2011.04 how to isotope tag a ghost

Post on 04-Jul-2015

DESCRIPTION

Instrumenting and measuring indirect threats: lessons from economics applied to the underground.

TRANSCRIPT

How to Isotope-Tag a Ghost

Allison Miller

Thursday, April 28, 2011

"we don't talk about what we see; we see only what we can talk about"

Donella Meadows, Thinking in Systems: A Primer

threat trees

p(x)p(y)

p(z)

Start

Escalation

Impact

Breach

The Jungle-Gym Effect

The Porous Attack Surface
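The threat-tree slides above label branches with probabilities (p(x), p(y), p(z)) and walk an attacker from Start through Escalation and Breach to Impact; the jungle-gym and porous-attack-surface slides make the point that every extra route into the same stage raises the odds of reaching it. As an added example, not the speaker's code, the Python below evaluates such a tree under the usual independence assumption: AND nodes multiply their children (the p(x)p(y)p(z) on the slide), OR nodes combine alternatives, and add_rung shows the jungle-gym effect numerically. The tree shape, the stage names and every probability are constructed for illustration.

```python
"""Threat-tree evaluation. Added example, not the speaker's code: the tree,
the stage names and every probability below are constructed."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional


@dataclass
class Node:
    """A node of the tree. Leaves hold the probability that one step
    succeeds; an "and" node needs every child, an "or" node needs any one."""
    name: str
    kind: str = "leaf"            # "leaf", "and" or "or"
    p: Optional[float] = None     # leaves only
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> float:
    """Probability that the goal at `node` is reached, treating the steps as
    independent events: AND = p(x)*p(y)*p(z), OR = 1 - prod(1 - p_i)."""
    if node.kind == "leaf":
        if node.p is None or not 0.0 <= node.p <= 1.0:
            raise ValueError(f"leaf {node.name!r} needs a probability in [0, 1]")
        return node.p
    if not node.children:
        raise ValueError(f"{node.kind} node {node.name!r} has no children")
    child_ps = [evaluate(c) for c in node.children]
    if node.kind == "and":
        reached = 1.0
        for p in child_ps:
            reached *= p
        return reached
    if node.kind == "or":
        missed = 1.0                  # probability that every alternative fails
        for p in child_ps:
            missed *= 1.0 - p
        return 1.0 - missed
    raise ValueError(f"unknown node kind {node.kind!r}")


def walk(node: Node) -> Iterator[Node]:
    """Pre-order traversal of the tree."""
    yield node
    for child in node.children:
        yield from walk(child)


def build_example_tree() -> Node:
    """Start -> Escalation -> Breach -> Impact with two routes into Breach.
    All numbers are constructed for illustration."""
    phish_route = Node("Start via phishing, then Escalation", "and", children=[
        Node("Start: foothold from a phishing mail", p=0.3),
        Node("Escalation: local privilege escalation", p=0.5),
    ])
    exposed_route = Node("Start: exposed service", p=0.2)
    breach = Node("Breach", "or", children=[phish_route, exposed_route])
    monetize = Node("Impact: monetize stolen data", p=0.8)
    return Node("Impact", "and", children=[breach, monetize])


def add_rung(tree: Node, or_node_name: str, new_route: Node) -> float:
    """Jungle-gym effect: attach one more alternative route to an OR node and
    return the goal probability afterwards (it can only go up)."""
    for n in walk(tree):
        if n.name == or_node_name and n.kind == "or":
            n.children.append(new_route)
            break
    else:
        raise KeyError(f"no OR node named {or_node_name!r}")
    return evaluate(tree)


if __name__ == "__main__":
    t = build_example_tree()
    print(f"P(Impact) with two routes into Breach: {evaluate(t):.4f}")  # 0.2560
    third = Node("Start: third route (constructed)", p=0.1)
    print(f"P(Impact) after a third route:         {add_rung(t, 'Breach', third):.4f}")  # 0.3104
```

The numbers make the slide's point concrete: the two original routes give Breach a probability of 1 - 0.85 * 0.8 = 0.32 and Impact 0.256; bolting on one more low-probability rung (0.1) lifts Impact to 0.3104 even though nothing about the existing routes changed. The independence assumption is the usual caveat with attack trees: routes that share a step are correlated, and the OR formula then overstates the combined probability.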

Enter the Ghosts

an example:

Fraud

Haunted by an old problem

How do we measure things we can’t observe directly?

Like what?

Fraud/Crime

Movement of cash

Underground economy

Direct methods

Samples/Surveys

Intrusive observation

Passive observation

Indirect methods

Gap accounting

Impact indicators

Qualitative modeling

Crime

NCVS is the Nation's primary source of information on criminal victimization.

Sample of 76,000 households & ~135,300 persons

Frequency, characteristics and consequences (crimes in the US)

The survey enables BJS to estimate the likelihood of victimization via categories of violent & property crimes for the population as a whole

Population segments: gender, age, ethnicity, geography

http://bjs.ojp.usdoj.gov/index.cfm?ty=dcdetail&iid=245

[Figure 2. Property crime rates overall fell by 32% from 1999 to 2008. Line chart, rate axis 0 to 200, years 1999 to 2008; series: total property crime, burglary, theft, motor vehicle theft.]

Financial Crimes Report to the Public: 2009 | 2008 | 2007 | 2006 | 2005

Financial Institution Fraud and Failure Reports: 2006-2007 | 2005 | 2004 | 2003 (pdf) | 2002 (pdf) | 2000-2001 (pdf)

Insurance Fraud: Program Overview and Consumer Information

Mass Marketing Fraud: A Threat Assessment, June 2010

Mass Marketing Fraud: Awareness and Prevention Tips

Mortgage Fraud Reports: 2009 | 2008 | 2007 | 2006

National Money Laundering Strategy (pdf)

Securities Fraud: Awareness and Prevention Tips

http://www.fbi.gov/stats-services/publications

2010 Internet Crime Report

www.ic3.gov

Partnership between NW3C/BJA and the FBI

Cybercrime against Businesses, 2005

7,818 businesses in 2005

Data on:

Monetary loss and system downtime

Types of offenders, types of systems affected, vulnerabilities, whether incidents were reported to LE

Highlights:

3,247 businesses incurred loss totaling $867M

Majority of attacks went unreported to LE

http://bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=769

Cash

Cash movement

Velocity of money

V = Nominal GDP / Money Supply

http://research.stlouisfed.org/fred2/categories/32242

Where’s George?

http://www.wheresgeorge.com/

Shadow

Method            Approach
Direct methods    Surveys
                  Audits
Indirect methods  Via national accounting: gap between production & expenditure
                  Via national accounting: gap between official & actual labor
                  Via national accounting: gap between official & actual income
                  Monetary statistics: velocity of M1 (cash/currency)
                  Monetary statistics: velocity of major bills
                  Monetary statistics: transactions approach
                  Monetary statistics: currency demand
                  Physical input consumption: electricity consumption
                  Soft modeling: cause/effect (DYMIMIC)

Source: Schneider & Enste (2002), The Shadow Economy: An International Study, Cambridge Press.

Changes over time

[Figure: Size of shadow economy as a % of official GNP (cash approach), axis 0 to 30, for Belgium, Sweden, Ireland, France, Netherlands, Germany, GB, USA; one series per year: 1970, 1980, 1994, 1995, 1996, 1997. Data source: Schneider & Enste (1998)]

Comparing results

[Figure: Size of the shadow economy as % of official GNP, axis 0 to 30, for Belgium, Sweden, Ireland, France, Netherlands, Germany, GB, USA; series: cash approach (Johnson 1990/93), cash approach (Schneider 1989/90), cash approach (Schneider 1990/93), electricity consumption (1989/90). Data source: Schneider & Enste (1998)]

Method                     Example
Direct methods
  Samples/Surveys          Crime surveys
  Intrusive observation    Tax audits
  Passive observation      Bill tracking
Indirect methods
  Gap accounting           Income vs expenditure
  System statistics        Velocity of money
  Impact indicators        Energy consumption
  Qualitative modeling     DYMIMIC

Spam & Phishing

Botnets

Virus & Malware

Spam & Phishing

Botnets

Virus & Malware

Transactional

High-volume

Feedback loop

Centralized collection

Widely distributed

Spam & Phishing

Email ISPs & spam detection

Content segmentation

Metrics on origin, target, intermediaries

Cyclicality, event correlation

Botnets

Virus & Malware

Spam & Phishing

Majority of email is "bad" (~90% in Q1 2010)

Malware taking share from spam

Crafted attacks as well as blitzes

Most campaigns are short (<24 hours)

Botnets

Virus & Malware

AV vendors

Software, devices, environments targeted

Mechanism of infection

Payload/impact

Spam & Phishing

Botnets

Virus & Malware

Custom malware

Social networks: Infection mechanism & targets

Drive-bys

Mobile & POS devices

Spam & Phishing

Botnets

Virus & Malware

ISPs, independent researchers

Mechanisms of communication, control

Profiling & tracking (network, victims, targets)

Feature analysis

Performance (attack metrics)

Spam & Phishing

Botnets

Virus & Malware

Packet, Flow, Log (app, A/V, spam) analysis

Machine learning algorithms for IRC-based C&C botnet traffic (Strayer et al)

Clustering analysis for P2P botnet detection (Zeidanloo et al)

DNS analysis & monitoring

Changes in DNS traffic patterns (volume, errors)

Sinkholing (domain name takeovers)

IRC & P2P infiltration

Honeypots

Spam & Phishing

Botnets

Virus & Malware
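The slide above lists DNS analysis & monitoring, and specifically changes in DNS traffic patterns (volume, errors), among the botnet-measurement approaches; in the talk's taxonomy this is passive observation. As an added example, not the speaker's code and not any vendor's or researcher's tool, the Python below aggregates constructed resolver log lines per client and flags clients that stand out on either indicator: a high share of NXDOMAIN answers, or query volume far above the population median. The log format, the client addresses, the query names and the thresholds are all assumptions made for this example.

```python
"""Passive DNS observation: flag clients whose query volume or NXDOMAIN share
stands out. Added example; the log format, the addresses and the thresholds
are constructed assumptions, not anything from the talk or a vendor."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed resolver log, one query per line; not captured traffic.
SAMPLE_LOG = """\
2011-04-28T10:00:01 client=10.0.0.5 qname=www.example.com rcode=NOERROR
2011-04-28T10:00:02 client=10.0.0.5 qname=mail.example.com rcode=NOERROR
2011-04-28T10:00:04 client=10.0.0.5 qname=cdn.example.com rcode=NOERROR
2011-04-28T10:00:02 client=10.0.0.7 qname=www.example.com rcode=NOERROR
2011-04-28T10:00:05 client=10.0.0.7 qname=wwww.example.com rcode=NXDOMAIN
2011-04-28T10:00:03 client=10.0.0.9 qname=www.example.com rcode=NOERROR
2011-04-28T10:00:03 client=10.0.0.9 qname=kx7d2q.example.net rcode=NXDOMAIN
2011-04-28T10:00:03 client=10.0.0.9 qname=p0a9sd.example.net rcode=NXDOMAIN
2011-04-28T10:00:04 client=10.0.0.9 qname=zz81mq.example.net rcode=NXDOMAIN
2011-04-28T10:00:04 client=10.0.0.9 qname=r4t5yu.example.net rcode=NXDOMAIN
2011-04-28T10:00:05 client=10.0.0.9 qname=lq2w3e.example.net rcode=NXDOMAIN
2011-04-28T10:00:05 client=10.0.0.9 qname=b7n8m9.example.net rcode=NXDOMAIN
2011-04-28T10:00:06 client=10.0.0.9 qname=v0c1x2.example.net rcode=NXDOMAIN
this line is deliberately malformed and must be skipped
2011-04-28T10:00:01 client=10.0.0.11 qname=a.example.org rcode=NOERROR
2011-04-28T10:00:02 client=10.0.0.11 qname=b.example.org rcode=NOERROR
2011-04-28T10:00:03 client=10.0.0.11 qname=c.example.org rcode=NOERROR
2011-04-28T10:00:04 client=10.0.0.11 qname=d.example.org rcode=NOERROR
2011-04-28T10:00:05 client=10.0.0.11 qname=e.example.org rcode=NOERROR
2011-04-28T10:00:06 client=10.0.0.11 qname=f.example.org rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


@dataclass
class ClientStats:
    queries: int = 0
    nxdomain: int = 0

    @property
    def error_rate(self) -> float:
        return self.nxdomain / self.queries if self.queries else 0.0


def parse_log(text: str) -> Dict[str, ClientStats]:
    """Aggregate one line per query into per-client counts; malformed lines
    are skipped rather than aborting the run."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        s = stats[m["client"]]
        s.queries += 1
        if m["rcode"] == "NXDOMAIN":
            s.nxdomain += 1
    return dict(stats)


def flag_clients(stats: Dict[str, ClientStats], min_queries: int = 5,
                 error_rate_threshold: float = 0.5, volume_factor: float = 3.0) -> List[str]:
    """Return clients that trip either indicator named on the slide:
    errors (NXDOMAIN share >= error_rate_threshold) or volume (query count
    >= volume_factor times the population median). Clients below
    min_queries are ignored so a single mistyped hostname is not an alert."""
    if not stats:
        return []
    volumes = sorted(s.queries for s in stats.values())
    median = volumes[len(volumes) // 2]      # upper median for even counts
    flagged = []
    for client, s in sorted(stats.items()):
        if s.queries < min_queries:
            continue
        if s.error_rate >= error_rate_threshold or s.queries >= volume_factor * median:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    st = parse_log(SAMPLE_LOG)
    for client in flag_clients(st):
        s = st[client]
        print(f"{client}: {s.queries} queries, NXDOMAIN share {s.error_rate:.2f}")
```

On the constructed log only 10.0.0.9 is flagged: its NXDOMAIN share is 7/8, while 10.0.0.7's single failed lookup sits below min_queries and 10.0.0.11, the busiest client, has a clean error rate and a volume nowhere near three times the median. Pinning the volume rule to the population median rather than a fixed count keeps the check meaningful as the network grows; the thresholds themselves are the part a practitioner would tune against a baseline of their own traffic.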

useful.

Spam & Phishing

Botnets

Virus & Malware

Google Postini Services Spam Trend & Analysis (July 2010, >3B email connections/day)

McAfee Quarterly Threats Report (>20M new malware samples in 2010)

Symantec State of Spam & Phishing, 300M email addresses

Trustwave Global Security Report 2011 (15 billion emails from 2006-10, 220 breach investigations)

ENISA: Botnets: Measurement, Detection, Disinfection and Defence

Method                     Example
Direct methods
  Samples/Surveys          Spam & Phishing, Virus & Malware
  Intrusive observation    Sinkholing, Audits
  Passive observation      Honeypots, Flow analysis
Indirect methods
  Gap accounting           "Cuckoo's Egg"
  System statistics
  Impact indicators        Breach investigations
  Qualitative modeling

More opportunities for data aggregation

System accounting

Test simple metrics, data sets in experimental models

For existing data-sets: Opportunities to move from transactional to flow-based

Questions?

Allison Miller

@selenakyle
