26 research outputs found
Economic Factors of Vulnerability Trade and Exploitation
Cybercrime markets support the development and diffusion of new attack
technologies, vulnerability exploits, and malware. Whereas the revenue streams
of cyber attackers have been studied multiple times in the literature, no
quantitative account currently exists on the economics of attack acquisition
and deployment. Yet, this understanding is critical to characterize the
production of (traded) exploits, the economy that drives it, and its effects on
the overall attack scenario. In this paper we provide an empirical
investigation of the economics of vulnerability exploitation, and the effects
of market factors on likelihood of exploit. Our data is collected
first-handedly from a prominent Russian cybercrime market where the trading of
the most active attack tools reported by the security industry happens. Our
findings reveal that exploits in the underground are priced similarly or above
vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle
of exploits is slower than currently often assumed. On the other hand,
cybercriminals are becoming faster at introducing selected vulnerabilities, and
the market is in clear expansion both in terms of players, traded exploits, and
exploit pricing. We then evaluate the effects of these market variables on
likelihood of attack realization, and find strong evidence of the correlation
between market activity and exploit deployment. We discuss implications on
vulnerability metrics, economics, and exploit measurement.Comment: 17 pages, 11 figures, 14 table
Towards Realistic Threat Modeling: Attack Commodification, Irrelevant Vulnerabilities, and Unrealistic Assumptions
Current threat models typically consider all possible ways an attacker can
penetrate a system and assign probabilities to each path according to some
metric (e.g. time-to-compromise). In this paper we discuss how this view
hinders the realness of both technical (e.g. attack graphs) and strategic (e.g.
game theory) approaches of current threat modeling, and propose to steer away
by looking more carefully at attack characteristics and attacker environment.
We use a toy threat model for ICS attacks to show how a realistic view of
attack instances can emerge from a simple analysis of attack phases and
attacker limitations.Comment: Proceedings of the 2017 Workshop on Automated Decision Making for
Active Cyber Defens
Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure
In the computer science field coordinated vulnerability disclosure is a well-known practice for finding flaws in IT-systems and patching them. In this practice, a white-hat hacker who finds a vulnerability in an IT-system reports that vulnerability to the system’s owner. The owner will then resolve the problem, after which the vulnerability will be disclosed publicly. This practice generally does not focus on potential offenders or black-hat hackers who would likely exploit the vulnerability instead of reporting it. In this paper, we take an interdisciplinary approach and review the current coordinated vulnerability disclosure practice from both a computer science and criminological perspective. We discuss current issues in this practice that could influence the decision to use coordinated vulnerability disclosure versus exploiting a vulnerability. Based on different motives, a rational choice or cost–benefit analyses of the possible reactions after finding a vulnerability will be discussed. Subsequently, implications for practice and future research suggestions are included
Is the Road to Hell Paved with Good Intentions? A Criminological and Criminal Law Analysis of Prospective Regulation for Ethical Hacking in Italy and the EU
The article aims to contribute to the current research on regulatory frameworks and best practices for ethical hacking, from the perspective of criminology and criminal law, providing insights into the Italian legal system that may also inform EU-wide regulations in this domain. The research employs a multidisciplinary approach by: (i) conducting a historical and criminological analysis of the contemporary “renaissance” of ethical hacking, which includes analyzing the rules of engagement in BBPs and the key factors influencing hackers’ choices between responsible disclosure and malicious exploitation of vulnerabilities; (ii) addressing the prevailing uncertainty about the legal qualification of ethical hacking, by assessing the criminal regime that might still be applicable to “well-intentioned” computer intrusions in Italy; (iii) providing a comparative perspective on EU legal systems that have decriminalized or otherwise incentivized ethical hacking practices as pivotal tools for enhancing a holistic notion of cybersecurity
Characterizing eve: Analysing cybercrime actors in a large underground forum
Underground forums contain many thousands of active users, but the vast majority will be involved, at most, in minor levels of deviance. The number who engage in serious criminal activity is small. That being said, underground forums have played a significant role in several recent high-profile cybercrime activities. In this work we apply data science approaches to understand criminal pathways and characterize key actors related to illegal activity in one of the largest and longest- running underground forums. We combine the results of a logistic regression model with k-means clustering and social network analysis, verifying the findings using topic analysis. We identify variables relating to forum activity that predict the likelihood a user will become an actor of interest to law enforcement, and would therefore benefit the most from intervention. This work provides the first step towards identifying ways to deter the involvement of young people away from a career in cybercrime.Alan Turing Institut
A Bug Bounty Perspective on the Disclosure of Web Vulnerabilities
Bug bounties have become increasingly popular in recent years. This paper
discusses bug bounties by framing these theoretically against so-called
platform economy. Empirically the interest is on the disclosure of web
vulnerabilities through the Open Bug Bounty (OBB) platform between 2015 and
late 2017. According to the empirical results based on a dataset covering
nearly 160 thousand web vulnerabilities, (i) OBB has been successful as a
community-based platform for the dissemination of web vulnerabilities. The
platform has also attracted many productive hackers, (ii) but there exists a
large productivity gap, which likely relates to (iii) a knowledge gap and the
use of automated tools for web vulnerability discovery. While the platform (iv)
has been exceptionally fast to evaluate new vulnerability submissions, (v) the
patching times of the web vulnerabilities disseminated have been long. With
these empirical results and the accompanying theoretical discussion, the paper
contributes to the small but rapidly growing amount of research on bug
bounties. In addition, the paper makes a practical contribution by discussing
the business models behind bug bounties from the viewpoints of platforms,
ecosystems, and vulnerability markets.Comment: 17th Annual Workshop on the Economics of Information Security,
Innsbruck, https://weis2018.econinfosec.org
A methodology for large-scale identification of related accounts in underground forums
Underground forums allow users to interact with communities focused on illicit activities. They serve as an entry point for actors interested in deviant and criminal topics. Due to the pseudo-anonymity provided, they have become improvised marketplaces for trading illegal products and services, including those used to conduct cyberattacks. Thus, these forums are an important data source for threat intelligence analysts and law enforcement. The use of multiple accounts is forbidden in most forums since these are mostly used for malicious purposes. Still, this is a common practice. Being able to identify an actor or gang behind multiple accounts allows for proper attribution in online investigations, and also to design intervention mechanisms for illegal activities. Existing solutions for multi-account detection either require ground truth data to conduct supervised classification or use manual approaches. In this work, we propose a methodology for the large-scale identification of related accounts in underground forums. These accounts are similar according to the distinctive content posted, and thus are likely to belong to the same actor or group. The methodology applies to various domains and leverages distinctive artefacts and personal information left online by the users. We provide experimental results on a large dataset comprising more than 1.1M user accounts from 15 different forums. We show how this methodology, combined with existing approaches commonly used in social media forensics, can assist with and improve online investigations.This work was partially supported by CERN openlab, the CERN Doctoral Student Programme, the Spanish grants ODIO (PID2019-111429RB-C21 and PID2019-111429RB) and the Region of Madrid grant CYNAMON-CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER, and Excellence Program EPUC3M1