Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Josh Corman
David Etue
Agenda
Context
Why ROI and ROSI have failed us
Adversary ROI
Categorizing Threat Actors
Application in the Real World
Context
http://commons.wikimedia.org/wiki/File:Fdr_sidefront.jpg
http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
Misplaced Focus
Problems:
Attack surface is approaching infinity (not a real
number)
Risk Mitigated can be both subjective and objective
Lacks accuracy (see @djbphaedrus Accuracy vs.
Precision)
9
Examples of Failures...
12
Adversary ROI
Proposed State?
Threat
Vulnerability
Consequence
What is a Threat?
A Threat is an Actor
with a Capability
and a Motive
Attacker
Adoption
Early Adopters
Early Majority
Late Majority
Laggards
Technology
Solution
Available
Attacker
Adoption
Early Adopters
Declared
Best
Practice
Added to
Compliance
Regulations
Defender
Adoption
Early Majority
Late Majority
Laggards
Attacker Gains
Information Classification
Public
Sensitive
Highly Replicable
Sensitive
Irreplaceable
Adversary ROI =
(
X
Attack Value
of
] - theCost
Attack
Probability
of Success
Deterrence
(% Chance of Getting Caught x Cost of Getting Caught)
Measures
OR
Categorizing
Threat Actors
23
Competitors
Organized
Crime
Script
Kiddies
Terrorists
Hactivists
Insiders
Auditors
Motivations
Financial
Industrial
Military
Ideological
Political
Prestige
Cyber
Infrastructure
Core Business
Processes
Target Assets
Credit Card #s
Web Properties
Intellectual
Property
PII / Identity
Impacts
Reputational
Personal
Confidentiality
Integrity
Availability
Methods
MetaSploit
DoS
Phishing
Rootkit
SQLi
Auth
Exfiltration
Malware
Physical
Competitors
Organized
Crime
Script
Kiddies
Terrorists
Hactivists
Insiders
Auditors
Motivations
Financial
Industrial
Military
Ideological
Political
Prestige
Cyber
Infrastructure
Core Business
Processes
Target Assets
Credit Card #s
Web Properties
Intellectual
Property
PII / Identity
Impacts
Reputational
Personal
Confidentiality
Integrity
Availability
Methods
MetaSploit
DoS
Phishing
Rootkit
SQLi
Auth
Exfiltration
Malware
Physical
Profit, Prestige
CCN/Fungible
Confidentially,
Reputation
MetaSploit, SQLi,
Phishing
26
Organized Crime
Organized Crime
Profit
Fungible, Banking
Confidentially
Malware, Botnets,
Rootkits
27
State/Espionage
Industrial/Military
Confidentially,
Reputation
Intellectual Property Trade
Secrets Infrastructure
Custom Malware,
SpearPhishing, Physical, ++
Ideological and/or
LULZ
Web Properties, Individuals,
Policy
Availability, Confidentiality,
Reputation, Personal
Auditors
Auditor QSA
Profit
Credit Card #s
Distraction, Fines
CheckList
30
Casual
Attacker
Chaotic Actor
Org Crime
State
APT/APA
CCNs
Banking
Fungible $
IP, Trade
Secrets,
National
Security Data
Asset Focus
CCNs
CCNs
Reputation,
Dirty Laundry
DDoS/Availabi
lity
Timeframe
Annual
Anytime
Flash Mobs
Continuous
Long Cons
Target
Stickiness
NA
LOW
HIGH
LOW
HIGH
Probability
100%
MED
HIGH
Impact
Annual $
1 and done
Relentless
Varies
Varies
HDMoores Law:
Casual Attacker
Strength grows at
the rate of
MetaSploit
HDMoores Law
100
90
80
70
Adversary Classes
60
Espionage
Organized Crime
50
APT/APA
Chaotic Actors
Organized
CasualCrime
Attacker
40
Anon/Lulz
Auditor/Assessor
30
Casual
QSA
20
10
x
1
10
11
12
Defender SecureOns
