1 / 16

The Impact of Immediate Disclosure on Attack Diffusion and Volume

The Impact of Immediate Disclosure on Attack Diffusion and Volume. Sam Ransbotham Boston College Sabyasachi Mitra Georgia Institute of Technology. Security Vulnerabilities and Disclosure. Does immediate disclosure of vulnerabilities affect exploitation attempts?

nevaeh
Télécharger la présentation

The Impact of Immediate Disclosure on Attack Diffusion and Volume

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Impact of Immediate Disclosure on Attack Diffusion and Volume Sam Ransbotham Boston College Sabyasachi Mitra Georgia Institute of Technology

  2. Security Vulnerabilities and Disclosure • Does immediate disclosure of vulnerabilities affect exploitation attempts? • Specifically, does immediate disclosure affect affect… • Risk: the likelihood of a vulnerability being exploited? • Diffusion: the diffusion of exploitations based on a vulnerability? • Volume: the volume of exploitations based on the vulnerability? • Methodology • Statistical analysis of intrusion detection system attack and NVD data • Key Result • Immediate disclosure accelerates exploitation attempts, slightly increases number of distinct targets but decreases attack volume.

  3. Disclosure Process as a R&D Race Attack Process Development of Exploit Method Firm is attacked Discovery of Vulnerability Diffusion of Attacks Security Process Discovery of Vulnerability Development of Patch by Vendor Firm is patched Public Disclosure? Diffusion of Patch ? ? Diffusion of Countermeasures Development of Countermeasures (e.g. detection signatures) Adapted from Ransbotham, Mitra, Ramsey (forthcoming MIS Quarterly)

  4. Tension: Immediate disclosure helps and hurts

  5. Internet (e.g. customers, vendors, attackers) Corporate Network Alert Database Signature Database Research Environment Intrusion Detection System 0101010… Data Stream 0101010… Filtered Data Monitor Signature Updates 0101010… Matched Alert Data This paper 400+ million alert subset 2006-2007, 960 firms NVD Operator Security Company matched to National Vulnerability Database

  6. NVD Example Begin Date Alternative Explanations Disclosure(s)

  7. Key Control Variables • Common Vulnerability Scoring System (CVSS) Assessment • Access required: (local, adjacent, remote) • Complexity: (low, medium, high) • Authentication: (required or not) • Impacts: (confidentiality, data integrity, availability of system resources) • Type • Access Validation: incorrect allowance of privileges • Input Validation: failure to handle incorrect input • Design Error: shortcomings in design of software • Exception Error: Insufficient response to unexpected conditions • Configuration Error: weak configuration of settings • Race Condition: errors due to sequencing of events • Patch available • Signature available • Application affected: Desktop or Server • Disclosure through Market (paid) mechanism • Age of vulnerability (days since publication)

  8. Vulnerability details

  9. Does immediate disclosure affect attacks? • Three ways to analyze this question… • 1. Risk:the likelihood of a vulnerability being exploited? • Data summarized by firm, vulnerability, day • Dependent variable is yes/no if attack seen on that day • Using stratified Cox proportional hazard models • 2. Diffusion:the diffusion of attacks based on a vulnerability? • Data summarized by vulnerability, day • Dependent variable is the cumulative number of firms attacked by that day • Using nonlinear regression to estimate diffusion curve • 3. Volume:the volume of attacks based on the vulnerability? • Data summarized by firm, vulnerability, day • Dependent variable is the count of attacks seen on that day • Using Heckman two-stage regression

  10. 1. Does immediate disclosure affect exploitation risk? Increased risk of exploitation attempt Cox proportional hazard model of exploitation attempts across 1,152,406 observations of 1201 vulnerabilities in 960 firms; robust standard errors in parentheses; analysis stratified across 960 firms; significance levels: * p<0.05; ** p<0.01; *** p<0.001

  11. 2. Does immediate disclosure affect diffusion? cumulative penetration Rate (R) Penetration (P) Delay (D)

  12. 2. Does immediate disclosure affect diffusion? ? Nonlinear regression on the cumulative number of affected firms; 132,768 daily observations of vulnerabilities exploited in at least one of 960 firms. Robust standard errors in parentheses; significance levels: *p<0.05; **p<0.01; ***p<0.001

  13. 2. Does immediate disclosure affect diffusion? Increased Penetration (?) Acceleration

  14. 3. Does immediate disclosure affect volume of alerts? increases volume Heckman two stage regression; n = 1,302,931; 709,090 uncensored; 1201vulnerabilities; standard errors in parentheses; significance levels: * p<0.05; **p<0.01; ***p<0.001 Stage 1: uncensored if exploit attempt for the vulnerability is observed in the sample Stage 2: natural log of the number of exploitation attempts

  15. Main Result • Immediate Disclosure can increase the risk, accelerate the diffusion and but decrease volume of attack attempts for vulnerabilities. • Adds to the scarce empirical research (most analytical) • Not single firm (hundreds) • Extended time period (two years) • Real attacks (not honeypot) • Opens window for attackers • But defenders are reacting quickly to close window • Attackers seem to abandon attacks quickly as well

  16. Going forward • Implications • Immediate disclosure affects both actions on window--- closing and opening • Forces defenders to react quickly • May not be socially optimal; prioritization skewed? • Limited disclosure? • Unclear if results hold for extreme case (all immediate disclosure) • Limited resource budget of defenders; attackers less limited • Using “workload index” to help understand this • Limitations • Working to further clarify first disclosure; results are conservative • High volume of noisy data: IDS and NVD

More Related