3,648 research outputs found
Economic Factors of Vulnerability Trade and Exploitation
Cybercrime markets support the development and diffusion of new attack
technologies, vulnerability exploits, and malware. Whereas the revenue streams
of cyber attackers have been studied multiple times in the literature, no
quantitative account currently exists on the economics of attack acquisition
and deployment. Yet, this understanding is critical to characterize the
production of (traded) exploits, the economy that drives it, and its effects on
the overall attack scenario. In this paper we provide an empirical
investigation of the economics of vulnerability exploitation, and the effects
of market factors on likelihood of exploit. Our data is collected
first-handedly from a prominent Russian cybercrime market where the trading of
the most active attack tools reported by the security industry happens. Our
findings reveal that exploits in the underground are priced similarly or above
vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle
of exploits is slower than currently often assumed. On the other hand,
cybercriminals are becoming faster at introducing selected vulnerabilities, and
the market is in clear expansion both in terms of players, traded exploits, and
exploit pricing. We then evaluate the effects of these market variables on
likelihood of attack realization, and find strong evidence of the correlation
between market activity and exploit deployment. We discuss implications on
vulnerability metrics, economics, and exploit measurement.Comment: 17 pages, 11 figures, 14 table
Towards Realistic Threat Modeling: Attack Commodification, Irrelevant Vulnerabilities, and Unrealistic Assumptions
Current threat models typically consider all possible ways an attacker can
penetrate a system and assign probabilities to each path according to some
metric (e.g. time-to-compromise). In this paper we discuss how this view
hinders the realness of both technical (e.g. attack graphs) and strategic (e.g.
game theory) approaches of current threat modeling, and propose to steer away
by looking more carefully at attack characteristics and attacker environment.
We use a toy threat model for ICS attacks to show how a realistic view of
attack instances can emerge from a simple analysis of attack phases and
attacker limitations.Comment: Proceedings of the 2017 Workshop on Automated Decision Making for
Active Cyber Defens
Adversarial behaviours knowledge area
The technological advancements witnessed by our society in recent decades have brought
improvements in our quality of life, but they have also created a number of opportunities for
attackers to cause harm. Before the Internet revolution, most crime and malicious activity
generally required a victim and a perpetrator to come into physical contact, and this limited
the reach that malicious parties had. Technology has removed the need for physical contact
to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attackerâs motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.Published versio
Cybercrime Pervasiveness, Consequences, and Sustainable Counter Strategies
As our connectivity and dependency on technology increases, so does our vulnerability.
Technology has provided not only new tools, but also new opportunities
for criminals in the digital world. The abuse of new technologies has been threatening
economic and Jinancial security and actually devastating the lives of affected indivicluals. In Nigeria, cybercrime has recorded mostly foregin-based individuals
and organizations as victims thereby getting Nigeria ranked among
the nations with notorious pemasiveness of high-tech crimes. Indeed, adequately
formulating a strategy to contain the menace of cybercrime presents aformidable
challenge to law enforcement. This paper x-rays noted instances of cybercrime
pervasiveness, its devastating consequences, and up-to-date countermeasures in
Nigeria It develops an enforceable/sustainable framework to determine how critical
infrastructures are put at risk snd how law enforcement should react in responding
to the threats
The Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime.
Despite the recent push towards security by design, most softwares and hardwares on the market still include numerous vulnerabilities, i.e. flaws or weaknesses whose discovery and exploitation by criminal hackers compromise the security of the networked and information systems, affecting millions of users, as acknowledged by the 2016 UK Government in its Cybersecurity Strategy.
Conversely, when security researchers find and timely disclose vulnerabilities to vendors who supply the IT products or who provide a service dependent on the IT products, they increase the opportunities for vendors to remove the vulnerabilities and close the security gap. They thus significantly contribute to the fight against cybercrime and, more widely, to the management of the digital security risk.
However, in 2015, the European Network and Information Security Agency concluded that the threat of prosecution under EU and US computer misuse legislations âcan have a chilling effectâ, with security researchers âdiscentivise[d]â to find vulnerabilities.
Taking stock of these significant, but substantially understudied, criminal law challenges that these security researchers face in the UK when working independently, without the vendorsâ prior authorisation, this paper proposes a new defence to the offences under the Computer Misuse Act, an innovative solution to be built in light of both the scientific literature on vulnerability research and the exemption proposals envisaged prior to the Computer Misuse Act 1990. This paper argues that a defence would allow security researchers, if prosecuted, to demonstrate that contrary to criminal hackers, they acted in the public interest and proportionally
CIVIIC: Cybercrime in Virginia: Impacts on Industry and Citizens Final Report
[First paragraph] Victimization from cybercrime is a major concern in Virginia, the US, and the world. As individuals and businesses spend more time online, it becomes increasingly important to understand cybercrime and how to protect against it. Such an understanding is dependent on valid and reliable baseline data that identifies the specific nature, extent, and outcomes of cybercrime activity. A better understanding of cybercrime activity is needed to target and prevent it more effectively, minimize its consequences, and provide support for both individual and corporate victims. Before that can occur, however, better baseline data are required, and this project was designed to provide those data for the Commonwealth of Virginia. The purpose of this study was to describe the experiences of Virginia residents and businesses around cybercrime, identify the specific vulnerabilities that are exploited, and discover the consequences of victimization
Harnessing Large Language Models to Simulate Realistic Human Responses to Social Engineering Attacks: A Case Study
The research publication, âGenerative Agents: Interactive Simulacra of Human Behavior,â by Stanford and Google in 2023 established that large language models (LLMs) such as GPT-4 can generate interactive agents with credible and emergent human-like behaviors. However, their application in simulating human responses in cybersecurity scenarios, particularly in social engineering attacks, remains unexplored. In addressing that gap, this study explores the potential of LLMs, specifically the Open AI GPT-4 model, to simulate a broad spectrum of human responses to social engineering attacks that exploit human social behaviors, framing our primary research question: How does the simulated behavior of human targets, based on the Big Five personality traits, responds to social engineering attacks? . This study aims to provide valuable insights for organizations and researchers striving to systematically analyze human behavior and identify prevalent human qualities, as defined by the Big Five personality traits, that are susceptible to social engineering attacks, specifically phishing emails. Also, it intends to offer recommendations for the cybersecurity industry and policymakers on mitigating these risks. The findings indicate that LLMs can provide realistic simulations of human responses to social engineering attacks, highlighting certain personality traits as more susceptible
Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges. Report of a CEPS Task Force. CEPS Task Force Reports 28 June 2018
This report puts forward the analysis and recommendations for the design and implementation of a forward-looking policy on software vulnerability disclosure (SVD) in Europe. It is the result of extensive deliberations among the members of a Task Force formed by CEPS in September 2017, including industry experts, representatives of EU and international institutions, academics, civil society organisations and practitioners.
Drawing on current best practices throughout Europe, the US and Japan, the Task Force explored ways to formulate practical guidelines for governments and businesses to harmonise the process of handling SVD throughout Europe. These discussions led to policy recommendations addressed to member states and the EU institutions for the development of an effective policy framework for introducing coordinated vulnerability disclosure (CVD) and government disclosure decision processes (GDDP) in Europe
- âŠ