attackereconomics

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
attackereconomics [2017/10/24 14:53] – [Exploit trading] lallodi → attackereconomics [2021/01/10 21:04] (current) – external edit 127.0.0.1
  * How are these markets operating, what makes them sustainable from an economic perspective, and which mechanisms drive technological innovation in traded products?
  * How does the risk profile of an exploit change once the exploit is traded in a market? Can we pinpoint economic and technical characteristics that affect the risk of attacks at scale driven by that exploit?
==== Market selection and infiltration ====
  
Criteria for market evaluation. It is important to first evaluate whether the selected market is a credible candidate for analysis, or is yet another example of many ‘scam-for-scammers’ underground forums. We performed an analysis of the markets’ economic mechanisms (e.g. addressing information asymmetry, adverse selection, and moral hazard), traded goods, and participation, reported in [[http://www.win.tue.nl/~lallodi/allodi-tetcs-15.pdf|(Allodi et al. TETCS 2016)]]. A summary of selection criteria is reported below:
The boxplots report reputation levels in the failed market (left) and working market (right) by user group. User groups map levels of membership in the market and are ordered in the plots by increasing trustworthiness as explicitly specified in the market regulations. It is immediately apparent that the reputation mechanism in the failed market failed to provide a sound signalling mechanism for trustworthy users, as //banned// users have on average a higher reputation than //normal// users. The mapping between user trust and reputation level is clearly more meaningful in the working market (plot on the right), for which the reputation mechanism appears to be at least coherent in identifying reputable market players.
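As an added illustration (not code from this page or its authors), the coherence check behind the boxplots can be made mechanical: compute the median reputation of each user group and verify that it is non-decreasing along the trust ordering the market regulations declare. The two markets and their reputation scores below are constructed sample data, with the failed market reproducing the banned-above-normal inversion described above.

```python
from statistics import median

# Constructed sample data (not real market data): reputation scores per user group.
# Groups are listed in increasing trustworthiness, as a market's regulations would specify.
TRUST_ORDER = ["banned", "normal", "verified", "vendor"]

FAILED_MARKET = {
    "banned":   [12, 30, 45, 60, 18],   # banned users outscore normal users
    "normal":   [2, 5, 9, 11, 4],
    "verified": [20, 35, 40, 28],
    "vendor":   [50, 70, 65],
}

WORKING_MARKET = {
    "banned":   [-5, 0, 1, -2],
    "normal":   [3, 8, 6, 10],
    "verified": [25, 30, 22, 40],
    "vendor":   [60, 80, 75],
}


def group_medians(market, order=TRUST_ORDER):
    """Median reputation per user group, listed in the market's trust ordering."""
    return [(g, median(market[g])) for g in order if g in market]


def reputation_inversions(market, order=TRUST_ORDER):
    """Adjacent group pairs where the less trusted group has the higher median.

    An empty list means reputation is at least coherent with the declared trust
    ordering; any inversion (e.g. banned > normal) means the mechanism does not
    signal trustworthy users, which weakens the market as a candidate for analysis.
    """
    meds = group_medians(market, order)
    return [(lo, hi) for (lo, m_lo), (hi, m_hi) in zip(meds, meds[1:]) if m_lo > m_hi]


def reputation_is_coherent(market, order=TRUST_ORDER):
    return not reputation_inversions(market, order)


if __name__ == "__main__":
    for name, market in (("failed", FAILED_MARKET), ("working", WORKING_MARKET)):
        print(name, group_medians(market), "inversions:", reputation_inversions(market))
```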
  
==== Exploit trading ====
  
In the paper [[https://arxiv.org/abs/1708.04866|Economic Factors of Vulnerability Trade and Exploitation]] we provide the first insights into the economy of exploit production and adoption at scale. Through infiltration of a prominent Russian cybercrime market (RuMarket), we provide figures on exploit appearance and pricing, portfolio updates, and relation with odds of exploitation in the wild.

Further, we find a clear relation between market dynamics and exploitation at scale.
  
{{ :imgs:economics:inthewild.png?nolink&420 |}}
  
The figure above reports exploit package cost (left) and market activity (right) against presence of exploit at scale. Even by just looking at the descriptive statistics in the boxplot it is apparent that higher prices hinder odds of exploit adoption, and that the opposite is true for market activity. A more formal analysis of these aspects is provided in the [[https://arxiv.org/abs/1708.04866|paper]].

===== Attacker models =====
  
The observation of the economic background of the attacker calls for new models of attacker decisions. A critical aspect of this is exploit introduction, i.e. when will an attacker decide to update their portfolio and introduce a new attack //at scale//.

{{ :imgs:economics:wine.png?nolink&450 |}}

The figure above reports the rate at which already-attacked users receive attacks targeting the same vulnerability (red line) or a different vulnerability (black dotted line). The data comes from the [[https://www.symantec.com/about/corporate-profile/technology/university-research|WINE platform]] at Symantec. The trend is measured in days; as shown in the figure, it takes approximately 2 years for an exploit to be substituted //at large// in the wild by a different exploit. This points in the same direction as data collected in the [[http://security1.win.tue.nl/beta/dokuwiki/doku.php?id=attackereconomics#exploit_trading|underground markets]], and suggests that attackers are "lazy" or, in economic terms, //work averse// in that they see additional exploitation work as an overhead in the attack process: as long as an exploit works against a significant fraction of users in the wild, attackers are unlikely to update their portfolio.

The paper "[[https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2862299|The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures]]" formally defines this attacker model by employing Stokey's Logic of Inaction, whereby an economic actor will decide to //do nothing// until a certain condition is reached.

===== References =====

  * Luca Allodi. Underground Economics for Vulnerability Risk. Usenix ;login: (2018), Vol 43, no. 1. [[https://www.usenix.org/publications/login/spring2018/allodi|Link to publisher]] {{ :papers:allodi_login_2017.pdf |Preprint}}
  * Jukka Ruohonen, Luca Allodi. A bug bounty perspective on the disclosure of web vulnerabilities. Presented at WEIS 2018, Innsbruck, AT. To appear.
  * Luca Allodi, Marco Cremonini, Fabio Massacci, Woohyun Shim. The effect of security education and expertise on security assessments: the case of software vulnerabilities. Presented at WEIS 2018, Innsbruck, AT. To appear.
  * Luca Allodi. Economic Factors of Vulnerability Trade and Exploitation: empirical evidence from a prominent Russian cybercrime market. To appear in ACM CCS 2017. [[https://arxiv.org/abs/1708.04866|arXiv]]
  * Luca Allodi, Fabio Massacci, Julian Williams. The Work-Averse Cyber Attacker Model. Evidence from two million attack signatures. Published in WEIS 2017. [[https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2862299|SSRN]]
  * Luca Allodi, Fabio Massacci. Attack potential in Impact and Complexity. To appear in ARES 2017. [[https://dl.acm.org/citation.cfm?id=3098965|ACM library]]
  * Luca Allodi, Marco Corradin, Fabio Massacci. Then and Now: On The Maturity of the Cybercrime Markets. The lesson black-hat marketeers learned. IEEE Transactions on Emerging Topics in Computing, 4(1):35–46, Jan 2016. [[http://www.win.tue.nl/~lallodi/allodi-tetcs-15.pdf|PDF]]
  * Luca Allodi. The Heavy Tails of Vulnerability Exploitation. In the Proceedings of ESSoS 2015. [[http://www.win.tue.nl/~lallodi/allodi-essos-15.pdf|PDF]]
  * Luca Allodi. Attacker economics for Internet-scale vulnerability risk assessment (Extended Abstract). Research proposal, in Proceedings of Usenix LEET 2013. [[http://www.win.tue.nl/~lallodi/leet-13.pdf|PDF]]
  * Luca Allodi, Vadim Kotov, Fabio Massacci. MalwareLab: Experimentation with Cybercrime Attack Tools. In Proceedings of Usenix CSET 2013. [[http://www.win.tue.nl/~lallodi/cset-13.pdf|PDF]]
  * Luca Allodi, Woohyun Shim, Fabio Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. Proceedings of IEEE S&P 2013 International Workshop on Cyber Crime. [[http://www.win.tue.nl/~lallodi/allodi-13-iwcc.pdf|PDF]]
  * Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Proceedings of IEEE/ASE 2012 Cyber Security Conference. [[http://www.win.tue.nl/~lallodi/shim-12-cybersecurity.pdf|PDF]]
attackereconomics.1508849608.txt.gz · Last modified: 2021/01/10 20:59 (external edit)