurable reductions in fraud
• Make it expensive to do in systematic ways
• Coordinate better and improve defenses
– To adapt
– To repeat the above
Victory is not found in destroying the opponent, it is found in reducing him (or her).
“from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities the threat to our infrastructure, the threat to our intelligence, the threat to our computer network is the most critical threat we face.”
Shawn Henry, Assistant Director of the FBI Cyber Division
FUD
“Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs”
Valerie McNiven, who advises the US Treasury on cybercrime
Cybercrime economy is massive!
FUD
Fear and Loathing in Davos
Comments from the Cybersecurity panel at the Davos world economic forum:
– Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.
– “2008 was the year when cyber warfare began. It showed that you can bring down a country within minutes,” one panelist said.
There is an underground economy

Going rate per asset (sample data from research on the underground digital economy in 2007):
– Pay-out for each unique adware installation: 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
– Malware package, basic version: $1,000 – $2,000
– Malware package with add-on services: varying prices starting at $20
– Exploit kit rental, 1 hour: $0.99 to $1
– Exploit kit rental, 2.5 hours: $1.60 to $2
– Exploit kit rental, 5 hours: $4, may vary
– Undetected copy of a certain information-stealing Trojan: $80, may vary
– Distributed Denial of Service attack: $100 per day
– 10,000 compromised PCs: $1,000
– Stolen bank account credentials: varying prices starting at $50
– 1 million freshly-harvested email addresses (unverified): $8 and up, depending on quality
Malware variants ARE increasing dramatically

(Chart: number of malware variants by year. 1988: 1,738; 1998: 177,615; 2008: 2,753,587.)
* Source: Trend Micro Malware Research Center
Changing Threat Environment

(Figure: damage plotted against attack motivation. Motivation runs from hobby-based malware, through cyber vandalism, to financially motivated cyber crime; damage runs from minor annoyance, through service/resource disruption, to significant impact on the business bottom line. Threats placed along that curve: worms, viruses, botnets, rootkits, DoS/DDoS, spyware, targeted malware, hybrid worms, web-application attacks, spam, phishing, financial backdoor Trojans, coordinated attacks.)

Pre-incident, policy-driven security measures
• Implement: vulnerability and configuration policies
• Audit: against defined policies
• Eliminate: administrative, user, system and application exposures

Reactive, ad-hoc security measures
• External shielding
• Rapid patching
• Signature updates
Port-o-potty use over time

• You can measure human “port-o-potty” behavior
• Most reasonable people are disgusted by port-o-potties
• However, when desperate for relief, their level of disgust predictably decreases
• The speed at which disgust decreases and desperation increases is amplified by alcohol

(Chart: disgust falling and desperation rising over time, from “Won’t use” to “Can’t refuse”. The two curves meet at a predictable cross-over point; with alcohol the curves move faster and the cross-over point comes sooner.)
The Law of Malware Probability

$$\text{Probability} \propto \text{Total Reward}, \qquad \text{Probability} \propto \frac{1}{\text{Total Risk}}$$

Therefore

$$\text{Probability} \propto \frac{\text{Total Reward}}{\text{Total Risk}}$$

Or, with $P_V$ the probability that a vector is used, $A_V$ the attractiveness of its target (the reward), $D_V$ the difficulty (raw cost) of the vector and $R_V$ the risk to the attacker:

$$P_V \propto \frac{A_V}{D_V \cdot R_V}$$

• When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply Game Theory
• You can determine to some level of accuracy the relative probability of a set of attack types with respect to one another
• You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment
• You can use this outlook to examine the effects of world events and small changes in “State of the Art” or even the introduction of disruptive technologies
Target’s Attractiveness

$$P_V \propto \frac{A_V}{D_V \cdot R_V}$$

• Attractiveness is related to several factors:
– Number of victims (unit-less), i.e. more victims is more attractive
– Value per victim, i.e. more money per victim is more attractive
– Rate of infection among victims (this can be measured with a cash analog or as a weighting factor such as “0.3” for a low rate or “1.0” for a high rate), i.e. Cash is King: getting to the victim faster means getting to the cash faster
– Maturity of the cash-out mechanism is an important factor, related to the sophistication of the criminal “networks”

Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.); this also has interesting implications on a geographic basis, especially with cost (q.v.)

$$A_V \propto \#V \cdot V_V \cdot R_V$$

where $\#V$ is the number of victims, $V_V$ the value per victim and $R_V$ the rate of infection. (The slide reuses the symbol $R_V$, which on the previous slide denotes the risk to the attacker; the two are distinct quantities and should be read by context.)

(Charts: attractiveness rises with the number of victims, with the $ per victim, and with the rate of infection.)
Difficulty (raw cost) of a Vector

$$P_V \propto \frac{A_V}{D_V \cdot R_V}$$

• Difficulty is related to several factors:
– Scarcity of skillset, i.e. finding and hiring specialists is expensive; for the attacker, that’s bad!
– Time to execute matters, and it costs, i.e. Cash is King! Exploits that are fast to build mean $$$
– Cost to “host” or execute (e.g. hardware), i.e. for the attacker, a legacy infrastructure or exploiting others’ resources is good!
• Over time cost always comes down!
• Breakthrough technologies, improvements in infrastructure (especially in the developing world), regional or global advances in programming, and increases in a population’s skill sets make a big difference, bringing down cost…

$$D_V \propto S_V \cdot T_V \cdot H_V$$

where $S_V$ is the skill cost, $T_V$ the time cost and $H_V$ the hosting cost.

(Charts: skill cost, time cost and host cost each raise difficulty and lower probability.)
“Risk” to the Attacker

$$P_V \propto \frac{A_V}{D_V \cdot R_V}$$

• Risk is related to several factors:
– Penalty, i.e. severe penalties drive down the chance of any vector being used (compare physical robbery with online robbery, for instance)
– Chance of being caught, i.e. a penalty is only effective if it has a chance of being enforced
• This is where careful collaboration and international efforts can bear fruit
• Crime is fluid and will move to the “best reward for least risk”, meaning no measure will “solve” the attack problem… it will merely move it elsewhere

$$R_V \propto P_V \cdot \%C_V$$

where $P_V$ is the penalty and $\%C_V$ the chance of being caught. (The slide reuses the symbol $P_V$, which on the Law slide denotes the probability of the vector; the two are distinct quantities and should be read by context.)

(Charts: penalty and chance of being caught each raise risk and lower probability.)
Example Values for Variables

Each factor is scored on an index from 0 to 10; the table gives the example value each index stands for. Columns: Value V ($US); Number N; Interconnection I (number of nodes directly reachable); Difficulty D (number of people who know how to do it); Expense E ($US); Time T (time to hack); Likelihood L (chance of getting caught); Penalty P (fine and/or jail).

0: V 0 | N 0 | I 0 | D 0 | E 0 | T 0 | L 0% | P 0
1: V 1 | N 1 | I 1 | D 10,000,000+ | E 1 | T 1 hour | L 0.01% | P $1
2: V 10 | N 10 | I 10 | D 1,000,000 | E 10 | T 1 day | L 0.1% | P $100
3: V 100 | N 100 | I 100 | D 500,000 | E 100 | T 1 week | L 1% | P $1,000
4: V 1,000 | N 1,000 | I 1,000 | D 250,000 | E 1,000 | T 1 month | L 5% | P $10,000
5: V 10 * 10^4 | N 10 * 10^4 | I 10 * 10^4 | D 100,000 | E 10 * 10^4 | T 3 months | L 10% | P $100,000
6: V 10 * 10^5 | N 10 * 10^5 | I 10 * 10^5 | D 25,000 | E 10 * 10^5 | T 6 months | L 20% | P $10,000 + 1 year
7: V 10 * 10^6 | N 10 * 10^6 | I 10 * 10^6 | D 2,500 | E 10 * 10^6 | T 1 year | L 35% | P $100,000 + 1 year
8: V 10 * 10^7 | N 10 * 10^7 | I 10 * 10^7 | D 250 | E 10 * 10^7 | T 18 months | L 50% | P $1,000,000
9: V 10 * 10^8 | N 10 * 10^8 | I 10 * 10^8 | D 25 | E 10 * 10^8 | T 2 years | L 75% | P more than 1 year
10: V 10 * 10^9 | N 10 * 10^9 | I 10 * 10^9 | D 1 | E 10 * 10^9 | T 3 years | L 100% | P more than $1,000,000 and 1 year
Example of a Comparison

Cyber crime types scored on the factor indices above (V, N, I, D, E, T, L, P) and the resulting relative probability ρ. The slide gives the scores and ρ but does not state the weighting used to compute ρ from the eight factors.

Wireless Malware: V 3, N 6, I 4, D 6, E 5, T 6, L 2, P 5; ρ = 0.42
PC Malware (Low): V 5, N 7, I 5, D 3, E 4, T 4, L 2, P 5; ρ = 1.59
Spam: V 1, N 7, I 1, D 1, E 3, T 3, L 1, P 5; ρ = 0.20
Phishing: V 5, N 7, I 5, D 6, E 5, T 6, L 1, P 5; ρ = 2.06
Mail Fraud: V 2, N 7, I 1, D 1, E 3, T 3, L 7, P 8; ρ = 0.04
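The Law slide and the three factor slides give the proportionality, and the two tables give the scale and the scores, but the deck never shows the arithmetic in between. The following is an added worked example, not code from the deck or from RSA: it scores the five vectors of the comparison table with P_V ∝ A_V / (D_V · R_V) and then works through the “risk” slide’s point that a control which raises the chance of being caught for one vector does not remove crime but shifts it to the next-best vector. Everything not on the page is an assumption and is labelled as such in the code: each factor index k is read on the example-values scale as 10^(k-1); reward A_V is taken as V·N·I, raw cost D_V as D·E·T (the D index already grows with difficulty, since a higher index means fewer people know how), and attacker risk R_V as L·P; the constants hidden in “∝” are set to 1. Because the weighting the deck used for its ρ column is not given, these results are not expected to reproduce that column.

```python
from fractions import Fraction

# Factor indices per vector, copied from the "Example of a Comparison" slide.
# V value per victim, N number of victims, I interconnection, D people who know
# how (higher index = fewer people = harder), E expense, T time to hack,
# L chance of being caught, P penalty. All on the 0-10 index scale.
VECTORS = {
    "Wireless Malware": dict(V=3, N=6, I=4, D=6, E=5, T=6, L=2, P=5),
    "PC Malware (Low)": dict(V=5, N=7, I=5, D=3, E=4, T=4, L=2, P=5),
    "Spam":             dict(V=1, N=7, I=1, D=1, E=3, T=3, L=1, P=5),
    "Phishing":         dict(V=5, N=7, I=5, D=6, E=5, T=6, L=1, P=5),
    "Mail Fraud":       dict(V=2, N=7, I=1, D=1, E=3, T=3, L=7, P=8),
}


def magnitude(k):
    """ASSUMED reading of the example-values scale: index k stands for 10**(k-1),
    index 0 means the factor is absent. Exact Fractions avoid float noise across
    the twenty-odd orders of magnitude the products span."""
    if not 0 <= k <= 10:
        raise ValueError(f"factor index {k} is outside the 0-10 scale")
    return Fraction(0) if k == 0 else Fraction(10) ** (k - 1)


def weight(f):
    """Unnormalised P_V ∝ A_V / (D_V * R_V) under the ASSUMED grouping
    A_V = V*N*I (reward), D_V = D*E*T (raw cost), R_V = L*P (attacker risk)."""
    reward = magnitude(f["V"]) * magnitude(f["N"]) * magnitude(f["I"])
    cost = magnitude(f["D"]) * magnitude(f["E"]) * magnitude(f["T"])
    risk = magnitude(f["L"]) * magnitude(f["P"])
    if cost == 0 or risk == 0:
        # A free, risk-free vector has no finite ratio; the model cannot rank it.
        raise ValueError("cost and risk must both be non-zero")
    return reward / (cost * risk)


def decades(f):
    """log10 of weight(f): each index step in the numerator adds a decade, each
    step in the denominator removes one. Valid only when no index is 0."""
    if 0 in f.values():
        raise ValueError("log form is undefined for a zero factor")
    return (f["V"] + f["N"] + f["I"]) - (f["D"] + f["E"] + f["T"]) - (f["L"] + f["P"]) + 2


def shares(vectors):
    """Relative probability of each vector: its weight as a fraction of the
    total. Relative is the only sense the law is stated in (it is a ∝, not =)."""
    w = {name: weight(f) for name, f in vectors.items()}
    total = sum(w.values())
    return {name: v / total for name, v in w.items()}


def ranked(vectors):
    """Vector names from most to least likely under the model."""
    return sorted(vectors, key=lambda n: weight(vectors[n]), reverse=True)


def with_factor(vectors, name, factor, new_index):
    """Copy of the vector table with one factor index changed, e.g. a control
    that raises the chance of being caught (L) for one vector."""
    changed = {n: dict(f) for n, f in vectors.items()}
    changed[name][factor] = new_index
    return changed


if __name__ == "__main__":
    before = shares(VECTORS)
    # Control: push the chance of being caught for low-end PC malware from
    # index 2 (0.1%) to index 5 (10%); every other score stays as on the slide.
    after = shares(with_factor(VECTORS, "PC Malware (Low)", "L", 5))
    for name in ranked(VECTORS):
        print(f"{name:18s} {decades(VECTORS[name]):4d} decades  "
              f"share {float(before[name]):.4f} -> {float(after[name]):.4f}")
```

Two things the numbers show that the slides only assert. First, under a multiplicative law every index step on L or P is worth a full decade, so a three-step rise in the chance of being caught costs a vector a factor of 1,000 regardless of how attractive its target is. Second, the probability mass does not disappear when one vector is punished: the share that leaves PC malware lands on spam, the next-best reward-to-risk ratio, which is the “crime is fluid” point in quantitative form.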
Key Takeaways
This is a measurable, Human behavior
We need to stop thinking in two dangerous ways:
– The sky is not falling (no FUD)
– There is no panacea
We need to think this way
– Systematically and analytically
– Understand the system and behaviors
• Gains: going after returns
• Losses: costs and risks
This is a market like any other, and it can be studied like any other
Next steps:
– Advance the Law of Malware probability with data
– Look to expand beyond Malware and even beyond “online” only
– Study the “flow” of “investment” in different vectors by the criminals
– Work together to responsibly drive the risk and cost of attack up across the board
Victory here is not the end of malware, which won’t happen.
Victory here is to drive the cost to break uniformly higher and therefore to flatten, and eventually reduce, online crime