The Economics of Cybercrime and the Law of Malware Probability
Sam Curry, Amrit Williams

Jun 08, 2015

RSA's Sam Curry and Amrit Williams explore the behavior of online criminals, and introduce a model for further behavioral study.

See more from Sam at http://blogs.rsa.com/author/curry

Transcript
Page 1: More on: The Economics of Cybercrime and the Law of Malware Probability

The Economics of Cybercrime and the Law of Malware Probability

Sam Curry

Amrit Williams

Page 2

The Cybercrime Dilemma

• We are dealing with intelligent opponents
• The main way to describe media and market attention is FUD
• A “War on Cybercrime” doesn’t make sense
• A study of the behavior of online criminals does make sense
• The purpose of this presentation is to start that dialog and provide a model for the community to use
• As with fighting any intelligent opponent, the goal must be…
  – To analyze
  – To act
  – To achieve measurable reductions in fraud
    • Make it expensive to do in systematic ways
    • Coordinate better and improve defenses
  – To adapt
  – To repeat the above
• Victory is not found in destroying the opponent, it is found in reducing him (or her).

Page 3

“from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities the threat to our infrastructure, the threat to our intelligence, the threat to our computer network is the most critical threat we face.”
Shawn Henry, Assistant Director of the FBI Cyber Division

FUD

Page 4

“Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs”
Valerie McNiven, who advises the US Treasury on cybercrime

Cybercrime economy is massive!

FUD

Page 5

Fear and Loathing in Davos

Comments from the Cybersecurity panel at the Davos World Economic Forum:

– Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.

– “2008 was the year when cyber warfare began. It showed that you can bring down a country within minutes,” one panelist said.

Page 6

There is an underground economy

Asset | Going rate
Pay-out for each unique adware installation | 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version | $1,000 – $2,000
Malware package with add-on services | Varying prices starting at $20
Exploit kit rental – 1 hour | $0.99 to $1
Exploit kit rental – 2.5 hours | $1.60 to $2
Exploit kit rental – 5 hours | $4, may vary
Undetected copy of a certain information-stealing Trojan | $80, may vary
Distributed Denial of Service attack | $100 per day
10,000 compromised PCs | $1,000
Stolen bank account credentials | Varying prices starting at $50
1 million freshly-harvested emails (unverified) | $8 up, depending on quality

Sample data from research on the underground digital economy in 2007

Page 7

Malware variants are increasing dramatically

2008: 2,753,587 unique malware samples*
1998: 177,615 unique malware samples
1988: 1,738 unique malware samples

Page 8

Typical Web Threat Mid-2008

Page 9

Dissecting the Attack

Page 10

How Does it Work?

Here is what happens when users visit the compromised Web site (the slide separates the steps into those VISIBLE TO THE USER and those NOT VISIBLE TO THE USER):

1. User visits the legitimate Honda site.
2. Because of the malicious script, the browser loads the getanewmazda site.
3. The getanewmazda site contains a script to look for and exploit vulnerabilities on the system to download CRYPT.EXE.
4. The downloaded file accesses viruspolice.com.
5. If no vulnerabilities are found, the browser is redirected to google.com.
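The chain above leaves a recognizable footprint in web-proxy logs: a page on the legitimate site, a cross-site load whose Referer is that page, an executable fetched from the second site a second or two later, and then a call-out to a third host. The following is an added example (not code from the deck or from RSA) that reconstructs that footprint from proxy log lines. The log format, the ".example" hostnames and the log lines themselves are constructed for this example; real deployments would adapt `parse_line` to their proxy's format.

```python
"""Reconstruct a drive-by download chain from web-proxy log lines.

Added example; it is not code from the RSA deck. It models the chain the
slide describes: a visit to a legitimate page, a cross-site load triggered
by an injected script, an executable pulled from that second site, and a
call-out to a third host. The log format, the hostnames (".example") and
the log lines are constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: time client method url referer content-type
SAMPLE_LOG = """\
10:00:01 10.1.1.5 GET http://honda.example/index.html - text/html
10:00:02 10.1.1.5 GET http://getanewmazda.example/in.php http://honda.example/index.html text/html
10:00:03 10.1.1.5 GET http://getanewmazda.example/crypt.exe http://getanewmazda.example/in.php application/octet-stream
10:00:05 10.1.1.5 GET http://viruspolice.example/gate.php - text/plain
10:05:00 10.1.1.9 GET http://honda.example/index.html - text/html
10:05:01 10.1.1.9 GET http://honda.example/static/app.js http://honda.example/index.html application/javascript
"""

EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_line(line):
    """Split one log line into a dict; '-' means no Referer was sent."""
    ts, client, _method, url, referer, ctype = line.split()
    hours, minutes, seconds = (int(x) for x in ts.split(":"))
    return {
        "t": hours * 3600 + minutes * 60 + seconds,
        "client": client,
        "url": url,
        "host": urlparse(url).hostname,
        "ref_host": None if referer == "-" else urlparse(referer).hostname,
        "ctype": ctype,
    }


def is_executable(req):
    """Executable by declared content type or by a .exe path."""
    return req["ctype"] in EXECUTABLE_TYPES or urlparse(req["url"]).path.lower().endswith(".exe")


def find_driveby_chains(log_text, max_gap=10, callout_window=60):
    """Return one finding per client whose traffic matches the chain.

    Heuristic: a request to host X whose Referer is on a different host Y
    (the injected script pulling in the exploit site), followed within
    max_gap seconds by an executable fetched from X, is flagged. Hosts
    contacted within callout_window seconds after that download, other
    than X and Y, are recorded as candidate call-outs (the payload
    phoning home).
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            req = parse_line(line)
            by_client[req["client"]].append(req)

    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["t"])
        for i, hop in enumerate(reqs):
            if hop["ref_host"] is None or hop["ref_host"] == hop["host"]:
                continue  # direct navigation or same-site load: not the redirect we want
            for j in range(i + 1, len(reqs)):
                payload = reqs[j]
                if payload["t"] - hop["t"] > max_gap:
                    break
                if payload["host"] == hop["host"] and is_executable(payload):
                    callouts = sorted({
                        r["host"] for r in reqs[j + 1:]
                        if r["t"] - payload["t"] <= callout_window
                        and r["host"] not in (hop["host"], hop["ref_host"])
                    })
                    findings.append({
                        "client": client,
                        "landing_host": hop["ref_host"],
                        "exploit_host": hop["host"],
                        "payload_url": payload["url"],
                        "callouts": callouts,
                    })
                    break
    return findings


if __name__ == "__main__":
    for finding in find_driveby_chains(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, client 10.1.1.5 is flagged with honda.example as the landing site, getanewmazda.example as the exploit site and viruspolice.example as the call-out; client 10.1.1.9, which only loads a script from the same site it is visiting, is not. The Referer check is the weak point in practice: an injected iframe may set no Referer at all, so a production version would also key on content-type mismatches (an executable served as text/html) and on newly seen domains.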

Page 11

Changing Threat Environment

[Figure: threat types plotted against attack motivation (x axis: Hobby-based malware, Cyber vandalism, Financially motivated cyber crime) and damage (y axis: Minor annoyance, Service/resource disruption, Significant impact on business bottom line). Threats shown on the chart: Worms, Viruses, Botnets, Rootkits, DoS/DDoS, Spyware, Targeted malware, Hybrid worms, Web-application attacks, Spam, Phishing, Financial backdoor Trojans, Coordinated attacks.]

Pre-incident, policy-driven security measures
• Implement: vulnerability and configuration policies
• Audit: against defined policies
• Eliminate: administrative, user, system, application exposures

Reactive, ad-hoc security measures
• External shielding
• Rapid patching
• Signature updates

Page 12

The Law of Malware Probability

$P \propto \text{Total Reward}$

$P \propto \dfrac{1}{\text{Total Risk}}$

Therefore

$P \propto \dfrac{\text{Total Reward}}{\text{Total Risk}}$

Or…

$P_V \propto \dfrac{A_V}{D_V \cdot R_V}$

(for an attack vector $V$: $P_V$ is its probability, $A_V$ the attractiveness of the target, $D_V$ the difficulty or raw cost of the vector, and $R_V$ the risk to the attacker; each is expanded on the following slides)

• When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply Game Theory
• You can determine to some level of accuracy the relative probability of a set of attack types with respect to one another
• You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment
• You can use this outlook to examine the effects of world events and small changes in “State of the Art” or even the introduction of disruptive technologies

Page 13

Target’s Attractiveness

$P_V \propto \dfrac{A_V}{D_V \cdot R_V}$

• Attractiveness is related to several factors
  – Number of victims (unit-less), i.e. more victims is more attractive
  – Value per victim, i.e. more money per victim is more attractive
  – Rate of infection among victims (this can be measured with a cash analog or as a weighting factor such as “0.3” for a low rate or “1.0” for a high rate), i.e. Cash is King: getting to the victim means getting to the cash faster
  – Maturity of the cash-out mechanism is an important factor, related to the sophistication of the criminal “networks”

Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.); this also has interesting implications on a geographic basis, especially with cost (q.v.)

$A_V \propto \#V \cdot V_V \cdot R_V$

More victims (#V) → higher attractiveness
More $ per victim ($V_V$) → higher attractiveness
Higher rate of infection ($R_V$) → higher attractiveness

Page 14

Difficulty (raw cost) of a Vector

$P_V \propto \dfrac{A_V}{D_V \cdot R_V}$

• Difficulty is related to several factors
  – Scarcity of skillset, i.e. finding and hiring specialists is expensive; that’s bad!
  – Time to execute matters; that costs, i.e. Cash is King! Fast exploits to build mean $$$
  – Cost to “host” or execute (e.g. hardware), i.e. a legacy infrastructure or exploiting others’ resources is good!
• Over time cost always comes down!
• Breakthrough technologies, improvements in infrastructure (especially in the developing world), regional or global advances in programming, and increases in a population’s skill sets make a big difference, bringing down cost…

Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.); this also has interesting implications on a geographic basis, especially with cost (q.v.)

$D_V \propto S_V \cdot T_V \cdot H_V$

Higher skill cost ($S_V$) → higher difficulty → lower probability
Higher time cost ($T_V$) → higher difficulty → lower probability
Higher host cost ($H_V$) → higher difficulty → lower probability

Page 15

“Risk” to the Attacker

$P_V \propto \dfrac{A_V}{D_V \cdot R_V}$

• Risk to the attacker is related to several factors
  – Penalty, i.e. severe penalties drive down the chance of any vector being used (compare physical robbery with online, for instance)
  – Chance of being caught, i.e. if penalties have a chance of being enforced, they are more effective
• This is where careful collaboration and international efforts can bear fruit
• Crime is fluid and will move to the “best reward for least risk”, meaning no measure will “solve” the attack problem… it will merely move it elsewhere

Note: for mathematical simplicity, everything should be measured in a currency (e.g. $ € £ ¥ etc.); this also has interesting implications on a geographic basis, especially with cost (q.v.)

$R_V \propto P_V \cdot \%C_V$ (here $P_V$ denotes the penalty, not the probability of the vector used on the previous slides)

Higher penalty ($P_V$) → higher risk → lower probability
Higher chance of being caught ($\%C_V$) → higher risk → lower probability

Page 16

Example Values for Variables

Level | Value V ($US) | Number N | Interconnection I (number of nodes directly reachable) | Difficulty D (# of people who know how to do it) | Expense E ($US) | Time T (time to hack) | Likelihood L (chance of getting caught) | Penalty P (fine and/or jail)
0 | 0 | 0 | 0 | 0 | 0 | 0 | 0% | 0
1 | 1 | 1 | 1 | 10,000,000+ | 1 | 1 hour | 0.01% | $1
2 | 10 | 10 | 10 | 1,000,000 | 10 | 1 day | 0.1% | $100
3 | 100 | 100 | 100 | 500,000 | 100 | 1 week | 1% | $1,000
4 | 1,000 | 1,000 | 1,000 | 250,000 | 1,000 | 1 month | 5% | $10,000
5 | 10^5 | 10^5 | 10^5 | 100,000 | 10^5 | 3 months | 10% | $100,000
6 | 10^6 | 10^6 | 10^6 | 25,000 | 10^6 | 6 months | 20% | $10,000 + 1 year
7 | 10^7 | 10^7 | 10^7 | 2,500 | 10^7 | 1 year | 35% | $100,000 + 1 year
8 | 10^8 | 10^8 | 10^8 | 250 | 10^8 | 18 months | 50% | $1,000,000
9 | 10^9 | 10^9 | 10^9 | 25 | 10^9 | 2 years | 75% | More than 1 year
10 | 10^10 | 10^10 | 10^10 | 1 | 10^10 | 3 years | 100% | More than $1,000,000 and 1 year

(Note that the scale is not uniform: levels 1 to 4 step by a factor of 10 from 1 to 1,000, and level 5 then jumps to 10^5. Difficulty D runs the other way from the other columns: a higher level means fewer people know how to carry out the attack.)


Page 17

Example of a Comparison

Cybercrime type | V | N | I | D | E | T | L | P | ρ
Wireless Malware | 3 | 6 | 4 | 6 | 5 | 6 | 2 | 5 | 0.42
PC Malware (Low) | 5 | 7 | 5 | 3 | 4 | 4 | 2 | 5 | 1.59
Spam | 1 | 7 | 1 | 1 | 3 | 3 | 1 | 5 | 0.20
Phishing | 5 | 7 | 5 | 6 | 5 | 6 | 1 | 5 | 2.06
Mail Fraud | 2 | 7 | 1 | 1 | 3 | 3 | 7 | 8 | 0.04

(Factor levels are taken from the scale on the previous slide; ρ is the resulting relative probability score.)
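The deck gives the proportionality $P_V \propto A_V / (D_V \cdot R_V)$, the level scale, and five scored vectors with their ρ values, but never writes out the arithmetic that turns the eight levels into ρ. The following added example (not code from the deck or from RSA) makes the comparison reproducible. The formula it uses is an assumption inferred from the five published rows: ρ = V·N·I / ((D+E+T)·L·P), which reproduces every published value to two decimals (note that the deck's text writes difficulty as a product, $D_V \propto S_V \cdot T_V \cdot H_V$, but the printed numbers only come out with the sum D+E+T). It also adds a what-if helper for the "stronger controls" point on the Law of Malware Probability slide: move one factor by a level and see how ρ shifts.

```python
"""Scoring attack vectors with the Law of Malware Probability.

Added example; not code from the RSA deck. The formula is an assumption
inferred from the five scored rows on the "Example of a Comparison" slide:

    rho = V * N * I / ((D + E + T) * L * P)

It reproduces every published rho to two decimals. The deck's text writes
difficulty as a product (D_V ∝ S_V·T_V·H_V); the published numbers only
come out with the sum D + E + T, so that is what is used here.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vector:
    """One attack vector scored on the deck's 0-10 levels."""
    name: str
    V: int  # value per victim
    N: int  # number of victims
    I: int  # interconnection (nodes directly reachable)
    D: int  # difficulty: higher level = fewer people who know how
    E: int  # expense
    T: int  # time to hack
    L: int  # likelihood of getting caught
    P: int  # penalty

    def attractiveness(self):
        return self.V * self.N * self.I

    def difficulty(self):
        return self.D + self.E + self.T

    def risk(self):
        return self.L * self.P

    def rho(self):
        denom = self.difficulty() * self.risk()
        if denom == 0:
            # level 0 means "no cost" or "no risk": the model has no finite answer
            raise ValueError(f"{self.name}: a denominator factor is at level 0")
        return self.attractiveness() / denom


# The five rows of the comparison slide and the rho values printed there
DECK_ROWS = [
    Vector("Wireless Malware", 3, 6, 4, 6, 5, 6, 2, 5),
    Vector("PC Malware (Low)", 5, 7, 5, 3, 4, 4, 2, 5),
    Vector("Spam", 1, 7, 1, 1, 3, 3, 1, 5),
    Vector("Phishing", 5, 7, 5, 6, 5, 6, 1, 5),
    Vector("Mail Fraud", 2, 7, 1, 1, 3, 3, 7, 8),
]
DECK_RHO = {"Wireless Malware": 0.42, "PC Malware (Low)": 1.59, "Spam": 0.20,
            "Phishing": 2.06, "Mail Fraud": 0.04}


def matches_deck(rows=DECK_ROWS, published=DECK_RHO):
    """True if the inferred formula reproduces every published rho (2 d.p.)."""
    return all(round(v.rho(), 2) == published[v.name] for v in rows)


def rank(rows):
    """Vectors ordered from most to least probable under the model."""
    return sorted(rows, key=lambda v: v.rho(), reverse=True)


def control_effect(vector, factor, delta=1):
    """What-if for a defensive change: move one factor by `delta` levels.

    Returns (rho_before, rho_after, after / before). Raising L (chance of
    being caught) or P (penalty) models the "risk to the attacker" slide;
    raising D, E or T models making the vector costlier to execute.
    """
    before = vector.rho()
    after = replace(vector, **{factor: getattr(vector, factor) + delta}).rho()
    return before, after, after / before


if __name__ == "__main__":
    for v in rank(DECK_ROWS):
        print(f"{v.name:18s} rho={v.rho():.2f}")
    print("phishing, L +1 level:", control_effect(DECK_ROWS[3], "L"))
```

Two things the numbers show that the slide alone does not. First, the model is multiplicative in risk: raising the chance of being caught for phishing by a single level (1 to 2) halves its ρ, whereas raising its difficulty by a level only moves ρ by 17/18, because D, E and T add before they divide. Second, because ρ is only a proportionality, the absolute values mean nothing; the ranking (Phishing, PC malware, Wireless malware, Spam, Mail fraud) and the ratios between vectors are the usable output, which is exactly what the deck's "relative probability" wording claims.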

Page 18

Key Takeaways

• This is a measurable, human behavior
• We need to stop thinking in two dangerous ways:
  – The sky is not falling (no FUD)
  – There is no panacea
• We need to think this way:
  – Systematically and analytically
  – Understand the system and behaviors
    • Gains: going after returns
    • Losses: costs and risks
• This is a market like any other, and it can be studied like any other
• Next steps:
  – Advance the Law of Malware Probability with data
  – Look to expand beyond malware and even beyond “online” only
  – Study the “flow” of “investment” in different vectors by the criminals
  – Work together to responsibly drive the risk and cost of attack up across the board
• Victory here is not the end of malware, which won’t happen.
• Victory here is to drive the cost to break uniformly higher and therefore to flatten and eventually reduce online crime