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
80
70
Adversary Classes
60
Espionage
Organized Crime
50
APT/APA
Chaotic Actors
Organized
CasualCrime
Attacker
40
Anon/Lulz
Auditor/Assessor
30
Casual
QSA
20
10
x
1
10
11
12
Defender SecureOns
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
80
70
Adversary Classes
60
Espionage
Organized Crime
50
APT/APA
Chaotic Actors
Organized
CasualCrime
Attacker
40
Anon/Lulz
Auditor/Assessor
30
Casual
QSA
20
10
x
1
10
11
12
Defender SecureOns
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
80
70
Adversary Classes
60
Espionage
Organized Crime
50
APT/APA
Chaotic Actors
Organized
CasualCrime
Attacker
40
Anon/Lulz
Auditor/Assessor
30
Casual
QSA
20
10
x
1
10
11
12
Defender SecureOns
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
90
80
70
Adversary Classes
60
Espionage
Organized Crime
50
APT/APA
Chaotic Actors
Organized
CasualCrime
Attacker
40
Anon/Lulz
Auditor/Assessor
30
Casual
QSA
20
10
x
1
10
11
12
Defender SecureOns
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
80
70
Adversary Classes
60
Espionage
Organized Crime
50
APT/APA
Chaotic Actors
Organized
CasualCrime
Attacker
40
Anon/Lulz
Auditor/Assessor
30
Casual
QSA
20
10
x
1
10
11
12
Defender SecureOns
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
Application in
the Real
World
Was #18 in
overall DBIR
Top Threat Action Types used to steal INTELLECTUAL PROPERTY AND CLASSIFIED INFORMATION by number of
breaches - (excludes breaches only involving payment card data, bank account information, personal information, etc)
Source: Verizon Business Security Blog (post-DBIR), 2011
http://securityblog.verizonbusiness.com/2011/06/23/new-views-into-the-2011-dbir/
(
X
Attack Value
Cost of
the Attack
Increase
adversary Work
Effort
Deterrence
(% Chance of Getting Caught x Cost of Getting Caught)
Measures
Ability to
respond and
recover key
False Flags
http://www.flickr.com/photos/pierre_tourigny/367078204/
VZ DBIR Patching:
Evolving Adversary TTPs
Lets Patch Faster!
2008
22% Patchable
(not 90%)
2009
6 of 90 Patchable
6.66%
2010
ZERO Patchable
[0]
44
SQLi
We spend under $500m
Only 55 of
the 630
possible
events have a
value greater
than 090%
of the threat
space was not
in play at all
Source: 2011 Verizon
Business Data Breach
Investigations Report (DBIR)
Only 22 of
the 315
possible
events have a
value greater
than 093.1%
of the threat
space was not
in play at all
Source: 2012 Verizon
Business Data Breach
Investigations Report (DBIR)
2009
141 incidents
2010
761 incidents
Delta
Intellectual Property
10
41
+ 31
20
+ 19
Sensitive Organizational
13
81
+ 68
ZERO
41
+ 41
System Information
Source: 2010 & 2011 Verizon Business Data Breach Investigations Report (DBIR)
2009
141 incidents
2010
761 incidents
Delta
Intellectual Property
10
41
+ 31
20
+ 19
Sensitive Organizational
13
81
+ 68
ZERO
41
+ 41
System Information
WebLabyrinth
http://code.google.com/p/weblabyrinth/
FOG Computing
http://sneakers.cs.columbia.edu:8080/fog/
Honeyports
http://honeyports.sourceforge.net/
http://cs.gmu.edu/~asood/scit/
Photo - http://www.flickr.com/photos/shannonholman/2138613419
Enrich Budgeting
More precision in how you apply investment
David Etue
@djetue
blog.cognitivedissidents.com
profile.david.etue.net
Actor Classes
Motivations
Target Assets
Impacts
Methods