An Economic Damage Model for Large-Scale Internet Attacks

Thomas Dübendorfer
ETH Zurich, Switzerland

Co-authors: Arno Wagner, Bernhard Plattner
{duebendorfer, wagner, plattner}@tik.ee.ethz.ch

Workshop for the Consortium “Risk Management and Modelling for Distributed Systems”

7th September 2004

Page 2: Agenda

© T. Dübendorfer (2004), TIK/CSG, ETH Zurich - 2 -

1) Introduction
2) System Model
• Scope
• Types of damage
3) Economic Damage
• Qualitative View
• Quantitative View
4) Sample Scenarios
5) Questions and Discussion

Page 3: Research Team

Prof. Dr. Bernhard Plattner
Professor for technical computer science at ETH Zurich (since 1988)
Head of Computer Engineering and Networks Laboratory TIK

Thomas Dübendorfer
Dipl. Informatik-Ing., ETH Zurich (2001); minor in economics
ISC2 CISSP (Certified Information System Security Professional) (2003)
PhD student at TIK/ETH; DDoSVax researcher

Arno Wagner
Dipl. Inform., Uni Karlsruhe, Germany (1996)
ISC2 CISSP (Certified Information System Security Professional) (2003)
PhD student at TIK/ETH; DDoSVax researcher

… and many thanks to our students Jürg Schmid and Peter Weigel for collecting economic data and working on the loss model.

Page 4: Problem Statement

The Problem:
Companies relying on the Internet are faced with large-scale attacks:
• Uncontrolled massive worm spreading, e.g. SQL Slammer (Jan. 2003), Blaster (Aug. 2003)
• Massive distributed Denial-of-Service (DDoS) attacks, e.g. attacks on ebay, Yahoo, DNS root servers (Oct. 2002), attacks by Blaster on MS update web site

Many companies are not aware how Internet-dependent their business is and how much financial damage they would suffer when the Internet is "down".

Today's economic damage models typically ignore damage by Internet attacks.

Reliability and availability of the Internet and its services can be drastically reduced within minutes. Such interruptions can last for hours or even days.

Page 5: Sample attack scenario: A reflector DDoS attack

In a DDoS attack there is at least an attacker, an amplifying network, and a victim.

[Figure: reflector DDoS attack; labels: Attacker, Masters, Agents, Reflectors, Amplifying network, Victim (under attack)]

Page 6: Targets of the Attack

What is attacked?
• Commercial Internet servers (e.g. ebay, Yahoo, Microsoft update, SCO)
• Network core services (e.g. DNS, routers)
• Consumer computers (worm and virus infections; misused directly or backdoors installed)
• In the near future: Smaller backbones (e.g. massive flooding attacks)

Such attacks usually also cause collateral damage, e.g. causing high packet loss or even virtually detaching certain networks from the Internet.

Page 7: Attacker’s profile

• Who is attacking?
Mostly single persons or small groups of
– Hacker(s) (for fun; to prove technical excellence)
– Saboteur(s) (criminal motives)
• Resources needed for an attack:
– Personal computer with development software [cheap]
– Internet connectivity (e.g. Internet café) [cheap]
– Technical know-how (most can be found on the Internet) [easy to get]
– Many poorly secured computers hooked up to the Internet [easy to get]

Page 8: Press Statements

Group mi2g Estimates Slammer Damage at US$ 1 Billion
by Scott Bekker, 1/30/2003, ENT News

A U.K.-based security firm is estimating that economic damage from the SQL Slammer worm is already over US$ 1 billion, making it the ninth most damaging malware attack yet in the firm's estimation. MI2g released the billion-dollar estimate on Thursday, which was an upward revision of a figure the group released earlier in the week.

… Klez caused between $8 billion and US$ 9.9 billion in damage; Love Bug, between $7.8 billion and US$ 9.6 billion. Coming in third is SQL Slammer's distant cousin, Code Red, at an estimated $2.4 billion to $2.9 billion in damage. Other members of the billion-dollar club, in order, are Yaha, SirCam, BugBear, Mafia Boy and Melissa.

Source: http://www.entmag.com/news/article.asp?EditorialsID=5677

Page 9: Press Statements

Probability of a catastrophic malware attack rises from 2.5% to 30%

London, UK - 2 June 2004, 11:30 GMT - May was the fifth worst month on record in terms of malware proliferation - virus, worm and trojan attacks - and is estimated to have caused between US$ 16.2bn and US$ 19.8bn of economic damage worldwide, largely because of the Sasser outbreak and other associated variants according to the mi2g Intelligence Unit, the world leader in digital risk. The probability of a catastrophic malware attack, defined as global damages in excess of US$ 100bn from a chain of combined events, has risen from 1 in 40 (2.5%) for 2003 to about 3 in 10 (30%) for 2004.

http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.com/cgi/mi2g/press/020604.php

Page 10: Our economic damage model

• Assumption
Internet availability and reliability can be drastically reduced within minutes by large-scale Internet attacks.
Consequently, many companies will suffer direct and indirect financial damage.
• Core questions
– Who suffers which financial damage?
– When does how much damage occur?
• Approach and Goals
– System model (based on systems engineering)
– Categorization of financial damage
– Qualify damage over time
– Quantify economic damage
– Assure the applicability of our model and methodology (scenarios)

Page 11: Related Work

[Figure: CMU's OCTAVE. Image by CMU/APEC, e-Security Task Group, 2004]

Page 12: Related Work

General risk assessment frameworks
• CMU's OCTAVE "Operationally Critical Threat, Asset, and Vulnerability Evaluation"
• NIST's "Federal IT Security Assessment Framework"

+ versatile
+ can be used to find which assets need how much protection

- too general
- no model and no quantifications for a DDoS attack's damage

Page 13: Related Work

Industry estimates of worm damage:
mi2g's EVEDA (Economic Valuation Engine for Damage Analysis) collects its information from CEOs, publications, hacker groups and calculates the economic damage based on a unique set of algorithms developed by the mi2g SIPS team together with economic and risk experts.

+ large collection of current company data as input

- proprietary
- model and algorithms unpublished

We used a systems engineering approach and input from interviews with Swiss telcos, backbone and Internet service providers for model refinements.

Page 15: System Model

NMS = Network Management System

Page 16: Types of Damage

Total financial damage is the sum of the costs for

• Downtime Loss: productivity loss + revenue loss
– productivity loss, i.e. employees have to use less efficient ways to fulfill their duties; certain tasks have to be postponed
– revenue loss, i.e. lost transactions by customers that cannot access a service due to the company's inability to fulfill customer requests
• Disaster Recovery, i.e. cost of time that employees spend on recovery from an incident
• Liability, i.e. compensation payments for not being able to fulfill a service level agreement (SLA)
• Customer Loss, i.e. lost revenue due to dissatisfied customers quitting a service; opportunity costs of potential customers lost

Page 17: Matrix of Elements x Damage

x- Private Internet user

x(x)xxx- Banks

x(x)- ATM service

xxx- Stock market

Other Elements

(x)(x)x(x)x- Cable TV company

x- Telco

Other Network Operators

x(x)Insurance company

(x)xx- Large company

xx- SME

xxx(x)x- Web hoster

xxx- E-Shop

Corporate Customers of ISP/BSP

xxx(x)xInternet Service Provider (ISP)

xxx(x)xBackbone Service Provider (BSP)

Type of damage (columns): Downtime Loss a) productivity loss; Downtime Loss b) revenue loss; Disaster Recovery; Liability; Customer Loss

Element (rows)

(variations possible)

Page 19: Time Characteristics of Damage

Qualitative analysis:
Economic damage usually does not have the same characteristics over time as technical problems have: economic damage can still grow when technical problems have been resolved and the attack has been stopped.

Three time intervals:
[t0,t1] during the attack
[t1,t2] shortly after the attack has been stopped (e.g. hours to days)
[t2,t3] a longer time after the incident (e.g. weeks to months)

Note: Temporal overlap of different damage types is possible

Example: Backbone/Internet Service Provider

Page 20: Time Characteristics of Damage

[Figure: examples of cumulative damage curves]
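The damage categories from the Types of Damage slide and the three time intervals [t0,t1], [t1,t2], [t2,t3], combined into a small estimator that shows cumulative damage still growing after the attack has stopped. This is an added example, not part of the original slides: the transcript does not carry the deck's own formulas, so every formula, accrual window and input value below is an assumption constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Inputs:  # every value is a constructed sample, not a figure from the slides
    employees: int = 200
    hourly_cost: float = 80.0            # CHF per employee-hour
    productivity_drop: float = 0.5       # share of work lost while offline
    work_hours_hit: float = 8.0          # working hours that fall inside the outage
    revenue_per_hour: float = 1000.0     # online revenue lost per outage hour
    recovery_hours: float = 200.0        # total staff hours spent on recovery work
    recovery_material: float = 4000.0    # replacement material
    sla_penalty_per_hour: float = 500.0  # contractual penalty per outage hour
    other_claims: float = 3000.0         # other liability claims
    customers_lost: int = 20             # actual customers quitting the service
    prospects_lost: int = 5              # potential customers lost
    revenue_per_customer: float = 1200.0

def breakdown(p: Inputs, outage_h: float) -> dict:
    """Damage per category for an outage of outage_h hours (assumed formulas)."""
    productivity = p.employees * p.hourly_cost * p.productivity_drop * p.work_hours_hit
    revenue = p.revenue_per_hour * outage_h
    d = {
        "downtime": productivity + revenue,
        "recovery": p.recovery_hours * p.hourly_cost + p.recovery_material,
        "liability": p.sla_penalty_per_hour * outage_h + p.other_claims,
        "customer": (p.customers_lost + p.prospects_lost) * p.revenue_per_customer,
    }
    d["total"] = sum(d.values())  # total financial damage = sum of the four categories
    return d

def ramp(t: float, start: float, end: float) -> float:
    """Share of a cost booked by time t when it accrues linearly over [start, end]."""
    return min(1.0, max(0.0, (t - start) / (end - start)))

def cumulative(p: Inputs, t: float, t1: float, t2: float, t3: float) -> float:
    """Cumulative damage at hour t with t0 = 0 (accrual windows are assumptions)."""
    d = breakdown(p, outage_h=t1)
    return (d["downtime"] * ramp(t, 0, t1)       # during the attack
            + d["recovery"] * ramp(t, 0, t2)     # during and shortly after the attack
            + d["liability"] * ramp(t, t1, t2)   # claims settled shortly after
            + d["customer"] * ramp(t, t2, t3))   # weeks to months after the incident

if __name__ == "__main__":
    p, t1, t2, t3 = Inputs(), 24, 72, 24 * 90
    print(breakdown(p, t1))
    for t in (12, t1, t2, t3):
        print(f"hour {t:>5}: CHF {cumulative(p, t, t1, t2, t3):,.0f}")
```

With these sample inputs, less than two thirds of the total damage has accrued when the attack ends at t1; the rest is booked in the two later intervals.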

Page 21: Quantitative Damage Analysis

Downtime loss
• Productivity loss
• Revenue loss

Page 22: Quantitative Damage Analysis

Disaster recovery
• Recovery work
• Material

Page 23: Quantitative Damage Analysis

Liability
• Contractual penalties
• Other liability claims

Page 24: Quantitative Damage Analysis

Customer Loss
• Actual customers lost
• Potential customers lost

Page 26: Scenario: Backbone Service Provider

A Backbone Service Provider is hit by a massive attack: 24 hrs of Internet outage

May 2004: CHF 1.00 ≈ € 0.65 ≈ US$ 0.77

Page 27: Scenario: BSP cont.

Loss = 1.2 % of annual income

Page 28: Scenario: Switzerland Internet Blackout

[Figure: bar chart, damage in CHF (millions), axis 0 to 6'000; 1 day outage: 310 mill.; 1 week outage: 5.8 bill.]

In Switzerland, 48.2% of all 3.590.000 jobs are IT intense jobs

Page 29: Notes on Damage Quantification

• Our model provides a basis for quantifying damage
• Values and possibly also parameters need to be adapted to company-specific needs and idiosyncrasies, e.g.
– disaster recovery costs depend on technical infrastructure present
– liability costs depend on service level agreements and contractual penalties
– customer loss depends on revenue per customer and competitors

Page 30: Future Work

• Model extensions
– Consider costs for preventive measures against Internet attacks: intrusion detection systems, firewalls, anti-virus software, frequent updates and patching, …
– Other forms of Internet attacks: spam, industry espionage, impersonation, …
• Inclusion of damage caused by further elements
– Stock market; value of a company
– Company reorganisations due to security incidents
– Other indirectly affected systems
• Probability estimates
– Include probability estimates for different threat agents
• Dynamic damage evaluations
– Adapt the model to support dynamic changes in enterprises

Page 31: Conclusions and Outlook

• Conclusions
Threat potential of a massive DDoS attack on critical Internet elements can no longer be ignored; our model can be used to transparently estimate economic damage in a qualitative and quantitative way.
• Experiences gained
– Quantification is challenging (many factors are relevant; restrictive access to sensitive economic company data)
– Model can help to transparently estimate (potential) damage
– Validity and evidence of model input data is crucial
• Outlook
– Internet- and technology-dependence of modern economies is still rising
– Number and variety of digital threats is increasing rapidly
– Preventive security measures become more important

This work was done in the context of the research project DDoSVax: http://www.tik.ee.ethz.ch/~ddosvax/

Page 32: Thanks for your attention!

Any questions?

Acknowledgements: Many thanks to the students Jürg Schmid and Peter Weigel for collecting economic data and elaborating on the loss model in their semester thesis.