The Economics of Cybercrime and the “Law of Malware Probability” Sam Curry April, 2009


Official presentation: RSA's Sam Curry and Amrit Williams explore the behavior of online criminals, and introduce a model for further behavioral study. See more from Sam at http://blogs.rsa.com/author/curry


Page 1: The Economics of Cybercrime and the Law of Malware Probability

The Economics of Cybercrime and the “Law of Malware Probability”

Sam Curry

April, 2009

Page 2: The Economics of Cybercrime and the Law of Malware Probability


The Cybercrime Dilemma

We are dealing with intelligent opponents

The main way to describe media and market attention is FUD

A “War on Cybercrime” doesn’t make sense

A study of the behavior of online criminals does make sense

The purpose of this presentation is to start that dialog and provide a model for the community to use

As with fighting any intelligent opponent, the goal must be…

– To analyze

– To act

– To achieve measurable reductions in fraud

• Make it expensive to do in systematic ways

• Coordinate better and improve defenses

– To adapt

– To repeat the above

Victory is not found in destroying the opponent; it is found in reducing him (or her).

Page 3: The Economics of Cybercrime and the Law of Malware Probability

“from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities the threat to our infrastructure, the threat to our intelligence, the threat to our computer network is the most critical threat we face.”

Shawn Henry, Assistant Director of the FBI Cyber Division

FUD

Page 4: The Economics of Cybercrime and the Law of Malware Probability

“Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs”

Valerie McNiven, who advises the US Treasury on cybercrime

Cybercrime economy is massive!

FUD

Page 5: The Economics of Cybercrime and the Law of Malware Probability


Fear and Loathing in Davos

Comments from the Cybersecurity panel at the Davos World Economic Forum:

– Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.

– “2008 was the year when cyber warfare began. It showed that you can bring down a country within minutes,” one panelist said.

Page 6: The Economics of Cybercrime and the Law of Malware Probability

There is an underground economy

Asset | Going-rate
Pay-out for each unique adware installation | 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version | $1,000 – $2,000
Malware package with add-on services | Varying prices starting at $20
Exploit kit rental – 1 hour | $0.99 to $1
Exploit kit rental – 2.5 hours | $1.60 to $2
Exploit kit rental – 5 hours | $4, may vary
Undetected copy of a certain information-stealing Trojan | $80, may vary
Distributed Denial of Service attack | $100 per day
10,000 compromised PCs | $1,000
Stolen bank account credentials | Varying prices starting at $50
1 million freshly-harvested emails (unverified) | $8 up, depending on quality

Sample data from research on the underground digital economy in 2007

Page 7: The Economics of Cybercrime and the Law of Malware Probability

Malware variants ARE increasing dramatically

[Chart: number of malware variants by year. 1988: 1,738; 1998: 177,615; 2008: 2,753,587]

* Source: Trend Micro Malware Research Center

Page 8: The Economics of Cybercrime and the Law of Malware Probability

Changing Threat Environment

[Diagram: threat types plotted by Attack Motivation and Damage]

Attack Motivation: Hobby-based malware; Cyber vandalism; Financially motivated cyber crime

Damage: Minor Annoyance; Service/resource Disruption; Significant impact on business bottom line

Threats shown: Worms, Viruses, Botnets, Rootkits, DoS/DDoS, Spyware, Targeted malware, Hybrid Worms, Web-application attacks, Spam, Phishing, Financial Backdoor Trojans, Coordinated attacks

Pre-incident, policy-driven security measures

• Implement: Vulnerability and Configuration policies

• Audit: against defined policies

• Eliminate: administrative, user, system, application exposures

Reactive, ad-hoc security measures

• External Shielding

• Rapid Patching

• Signature Updates

Page 9: The Economics of Cybercrime and the Law of Malware Probability

Port-o-potty use over time

• You can measure human ‘port-o-potty’ behavior

• Most reasonable people are disgusted by port-o-potties

• However, when desperate for relief their level of disgust predictably decreases

• The speed at which disgust decreases and desperation increases is amplified by alcohol

[Chart labels: Disgust, Desperation, Alcohol, Won’t use, Can’t refuse, Predictable cross-over point]

Page 10: The Economics of Cybercrime and the Law of Malware Probability

The Law of Malware Probability

[Charts: Probability against Total Reward; Probability against Total Risk]

Therefore

\[ \text{Probability} \propto \frac{\text{Total Reward}}{\text{Total Risk}} \]

Or…

\[ P_V \propto \frac{A_V}{D_V \cdot R_V} \]

• When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply Game Theory

• You can determine to some level of accuracy the relative probability of a set of attack types with respect to one another

• You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment

• You can use this outlook to examine the effects of world events and small changes in “State of the Art” or even the introduction of disruptive technologies

Page 11: The Economics of Cybercrime and the Law of Malware Probability

Target’s Attractiveness

\[ P_V \propto \frac{A_V}{D_V \cdot R_V} \]

• Attractiveness is related to several factors

• Number of victims (unit-less)
  i.e. more victims is more attractive

• Value per victim
  i.e. more money per victim is more attractive

• Rate of infection among victims (this can be measured with a cash analog or as a weighting factor such as “0.3” for a low rate or “1.0” for a high rate)
  i.e. Cash is King – getting to the victim means getting to the cash faster

• Maturity of cash out mechanism is an important factor – related to the criminal “network’s” sophistication

Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.)

\[ A_V \propto \#_V \cdot V_V \cdot R_V \]

[Charts: Attractiveness against # of victims; Attractiveness against $ of victims; Attractiveness against Rate of infection]

Page 12: The Economics of Cybercrime and the Law of Malware Probability

Difficulty (raw cost) of a Vector

\[ P_V \propto \frac{A_V}{D_V \cdot R_V} \]

• Difficulty is related to several factors

• Scarcity of Skillset
  i.e. Finding and hiring specialists is expensive – that’s bad!

• Time to execute matters – that costs
  i.e. Cash is King! Fast exploits to build mean $$$

• Cost to “host” or execute (e.g. hardware)
  i.e. A legacy infrastructure or exploiting others’ resources is good!

• Over time cost always comes down!

• Breakthrough technologies, improvements in infrastructure (especially in the developing world), regional or global advances in programming, increases in a population’s skill sets make a big difference, bringing down cost…

Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.)

\[ D_V \propto S_V \cdot T_V \cdot H_V \]

[Charts: Difficulty and Probability against Skill Cost; against Time Cost; against Host Cost]

Page 13: The Economics of Cybercrime and the Law of Malware Probability

“Risk” to the Attacker

\[ P_V \propto \frac{A_V}{D_V \cdot R_V} \]

• Risk is related to several factors

• Penalty
  i.e. Severe penalties drive down the chance of any vector being used (compare physical robbery with online for instance)

• Chance of being caught
  i.e. If penalties have a chance of being enforced, they are more effective

• This is where careful collaboration and international efforts can bear fruit

• Crime is fluid and will move to the “best reward for least risk” – meaning no measure will “solve” the attack problem…it will merely move it elsewhere

Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.) – this also has interesting implications on a geographic basis, especially with cost (q.v.)

\[ R_V \propto P_V \cdot \%C_V \]

[Charts: Risk and Probability against Penalty; against Chance of being Caught]

Page 14: The Economics of Cybercrime and the Law of Malware Probability

Example Values for Variables

Factor | Value V ($US) | Number N | Interconnection I (number of nodes directly reachable) | Difficulty D (# of people who know how to do it) | Expense E ($US) | Time T (time to hack) | Likelihood L (chance of getting caught) | Penalty P (fine and/or jail)
0 | 0 | 0 | 0 | 0 | 0 | 0 | 0% | 0
1 | 1 | 1 | 1 | 10,000,000+ | 1 | 1 hour | 0.01% | $1
2 | 10 | 10 | 10 | 1,000,000 | 10 | 1 day | 0.1% | $100
3 | 100 | 100 | 100 | 500,000 | 100 | 1 week | 1% | $1000
4 | 1000 | 1000 | 1000 | 250,000 | 1000 | 1 month | 5% | $10,000
5 | 10 * 10^4 | 10 * 10^4 | 10 * 10^4 | 100,000 | 10 * 10^4 | 3 months | 10% | $100,000
6 | 10 * 10^5 | 10 * 10^5 | 10 * 10^5 | 25,000 | 10 * 10^5 | 6 months | 20% | $10,000 + 1 year
7 | 10 * 10^6 | 10 * 10^6 | 10 * 10^6 | 2,500 | 10 * 10^6 | 1 year | 35% | $100,000 + 1 year
8 | 10 * 10^7 | 10 * 10^7 | 10 * 10^7 | 250 | 10 * 10^7 | 18 months | 50% | $1,000,000
9 | 10 * 10^8 | 10 * 10^8 | 10 * 10^8 | 25 | 10 * 10^8 | 2 years | 75% | More than 1 year
10 | 10 * 10^9 | 10 * 10^9 | 10 * 10^9 | 1 | 10 * 10^9 | 3 years | 100% | More than 1,000,000 and 1 year

Page 15: The Economics of Cybercrime and the Law of Malware Probability

Example of a Comparison

Cyber Crime Types \ Formula Factors | V | N | I | D | E | T | L | P | ρ
Wireless Malware | 3 | 6 | 4 | 6 | 5 | 6 | 2 | 5 | 0.42
PC Malware (Low) | 5 | 7 | 5 | 3 | 4 | 4 | 2 | 5 | 1.59
Spam | 1 | 7 | 1 | 1 | 3 | 3 | 1 | 5 | 0.20
Phishing | 5 | 7 | 5 | 6 | 5 | 6 | 1 | 5 | 2.06
Mail Fraud | 2 | 7 | 1 | 1 | 3 | 3 | 7 | 8 | 0.04
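
The ρ column above can be recomputed from the eight scores. The following Python code is an added example, not part of the original presentation: the combining rule ρ = (V·N·I) / ((D+E+T)·(L·P)) is an assumption inferred from the table (it matches all five printed ρ values to two decimals), and the names Vector, rho, ranking and reduction are hypothetical. It also shows how much ρ falls when a defender raises one risk or cost score by a step.

```python
# Added example: scores copied from the "Example of a Comparison" slide.
# The combining rule is inferred from that table, not stated on the slides.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Vector:
    name: str
    V: int  # value ($US score)
    N: int  # number of victims
    I: int  # interconnection (nodes directly reachable)
    D: int  # difficulty (fewer people know how = higher score)
    E: int  # expense
    T: int  # time to hack
    L: int  # likelihood of getting caught
    P: int  # penalty

def rho(v: Vector) -> float:
    """Relative probability of a vector: attractiveness / (difficulty * risk)."""
    attractiveness = v.V * v.N * v.I
    difficulty = v.D + v.E + v.T  # a sum (assumption): this reproduces the slide
    risk = v.L * v.P
    return attractiveness / (difficulty * risk)

SLIDE_ROWS = [  # (scores from the slide, rho printed on the slide)
    (Vector("Wireless Malware", 3, 6, 4, 6, 5, 6, 2, 5), 0.42),
    (Vector("PC Malware (Low)", 5, 7, 5, 3, 4, 4, 2, 5), 1.59),
    (Vector("Spam",             1, 7, 1, 1, 3, 3, 1, 5), 0.20),
    (Vector("Phishing",         5, 7, 5, 6, 5, 6, 1, 5), 2.06),
    (Vector("Mail Fraud",       2, 7, 1, 1, 3, 3, 7, 8), 0.04),
]

def ranking(vectors):
    """Names ordered from most to least likely under the model."""
    return [v.name for v in sorted(vectors, key=rho, reverse=True)]

def reduction(v: Vector, **raised) -> float:
    """Factor by which rho falls when defenders raise the given scores."""
    return rho(v) / rho(replace(v, **raised))

if __name__ == "__main__":
    for v, printed in SLIDE_ROWS:
        print(f"{v.name:18} rho={rho(v):.2f} (slide: {printed:.2f})")
    phishing = SLIDE_ROWS[3][0]
    # One step up in chance of getting caught halves rho; one step up in
    # expense only moves the difficulty sum from 17 to 18.
    print(reduction(phishing, L=2), reduction(phishing, E=6))
```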

Page 16: The Economics of Cybercrime and the Law of Malware Probability


Key Takeaways

This is a measurable human behavior

We need to stop thinking in two dangerous ways:

– The sky is not falling (no FUD)

– There is no panacea

We need to think this way

– Systematically and analytically

– Understand the system and behaviors

• Gains: going after returns

• Losses: costs and risks

This is a market like any other, and it can be studied like any other

Next steps:

– Advance the Law of Malware Probability with data

– Look to expand beyond Malware and even beyond “online” only

– Study the “flow” of “investment” in different vectors by the criminals

– Work together to responsibly drive the risk and cost of attack up across the board

Victory here is not the end of malware, which won’t happen.

Victory here is to drive the cost to break uniformly higher and therefore to flatten and eventually reduce online crime.

Page 17: The Economics of Cybercrime and the Law of Malware Probability


Thank you!

Sam Curry