2011.04 how to isotope tag a ghost
DESCRIPTION
Instrumenting and measuring indirect threats: lessons from economics applied to the underground.
TRANSCRIPT
How to Isotope-Tag a Ghost
Allison Miller
Thursday, April 28, 2011
we don't talk about what we see; we see only what we can talk about
Donella Meadows Thinking in Systems: A Primer
threat trees (diagram: node probabilities p(x)p(y) and p(z))
Start
Escalation
Impact
Breach
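As an added example (not from the slides), a small roll-up of node probabilities through a threat tree on the Start, Escalation, Impact, Breach chain: AND nodes multiply the probabilities of their steps, OR nodes combine alternative paths, and the tree shape and leaf probabilities below are assumed values chosen for illustration.

```python
"""Threat-tree likelihood roll-up (added example; constructed values)."""
from dataclasses import dataclass, field
from typing import List, Union

@dataclass
class Leaf:
    name: str
    p: float  # assumed probability that this step succeeds

@dataclass
class Node:
    name: str
    op: str  # "AND": every child must succeed; "OR": any one child suffices
    children: List[Union["Node", Leaf]] = field(default_factory=list)

def probability(n: Union[Node, Leaf]) -> float:
    """Roll probabilities up the tree, treating steps as independent."""
    if isinstance(n, Leaf):
        return n.p
    ps = [probability(c) for c in n.children]
    if n.op == "AND":
        prod = 1.0
        for p in ps:
            prod *= p
        return prod
    if n.op == "OR":
        none_succeed = 1.0  # P(no alternative path succeeds)
        for p in ps:
            none_succeed *= 1.0 - p
        return 1.0 - none_succeed
    raise ValueError(f"unknown op {n.op!r}")

def breach_tree(n_escalation_paths: int, p_escalation: float = 0.3) -> Node:
    """Start -> Escalation -> Impact -> Breach, where Escalation is an OR over
    several alternative paths (hypothetical tree, assumed probabilities)."""
    escalation = Node("Escalation", "OR",
                      [Leaf(f"escalate-{i}", p_escalation)
                       for i in range(n_escalation_paths)])
    return Node("Breach", "AND", [Leaf("Start", 0.5), escalation, Leaf("Impact", 0.8)])

if __name__ == "__main__":
    # More alternative escalation paths raise the overall breach likelihood.
    for k in (1, 2, 4):
        print(k, "escalation path(s) ->", round(probability(breach_tree(k)), 5))
```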
The Jungle-Gym Effect
The Porous Attack Surface
Enter the Ghosts
an example:
Fraud
Haunted by an old problem
How do we measure things we can’t observe directly?
Like what?
Fraud/Crime
Movement of cash
Underground economy
Direct methods
Samples/Surveys
Intrusive observation
Passive observation
Indirect methods
Gap accounting
Impact indicators
Qualitative modeling
Crime
NCVS is the Nation's primary source of information on criminal victimization.
Sample of 76,000 households & ~135,300 persons
Frequency, characteristics and consequences (crimes in the US)
The survey enables BJS to estimate the likelihood of victimization via categories of violent & property crimes for the population as a whole
Population segments: gender, age, ethnicity, geography
http://bjs.ojp.usdoj.gov/index.cfm?ty=dcdetail&iid=245
Figure 2. Property crime rates overall fell by 32% from 1999 to 2008 (chart: total property crime, burglary, theft and motor vehicle theft, 1999 to 2008)
Financial Crimes Report to the Public: 2009 | 2008 | 2007 | 2006 | 2005
Financial Institution Fraud and Failure Reports: 2006-2007 | 2005 | 2004 | 2003 (pdf) | 2002 (pdf) | 2000-2001 (pdf)
Insurance Fraud: Program Overview and Consumer Information
Mass Marketing Fraud: A Threat Assessment, June 2010
Mass Marketing Fraud: Awareness and Prevention Tips
Mortgage Fraud Reports: 2009 | 2008 | 2007 | 2006
National Money Laundering Strategy (pdf)
Securities Fraud: Awareness and Prevention Tips
http://www.fbi.gov/stats-services/publications
2010 Internet Crime Report
www.ic3.gov
Partnership between NW3C/BJA and the FBI
Cybercrime against Businesses, 2005
7,818 businesses in 2005
Data on:
Monetary loss and system downtime
Types of offenders, types of systems affected, vulnerabilities, whether incidents were reported to LE
Highlights:
3,247 businesses incurred loss totaling $867M
Majority of attacks went unreported to LE
http://bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=769
Cash
Cash movement
Velocity of money: V = Nominal GDP / Money Supply
http://research.stlouisfed.org/fred2/categories/32242
Where’s George?
http://www.wheresgeorge.com/
Shadow
Method                        Approach
Direct methods                Surveys
                              Audits
Indirect methods
  Via national accounting     Gap between production & expenditure
  Via national accounting     Gap between official & actual labor
  Via national accounting     Gap between official & actual income
  Monetary statistics         Velocity of M1 (cash/currency)
  Monetary statistics         Velocity of major bills
  Monetary statistics         Transactions approach
  Monetary statistics         Currency demand
  Physical input consumption  Electricity consumption
  Soft modeling               Cause/effect (DYMIMIC)
Source: The Shadow Economy: An International Study. Cambridge Press. Schneider & Enste (2002)
Changes over time (chart: size of shadow economy as a % of official GNP, cash approach, for Belgium, Sweden, Ireland, France, Netherlands, Germany, GB and USA in 1970, 1980, 1994, 1995, 1996 and 1997)
Data Source: Schneider & Enste (1998)
Comparing results (chart: size of the shadow economy as % of official GNP for Belgium, Sweden, Ireland, France, Netherlands, Germany, GB and USA; series: cash approach (Johnson 1990/93), cash approach (Schneider 1989/90), cash approach (Schneider 1990/93), electricity consumption (1989/90))
Data Source: Schneider & Enste (1998)
Method                   Example
Direct methods
  Samples/Surveys        Crime surveys
  Intrusive observation  Tax audits
  Passive observation    Bill tracking
Indirect methods
  Gap accounting         Income vs expenditure
  System statistics      Velocity of money
  Impact indicators      Energy consumption
  Qualitative modeling   DYMIMIC
Spam & Phishing
Botnets
Virus & Malware
Spam & Phishing / Botnets / Virus & Malware
Transactional
High-volume
Feedback loop
Centralized collection
Widely distributed
Spam & Phishing
Email ISPs & spam detection
Content segmentation
Metrics on origin, target, intermediaries
Cyclicality, event correlation
Spam & Phishing
Majority of email is “bad” (~90% in Q1 2010)
Malware taking share from spam
Crafted attacks as well as blitzes
Most campaigns are short (<24 hours)
Virus & Malware
AV vendors
Software, devices, environments targeted
Mechanism of infection
Payload/impact
Virus & Malware
Custom malware
Social networks: infection mechanism & targets
Drive-bys
Mobile & POS devices
Botnets
ISPs, independent researchers
Mechanisms of communication, control
Profiling & tracking (network, victims, targets)
Feature analysis
Performance (attack metrics)
Botnets
Packet, flow, log (app, A/V, spam) analysis:
  Machine learning algorithms for IRC-based C&C botnet traffic (Strayer et al)
  Clustering analysis for P2P botnet detection (Zeidanloo et al)
DNS analysis & monitoring: changes in DNS traffic patterns (volume, errors)
Sinkholing (domain name takeovers)
IRC & P2P infiltration
Honeypots
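As an added example (not from the slides), one way to operationalize the "changes in DNS traffic patterns (volume, errors)" signal listed above: bucket resolver log lines into fixed time windows and flag windows whose NXDOMAIN share jumps well above the rest, with a minimum query count so a single failed lookup cannot trip the check. The log format, client addresses, names and thresholds are constructed for illustration.

```python
"""Window-based NXDOMAIN rate check on resolver logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed resolver log: timestamp, client, queried name, response code.
SAMPLE_LOG = """\
2011-04-28T10:00:01 client=10.0.0.5 qname=example.com rcode=NOERROR
2011-04-28T10:00:07 client=10.0.0.9 qname=mail.example.com rcode=NOERROR
2011-04-28T10:00:31 client=10.0.0.5 qname=www.example.org rcode=NOERROR
2011-04-28T10:00:45 client=10.0.0.7 qname=cdn.example.net rcode=NXDOMAIN
2011-04-28T10:01:02 client=10.0.0.9 qname=example.com rcode=NOERROR
2011-04-28T10:01:15 client=10.0.0.9 qname=example.org rcode=NOERROR
2011-04-28T10:01:18 client=10.0.0.3 qname=example.net rcode=NOERROR
2011-04-28T10:02:03 client=10.0.0.11 qname=xk3q9a.example.com rcode=NXDOMAIN
2011-04-28T10:02:04 client=10.0.0.11 qname=p0vb2t.example.com rcode=NXDOMAIN
2011-04-28T10:02:05 client=10.0.0.11 qname=mm7zz1.example.com rcode=NXDOMAIN
2011-04-28T10:02:06 client=10.0.0.11 qname=example.com rcode=NOERROR
2011-04-28T10:02:08 client=10.0.0.11 qname=q8d41s.example.com rcode=NXDOMAIN
"""

def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Return (timestamp as UTC, client, rcode) for one constructed log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), kv["client"], kv["rcode"]

def window_stats(log: str, window_s: int = 60) -> Dict[str, Tuple[int, int]]:
    """Count (total queries, NXDOMAIN answers) per fixed window, keyed by window start."""
    counts = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        ts, _client, rcode = parse_line(line)
        bucket = int(ts.timestamp()) // window_s * window_s
        counts[bucket][0] += 1
        if rcode == "NXDOMAIN":
            counts[bucket][1] += 1
    label = lambda b: datetime.fromtimestamp(b, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {label(b): (v[0], v[1]) for b, v in sorted(counts.items())}

def flag_windows(stats: Dict[str, Tuple[int, int]],
                 ratio: float = 0.5, min_queries: int = 4) -> List[str]:
    """Windows whose NXDOMAIN share exceeds `ratio`, ignoring low-volume windows."""
    return [w for w, (total, nx) in stats.items()
            if total >= min_queries and nx / total > ratio]

if __name__ == "__main__":
    stats = window_stats(SAMPLE_LOG)
    for w, (total, nx) in stats.items():
        print(w, total, nx, "FLAG" if w in flag_windows(stats) else "")
```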
useful.
Google Postini Services Spam Trend & Analysis (July 2010, >3B email connections/day)
McAfee Quarterly Threats Report, (>20M new malware samples in 2010)
Symantec State of Spam & Phishing, 300M email addresses
Trustwave Global Security Report 2011 (15 billion emails from 2006-10, 220 breach investigations)
ENISA: Botnets: Measurement, Detection, Disinfection and Defence
Method                   Example
Direct methods
  Samples/Surveys        Spam & Phishing, Virus & Malware
  Intrusive observation  Sinkholing, audits
  Passive observation    Honeypots, flow analysis
Indirect methods
  Gap accounting         “Cuckoo’s Egg”
  System statistics
  Impact indicators      Breach investigations
  Qualitative modeling
More opportunities for data aggregation
System accounting
Test simple metrics, data sets in experimental models
For existing data-sets: Opportunities to move from transactional to flow-based
Questions?
Allison Miller
@selenakyle