24,627 research outputs found

    Economic Factors of Vulnerability Trade and Exploitation

    Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists on the economics of attack acquisition and deployment. Yet, this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on likelihood of exploit. Our data is collected first-handedly from a prominent Russian cybercrime market where the trading of the most active attack tools reported by the security industry happens. Our findings reveal that exploits in the underground are priced similarly or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion both in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on likelihood of attack realization, and find strong evidence of the correlation between market activity and exploit deployment. We discuss implications on vulnerability metrics, economics, and exploit measurement. Comment: 17 pages, 11 figures, 14 tables

    Essays in Applied and Computational Game Theory

    University of Minnesota Ph.D. dissertation. June 2019. Major: Economics. Advisor: Jan Werner. 1 computer file (PDF); viii, 123 pages. This dissertation considers computational and applied aspects of cooperative and non-cooperative game theory. The first chapter discusses a novel applied game theory approach within the field of vulnerability disclosure policy. I introduce a three-player game between software vendors, software users, and a hacker in which software vendors attempt to protect software users by releasing updates, i.e. disclosing a vulnerability, and the hacker is attempting to exploit vulnerabilities in the software package to attack the software users. The software users must determine whether the protection offered by the update outweighs the cost of installing the update. Following the model set up, I describe why low-type software users, software users that do not get much value out of the software and are thus not very damaged by an attack, prefer Non-Disclosure, and Disclosure can only be an optimal policy in cases when the cost to the hacker of searching for a zero-day vulnerability is small. Many economic problems are inherently non-linear, so in the second chapter we introduce the MGBA, the Modular Groebner Basis Approach, which is a solution technique from Algebraic Geometry that can be used to "triangularize" polynomial systems. The MGBA is a computational tool that overcomes the typical computational problems of intermediate coefficient swell and solving for lucky primes that can limit the ability to compute Groebner bases. The Groebner basis is an all-solution computational technique that can be applied to many fields in economics. This chapter focuses on applying the MGBA to Bertrand games with multiple equilibria and a manifold approach to solving dynamic programming problems.
Advances in computational power and techniques have greatly benefited both economic theory, in allowing economists to solve more realistic models, and data analysis, such as machine learning. However, the field of cooperative game theory has fallen behind. Therefore, in the final chapter, I introduce the compression value, a computationally efficient approximation technique for the non-transferable utility (NTU) Shapley value. This algorithm gives a reasonable approximation of the NTU Shapley value if the initial guess of Pareto weights is near the actual solution

    Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data

    Each year, thousands of software vulnerabilities are discovered and reported to the public. Unpatched known vulnerabilities are a significant security risk. It is imperative that software vendors quickly provide patches once vulnerabilities are known and users quickly install those patches as soon as they are available. However, most vulnerabilities are never actually exploited. Since writing, testing, and installing software patches can involve considerable resources, it would be desirable to prioritize the remediation of vulnerabilities that are likely to be exploited. Several published research studies have reported moderate success in applying machine learning techniques to the task of predicting whether a vulnerability will be exploited. These approaches typically use features derived from vulnerability databases (such as the summary text describing the vulnerability) or social media posts that mention the vulnerability by name. However, these prior studies share multiple methodological shortcomings that inflate predictive power of these approaches. We replicate key portions of the prior work, compare their approaches, and show how selection of training and test data critically affect the estimated performance of predictive models. The results of this study point to important methodological considerations that should be taken into account so that results reflect real-world utility

    Time-series cross-sectional environmental performance and disclosure relationship: specific evidence from a less-developed country

    This paper relies on ‘vulnerability and exploitability’ framework to submit new insights into legitimacy theory and voluntary disclosure theory using specific empirical evidence from the Nigerian oil and gas industry. The study connects the voluntary and legitimizing disclosure behaviors, regarding carbon emission due to gas flaring, of dominant companies in the Nigerian upstream petroleum sector to the vulnerability and exploitability of Nigeria as a less developed country. The hypothesized relations between gas flaring-related environmental performance and two forms of its disclosure (volume and substance) are estimated and tested using Prais-Winsten regression with Panel Corrected Standard Errors (PCSE). While the paper uses Data Envelopment Analysis (DEA) to measure gas flaring-related carbon performance, the two forms of gas flaring-related disclosures are measured using content analysis. We document significant positive and negative association between gas flaring-related carbon emission performance, on one hand, and the volumetric disclosure and disclosure substance on the other hand. These results imply that while the positive relation confirms the vulnerable nature of Nigeria as a less developed country, the negative relation is linked to the country’s exploitability. It is also empirically established that environmental performance is one of the key factors responsible for the undulating trend in the volume of environmental disclosures by large corporations operating in less-developed countries

    Multi-Layer Cyber-Physical Security and Resilience for Smart Grid

    The smart grid is a large-scale complex system that integrates communication technologies with the physical layer operation of the energy systems. Security and resilience mechanisms by design are important to provide guarantee operations for the system. This chapter provides a layered perspective of the smart grid security and discusses game and decision theory as a tool to model the interactions among system components and the interaction between attackers and the system. We discuss game-theoretic applications and challenges in the design of cross-layer robust and resilient controller, secure network routing protocol at the data communication and networking layers, and the challenges of the information security at the management layer of the grid. The chapter will discuss the future directions of using game-theoretic tools in addressing multi-layer security issues in the smart grid. Comment: 16 pages

    Security Risk Management - Approaches and Methodology

    In today’s economic context, organizations are looking for ways to improve their business, to keep ahead of the competition and grow revenue. To stay competitive and consolidate their position on the market, the companies must use all the information they have and process their information for better support of their missions. For this reason managers have to take into consideration risks that can affect the organization and they have to minimize their impact on the organization. Risk management helps managers to better control the business practices and improve the business process. Risk Management, Security, Methodology