Hacks, Hackers, and Cyber Risk at Sea - Riga Shipping Dinner 2019

Transcript of Hacks, Hackers, and Cyber Risk at Sea - Riga Shipping Dinner 2019

Page 1: Hac, Hacs, an Cbe k Se - Riga Shipping Dinnershippingdinner.com/file/presentation_2019/3_Eireann_Leverett_Hack… · Binaries take time to produce (and reproduce). 2. ... “All your

Hacks, Hackers, and Cyber Risk at Sea

Riga Shipping Dinner 2019

Page 2:

Ports have been hacked.

Page 3:

Not just the ports, but ships too.

Page 4:

What is it like to work a cyber incident?

Long days and weeks, often sleepless nights.

Coordination between multiple victims.

Usually the group you thought was the attacker is a victim too.

Tough choices about knowing when the intrusion has been cleaned up.

High pressure as the business is leaking money or data.

Shall we have a little demonstration?

Page 5:

“All risks are comparable, or at least they should be.” - Gordon Woo

Cyber risk should not be special here!

It needs to become comparable.

Page 6:

“Life can only be understood backwards; but it must be lived forwards.”

-Søren Kierkegaard

Page 7:

Start with your risk to others, not their risk to you.

Page 8:

What if IoCs are a historical record of hacker effort?

1. Binaries take time to produce (and reproduce).
2. Domains have to be bought, maintained, shut down.
3. Certificates have to be bought, keys generated…
4. IP addresses for exfiltration need to have listening sockets…

Money, time, team size, and yes… TALENT are encoded in their operational capacity.

APTs need infrastructure to operate, and that *is* quantifiable.

Page 9:

The simplest of metrics would be event count.

We can do much, much, better than this if we take this seriously as a research idea.

And we MUST!

Page 10:

Ok, but you have to be careful of sampling bias...maybe you detected more, because you focused more?

Page 11:

Were those the most prolific threats? Or the most tracked?

Page 12:

@ErwinKooi“Yo r im o f AP ’s ca t a d l in s p o r o l ow l u n t e n h i T .”

Page 13:

“All your heatmaps are belong to us.” -Richard Struse

Page 14:

“All your heatmaps are belong to us.” -Richard Struse

Page 15:

But what if we abandon heatmaps and get quantitative?

Page 16:

Some open research questions...

How much:

Money

People

Time

Does it take for attackers to:

Change an IP Address

Spin up a new domain

Make a 1Kb Binary

Make a 500Mb Binary

Change a binary’s SHA1

Change a binary’s IMPHash

Page 17:

Some open^H^H^H^H quantifiable research questions...

How much money, people, and time does it take for attackers to:

                               Money    People   Time
Change an IP Address           $4       1        8 seconds
Spin up a new domain           $20      1        30 seconds
Make a 1Kb Binary              $5000    1-5      2 weeks
Make a 500Mb Binary            $2500    1-2      1 week
Change a binary's SHA1         $0       1        90 seconds
Change a binary's IMPHash      ???

Page 18:

Cost, people, and time, are distributions...

...but this is a proof of concept, so let’s pretend they are just constants for now.
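The slides argue that every IoC is a receipt for attacker effort, and then supply constant money/people/time figures per action. The following is an added example, not code from the talk, that carries that proof of concept through: it maps a constructed list of observed IoCs onto the actions that must have produced them, prices them with the slide's constants (taking the lower bound where the slide gives a people range), and ranks two campaigns on the same scale. The IoC values, the `Ioc` class, the 100 MB split between the "1Kb" and "500Mb" rows, and the rule that a repeated IMPHash means a repack rather than a new build are all assumptions of this example.

```python
"""Proof-of-concept attacker-effort estimate from IoCs.

Added example, not from the talk: it turns the slide's money/people/time
constants into a lower-bound estimate of what a set of observed IoCs cost
the attacker, so two campaigns can be compared on the same scale.
The IoC lists below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

WEEK = 7 * 24 * 3600

# Constants from the slide table: (USD, people, seconds) per action.
# Where the slide gives a people range (1-5, 1-2) the lower bound is used,
# so every estimate here is a minimum (assumption of this example).
ACTION_COST = {
    "ip_change":    (4.0,    1, 8),           # change an IP address
    "new_domain":   (20.0,   1, 30),          # spin up a new domain
    "small_binary": (5000.0, 1, 2 * WEEK),    # make a 1Kb binary
    "large_binary": (2500.0, 1, 1 * WEEK),    # make a 500Mb binary
    "sha1_change":  (0.0,    1, 90),          # change a binary's SHA1
}

# Size threshold separating "1Kb-style" hand-crafted tools from bulky builds
# (assumption; the slide only gives the two extremes).
LARGE_BINARY_BYTES = 100 * 1024 * 1024


@dataclass(frozen=True)
class Ioc:
    kind: str            # "ip", "domain" or "sha1"
    value: str
    size_bytes: int = 0  # binaries only
    imphash: str = ""    # binaries only


def classify(iocs):
    """Map observed IoCs onto the attacker actions that must have produced them.

    A sample whose IMPHash was already seen is counted as a cheap SHA1 change
    (repacking); a new IMPHash is counted as a fresh build.
    """
    actions = Counter()
    seen_imphash = set()
    for ioc in iocs:
        if ioc.kind == "ip":
            actions["ip_change"] += 1
        elif ioc.kind == "domain":
            actions["new_domain"] += 1
        elif ioc.kind == "sha1":
            if ioc.imphash in seen_imphash:
                actions["sha1_change"] += 1
            else:
                seen_imphash.add(ioc.imphash)
                big = ioc.size_bytes >= LARGE_BINARY_BYTES
                actions["large_binary" if big else "small_binary"] += 1
        else:
            raise ValueError(f"unknown IoC kind: {ioc.kind}")
    return actions


def estimate_effort(iocs):
    """Return (usd, person_seconds) lower bounds for producing these IoCs."""
    usd = 0.0
    person_seconds = 0
    for action, n in classify(iocs).items():
        cost, people, seconds = ACTION_COST[action]
        usd += n * cost
        person_seconds += n * people * seconds
    return usd, person_seconds


def rank_campaigns(campaigns):
    """Order campaigns by estimated investment (money first, then effort)."""
    scored = {name: estimate_effort(iocs) for name, iocs in campaigns.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample: two campaigns' IoCs as a threat-intel feed might list them.
CAMPAIGN_A = [
    Ioc("ip", "198.51.100.10"), Ioc("ip", "198.51.100.11"), Ioc("ip", "198.51.100.12"),
    Ioc("domain", "update-check.example"), Ioc("domain", "cdn-sync.example"),
    Ioc("sha1", "a" * 40, size_bytes=1024, imphash="imp-X"),                # new small build
    Ioc("sha1", "b" * 40, size_bytes=1024, imphash="imp-X"),                # same build, repacked
    Ioc("sha1", "c" * 40, size_bytes=600 * 1024 * 1024, imphash="imp-Y"),  # new large build
]
CAMPAIGN_B = [Ioc("ip", f"203.0.113.{i}") for i in range(10)] + \
             [Ioc("domain", f"host{i}.example") for i in range(5)] + \
             [Ioc("sha1", "d" * 40, size_bytes=2048, imphash="imp-Z")]

if __name__ == "__main__":
    for name, (usd, secs) in rank_campaigns({"campaign_A": CAMPAIGN_A, "campaign_B": CAMPAIGN_B}):
        print(f"{name}: >= ${usd:,.0f} and {secs / 3600:,.1f} person-hours")
```

Campaign B has far more IoCs than campaign A, yet ranks lower: a bare event count would have called it the bigger threat, while pricing the actions shows that A's extra builds dominate everything the IP and domain churn in B could cost. That is the point of the slides: the constants are placeholders for distributions, but even as constants they make two actors comparable in a way a heatmap cannot.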

Page 19:

Page 20:

Page 21:

Now that we’ve made APTs comparable and can start to understand their capacity, what about ransomware?

Page 22:

928 -> $105,955

Page 23:

1074 -> $7.84 Million

Page 24:

837 -> $7.50 Million

Page 25:

Ain’t correlation grand?


Source for ransomware families: 2017 F-Secure State of Cyber Security & Trend Micro 2016 Security Roundup

Page 26:

● Ankit and Mauro studied all the recent ransomware:
  ■ that used Bitcoin as at least one mode of ransom payment, and
  ■ for which at least one Bitcoin address is publicly known

Occurrence of Bitcoin ransomware

Page 27:

Ransomware payment analysis helps us build models of cyber risk.

Page 28:

Ransomware Payment Analysis (n=126k)

From an analysis of Ransomware payments:

$800 is the average, and the largest payment I found was $1.4 Million.

There are a lot of tiny payments like 0.18, presumably test payments.

We can see the cashouts too, and there’s even one that has a timestamp of 1972

(Before the blockchain was invented)

So the bad guys are obviously laughing all the way to the bank.

Page 29:

● First known ransomware virus was written by an AIDS researcher, called Dr. Joseph Popp, in 1989.

● The “first” cashout we found in the blockchain was from CryptoLocker, in 1972, before the blockchain EXISTED!

Don’t believe me? Check yourself with the QR code.


Screenshot by: Security Focus
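The two preceding slides describe what a payment dataset looks like before it is fit for a loss model: an average and a maximum worth reporting, a tail of tiny test payments, and at least one record whose timestamp predates the blockchain itself. The following is an added example, not code from the talk, of the sanity pass a defender would run first. The payment records, the family names other than CryptoLocker and the $1 test-payment threshold are constructed assumptions; the genesis-block date is Bitcoin's real one.

```python
"""Added example, not from the talk: sanity-check a ransomware payment dataset
before it feeds a loss model, separating real ransoms from test payments and
from records whose timestamps cannot be right. The records are constructed.
"""
from datetime import datetime, timezone
from statistics import mean

# Bitcoin's genesis block was mined on 2009-01-03; no real transaction can
# carry an earlier timestamp, so anything before it is a data defect.
GENESIS = datetime(2009, 1, 3, tzinfo=timezone.utc)

# Payments at or below this amount are treated as attacker test payments
# (assumption; the slide notes "tiny payments like 0.18").
TEST_PAYMENT_MAX_USD = 1.0

PAYMENTS = [  # constructed records, amounts in USD at payment time
    {"txid": "tx-0001", "family": "CryptoLocker", "usd": 800.0,       "ts": "2014-01-10T12:00:00Z"},
    {"txid": "tx-0002", "family": "family-B",     "usd": 300.0,       "ts": "2015-06-02T08:15:00Z"},
    {"txid": "tx-0003", "family": "family-C",     "usd": 1_400_000.0, "ts": "2017-03-21T17:40:00Z"},
    {"txid": "tx-0004", "family": "family-B",     "usd": 0.18,        "ts": "2016-11-11T11:11:00Z"},
    {"txid": "tx-0005", "family": "family-C",     "usd": 0.50,        "ts": "2017-03-20T09:00:00Z"},
    {"txid": "tx-0006", "family": "CryptoLocker", "usd": 2500.0,      "ts": "1972-01-01T00:00:00Z"},
    {"txid": "tx-0007", "family": "family-B",     "usd": 1300.0,      "ts": "2017-05-13T22:05:00Z"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the records above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def partition(payments):
    """Split records into (usable, test_payments, bad_timestamp)."""
    usable, tests, bad = [], [], []
    for p in payments:
        if parse_ts(p["ts"]) < GENESIS:
            bad.append(p)          # keep for investigation, never for modelling
        elif p["usd"] <= TEST_PAYMENT_MAX_USD:
            tests.append(p)
        else:
            usable.append(p)
    return usable, tests, bad


def summarise(usable):
    """Headline figures a loss model would start from."""
    by_family = {}
    for p in usable:
        by_family[p["family"]] = by_family.get(p["family"], 0.0) + p["usd"]
    amounts = [p["usd"] for p in usable]
    return {
        "n": len(amounts),
        "mean_usd": mean(amounts),
        "max_usd": max(amounts),
        "by_family_usd": by_family,
    }


def analyse(payments):
    """Full pass: partition, summarise the usable set, report what was excluded."""
    usable, tests, bad = partition(payments)
    report = summarise(usable)
    report["test_payments"] = len(tests)
    report["bad_timestamp_txids"] = [p["txid"] for p in bad]
    return report


if __name__ == "__main__":
    for key, value in analyse(PAYMENTS).items():
        print(f"{key}: {value}")
```

The defective record is kept rather than dropped silently: a cashout stamped 1972 is exactly the kind of thing the slide says to check for yourself, and excluding it from the averages while listing its transaction id is what lets someone do that. The test-payment cut-off is a modelling choice and belongs in the report alongside the figures it shaped.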

Page 30:

Exploit usage is quantifiable

By volume

Page 31:

Exploit usage is quantifiable

Across time

Page 32:

Let’s switch to rDDoS. Remember, start with your risk to others.

2018 Max: 155 Tb/s

Actual: 1.35 Tb/s

https://www.tandfonline.com/doi/abs/10.1080/23738871.2017.1362020

Page 33:

Largest DDoS per year.

Gathered from marketing material.

Page 34:

Our estimates of pool of capacity.

Created by summing risk to others!

Page 35:

Beware of our selection bias.

Most companies can not detect the largest DDoS without sharing information!

Page 36:

Normalise, Normalise, Normalise!

Page 37:

First we estimate APT “capacity for harm”, then we solve for “loss estimation” of minimal and maximal harms.

Page 38:

Why haven’t we solved cyber risk yet?

1. Because we focused on the risk to ourselves instead of our risk to others.
2. Because we did not put any science in the loss quantification or estimation.
3. Because we did not normalise or share the data.

Page 39:

Cyber risk is shared. Collaboration, not solitary heroes, reduces that risk.