Hac, Hacs, an Cbe k Se - Riga Shipping...
Transcript of Hac, Hacs, an Cbe k Se - Riga Shipping...
Rig pi D n 2019
Ports have been hacked.
Not just the ports, but ships too.
What is it like to work a cyber incident?
Long days and weeks, often sleepless nights.
Coordination between multiple victims.
Usually the group you thought was the attacker is a victim too.
Tough choices about knowing when the intrusion has been cleaned up.
High pressure as the business is leaking money or data.
Shall we have a little demonstration?
“All risks are comparable, or at least they should be.” - Gordon Woo
Cyber risk should not be special here!
It needs to become comparable.
“Life can only be understood backwards; but it must be lived forwards.”
-Søren Kierkegaard
Start with your risk to others, not their risk to you.
What if IoCs are a historical record of hacker effort?
1. Binaries take time to produce (and reproduce).
2. Domains have to be bought, maintained, shut down.
3. Certificates have to be bought, keys generated…
4. IP addresses for exfiltration need to have listening sockets…
Money, Time, Team size, and yes….TALENT, are encoded in their operational capacity.
APTs need infrastructure to operate, and that *is* quantifiable.
The simplest of metrics would be event count.
We can do much, much, better than this if we take this seriously as a research idea.
And we MUST!
Ok, but you have to be careful of sampling bias...maybe you detected more, because you focused more?
Were those the most prolific threats? Or the most tracked?
@ErwinKooi“Yo r im o f AP ’s ca t a d l in s p o r o l ow l u n t e n h i T .”
“All your heatmaps are belong to us.” -Richard Struse
But what if we abandon heatmaps and get quantitative?
Some open research questions...
How much:
Money
People
Time
Does it take for attackers to:
Change an IP Address
Spin up a new domain
Make a 1Kb Binary
Make a 500Mb Binary
Change a binary’s SHA1
Change a binary’s IMPHash
Some open^H^H^H^H quantifiable research questions...
How much money, how many people, and how much time does it take for attackers to:

                             Money    People   Time
Change an IP Address         $4       1        8 seconds
Spin up a new domain         $20      1        30 seconds
Make a 1Kb Binary            $5000    1-5      2 weeks
Make a 500Mb Binary          $2500    1-2      1 week
Change a binary's SHA1       $0       1        90 seconds
Change a binary's IMPHash    ???
Cost, people, and time, are distributions...
...but this is a proof of concept, so let’s pretend they are just constants for now.
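The "IoCs as a record of effort" idea with the table's constants plugged in, as an added example that is not part of the talk. It takes a constructed list of typed observations per hypothetical intrusion set (the set names, counts and the `EFFORT` dictionary are assumptions; the cost, people and time values are the slide's), produces the point estimate the slide describes, and then, going one step beyond the slide, treats each constant as a triangular distribution and runs a Monte Carlo to get a range instead of a single number. The IMPHash row is left out because the slide gives it no value.

```python
"""Estimate attacker spend from observed IoCs (constructed example)."""
import random
from collections import Counter

WEEK = 7 * 86400  # seconds

# Per-IoC effort constants taken from the talk's table (money in USD,
# people as a (low, high) range, time in seconds). The people ranges for
# the binaries are the slide's "1-5" and "1-2".
EFFORT = {
    "ip_change":    {"usd": 4,    "people": (1, 1), "seconds": 8},
    "new_domain":   {"usd": 20,   "people": (1, 1), "seconds": 30},
    "binary_1kb":   {"usd": 5000, "people": (1, 5), "seconds": 2 * WEEK},
    "binary_500mb": {"usd": 2500, "people": (1, 2), "seconds": 1 * WEEK},
    "sha1_change":  {"usd": 0,    "people": (1, 1), "seconds": 90},
}

# Constructed observations: what a tracker might have logged for two
# hypothetical intrusion sets over the same period (names are invented).
OBSERVED = {
    "GROUP-A": ["ip_change"] * 40 + ["new_domain"] * 12
               + ["binary_1kb"] * 3 + ["sha1_change"] * 30,
    "GROUP-B": ["ip_change"] * 5 + ["new_domain"] * 2
               + ["binary_500mb"] * 1 + ["sha1_change"] * 4,
}


def point_estimate(events):
    """Slide-style estimate: constants only, low end of each people range."""
    totals = {"usd": 0, "seconds": 0, "people_seconds": 0}
    for kind, n in Counter(events).items():
        e = EFFORT[kind]
        totals["usd"] += n * e["usd"]
        totals["seconds"] += n * e["seconds"]
        totals["people_seconds"] += n * e["people"][0] * e["seconds"]
    return totals


def _draw(rng, constant):
    """Treat a constant as uncertain: triangular between 0.5x and 2x."""
    if constant == 0:
        return 0.0
    return rng.triangular(0.5 * constant, 2.0 * constant, constant)


def monte_carlo(events, runs=2000, seed=1):
    """Return 5th/50th/95th percentiles of USD spend over sampled constants."""
    rng = random.Random(seed)
    counts = Counter(events)
    samples = []
    for _ in range(runs):
        usd = 0.0
        for kind, n in counts.items():
            e = EFFORT[kind]
            usd += n * _draw(rng, e["usd"])
        samples.append(usd)
    samples.sort()
    pick = lambda q: samples[int(q * (runs - 1))]
    return {"p05": pick(0.05), "p50": pick(0.50), "p95": pick(0.95)}


def rank_by_spend(observed):
    """Make the groups comparable: order them by estimated USD spend."""
    return sorted(observed, key=lambda g: point_estimate(observed[g])["usd"],
                  reverse=True)


if __name__ == "__main__":
    for group, events in OBSERVED.items():
        pe = point_estimate(events)
        mc = monte_carlo(events)
        print(f"{group}: point ${pe['usd']:,}  "
              f"{pe['people_seconds'] / 86400:.0f} person-days  "
              f"MC p05/p50/p95 ${mc['p05']:,.0f}/${mc['p50']:,.0f}/${mc['p95']:,.0f}")
    print("ranking:", rank_by_spend(OBSERVED))
```

The point estimate is exactly the slide's arithmetic; the Monte Carlo shows how little extra work it takes to stop "pretending they are just constants", which is the caveat the previous slide raises.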
Now we’ve made APTs comparable, can we start to understand their capacity, so what about Ransomware?
928 -> $105,955
1074 -> $7.84 Million
837 -> $7.50 Million
Ain’t correlation grand?
Source for ransomware families: 2017 F-Secure State of Cyber Security & Trend Micro 2016 Security Roundup
● Ankit and Mauro studied all the recent ransomware:
  ■ that used Bitcoin as at least one mode of ransom payment, and
  ■ for which at least one Bitcoin address is publicly known
Occurrence of Bitcoin ransomware
Ransomware payments analysis help us build models of cyber risk.
Ransomware Payment Analysis (n=126k)
From an analysis of Ransomware payments:
$800 is the average, and the largest payment I found was $1.4 Million.
There are a lot of tiny payments like 0.18, presumably test payments.
We can see the cashouts too, and there’s even one that has a timestamp of 1972
(Before the blockchain was invented)
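The data-quality steps implied by the three observations above (tiny test payments, an impossibly early timestamp, then the average and maximum), as an added example written for this transcript rather than taken from the analysis itself. The payment records are constructed, the test-payment threshold is an assumption, and the only external fact used is that the Bitcoin genesis block is dated 3 January 2009, so any earlier timestamp cannot be a real on-chain event.

```python
"""Clean and summarise a set of ransomware payment records (constructed data)."""
from datetime import datetime, timezone
from statistics import mean

# Nothing on the Bitcoin blockchain can predate the genesis block.
BITCOIN_GENESIS = datetime(2009, 1, 3, tzinfo=timezone.utc)

# Assumption: anything under one dollar is a test payment, not a ransom.
TEST_PAYMENT_USD = 1.0

# Constructed records: (family, amount in USD, ISO-8601 timestamp).
PAYMENTS = [
    ("CryptoLocker", 300.0,     "2013-10-12T14:05:00Z"),
    ("CryptoLocker", 0.18,      "2013-10-12T14:01:00Z"),  # tiny: test payment
    ("Locky",        1200.0,    "2016-03-02T08:15:00Z"),
    ("Locky",        1400000.0, "2016-06-20T21:40:00Z"),
    ("SamSam",       0.10,      "2018-01-05T03:00:00Z"),  # tiny: test payment
    ("Cerber",       800.0,     "2016-09-10T11:30:00Z"),
    ("CryptoLocker", 250.0,     "1972-01-01T00:00:00Z"),  # before genesis
]


def parse_ts(text):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_test_payment(amount_usd):
    return amount_usd < TEST_PAYMENT_USD


def is_plausible_timestamp(text):
    """A record dated before the genesis block is a data error, not a cashout."""
    return parse_ts(text) >= BITCOIN_GENESIS


def summarise(records):
    """Split records into usable ransoms, test payments and impossible dates."""
    ransoms, tests, impossible = [], [], []
    for family, amount, ts in records:
        if not is_plausible_timestamp(ts):
            impossible.append((family, amount, ts))
        elif is_test_payment(amount):
            tests.append((family, amount, ts))
        else:
            ransoms.append((family, amount, ts))
    amounts = [a for _, a, _ in ransoms]
    return {
        "n_total": len(records),
        "n_ransoms": len(ransoms),
        "n_test": len(tests),
        "n_impossible": len(impossible),
        "average_usd": mean(amounts) if amounts else 0.0,
        "max_usd": max(amounts) if amounts else 0.0,
        "impossible": impossible,
    }


if __name__ == "__main__":
    s = summarise(PAYMENTS)
    print(f"{s['n_ransoms']} ransoms, {s['n_test']} test payments, "
          f"{s['n_impossible']} impossible timestamps")
    print(f"average ${s['average_usd']:,.2f}, largest ${s['max_usd']:,.2f}")
    for rec in s["impossible"]:
        print("flagged:", rec)
```

Dropping the impossible and test records before averaging matters: with n in the hundred-thousands, a handful of bad timestamps will not move the mean, but a large number of sub-dollar test payments will drag it down and make any loss model built on it too optimistic.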
So the bad guys are obviously laughing all the way to the bank.
● First known ransomware virus was written by an AIDS researcher, called Dr. Joseph Popp, in 1989.
● The “first” cashout we found in the blockchain was from CryptoLocker, in 1972, before the blockchain EXISTED!
Don’t believe me? Check yourself with the QR code.
Screenshot by: Security Focus
Exploit usage is quantifiable
By volume
Exploit usage is quantifiable
Across time
Let’s switch to rDDoS. Remember, start with your risk to others.
2018 Max: 155 Tb/s
Actual: 1.35 Tb/s
https://www.tandfonline.com/doi/abs/10.1080/23738871.2017.1362020
Largest DDoS per year.
Gathered from marketing material.
Our estimates of pool of capacity.
Created by summing risk to others!
Beware of our selection bias.
Most companies can not detect the largest DDoS without sharing information!
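An added example, not from the talk, of the three things these slides combine: bandwidth figures from marketing material arrive in inconsistent units and must be normalised before the "largest per year" chart means anything; the pool of reflective capacity is built by summing each participant's own estimate of its risk to others; and each participant's own largest observed attack is compared against the pooled figure to show who could not have detected it alone. All report lines, organisation names and capacity figures are constructed.

```python
"""Normalise DDoS bandwidth reports and pool 'risk to others' (constructed data)."""
import re
from collections import defaultdict

UNIT = {"": 1.0, "k": 1e3, "m": 1e6, "g": 1e9, "t": 1e12}

_RATE = re.compile(r"\s*([\d.,]+)\s*([kKmMgGtT]?)(b|B)(?:it|yte)?(?:/s|ps)\s*")


def parse_rate(text):
    """Turn '1.35 Tb/s', '650 Gbps', '2,000 Mbit/s', '10 GB/s' into bits per second."""
    m = _RATE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    value = float(m.group(1).replace(",", ""))
    bits = value * UNIT[m.group(2).lower()]
    return bits * 8 if m.group(3) == "B" else bits  # uppercase B means bytes


def format_rate(bits_per_second):
    """Render bits/s in the largest unit that keeps the number >= 1."""
    for prefix in ("t", "g", "m", "k", ""):
        if bits_per_second >= UNIT[prefix]:
            return f"{bits_per_second / UNIT[prefix]:g} {prefix.upper()}b/s"
    return f"{bits_per_second:g} b/s"


# Constructed vendor marketing lines: (year, source, quoted peak attack size).
MARKETING = [
    (2016, "vendor-x", "620 Gbps"),
    (2016, "vendor-y", "1 Tb/s"),
    (2017, "vendor-x", "650 Gbps"),
    (2018, "vendor-z", "1.35 Tb/s"),
    (2018, "vendor-x", "1,300 Gb/s"),
]

# Constructed participant estimates of their own risk to others: how much
# traffic their infrastructure could be made to send at someone else.
RISK_TO_OTHERS = {"org-a": "40 Gb/s", "org-b": "120 Gbps", "org-c": "2.5 Tb/s"}

# Constructed: the largest attack each participant has seen on its own.
OWN_MAX_OBSERVED = {"org-a": "35 Gb/s", "org-b": "300 Gb/s", "org-c": "1.2 Tb/s"}


def largest_per_year(reports):
    """Max claimed attack size per year, in bits/s, after unit normalisation."""
    best = defaultdict(float)
    for year, _source, text in reports:
        best[year] = max(best[year], parse_rate(text))
    return dict(best)


def pooled_capacity(risk_to_others):
    """Sum every participant's risk to others: the estimated pool of capacity."""
    return sum(parse_rate(v) for v in risk_to_others.values())


def cannot_detect_alone(own_max_observed, pool_bits):
    """Participants whose own largest observation is below the pooled capacity."""
    return sorted(o for o, v in own_max_observed.items() if parse_rate(v) < pool_bits)


if __name__ == "__main__":
    for year, bits in sorted(largest_per_year(MARKETING).items()):
        print(f"{year}: largest reported {format_rate(bits)}")
    pool = pooled_capacity(RISK_TO_OTHERS)
    print(f"pooled capacity: {format_rate(pool)}")
    print("need shared data to see the largest:", cannot_detect_alone(OWN_MAX_OBSERVED, pool))
```

The selection-bias caveat on the slide still applies: the pool is only as complete as the set of participants who reported, so the sum is a lower bound, not an estimate of everything out there.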
Normalise, Normalise, Normalise!
First we estimate APT “capacity for harm”, then we solve for “loss estimation” of minimal and maximal harms.
Why haven't we solved cyber risk yet?
1. Because we focused on the risk to ourselves instead of our risk to others.
2. Because we did not put any science in the loss quantification or estimation.
3. Because we did not normalise or share the data.
Cyber risk is shared. Collaboration, not solitary heroes, reduces that risk.