Download
1 / 16
160 likes | 226 Views
The Impact of Immediate Disclosure on Attack Diffusion and Volume. Sam Ransbotham Boston College Sabyasachi Mitra Georgia Institute of Technology. Security Vulnerabilities and Disclosure. Does immediate disclosure of vulnerabilities affect exploitation attempts?
E N D
The Impact of Immediate Disclosure on Attack Diffusion and Volume Sam Ransbotham Boston College Sabyasachi Mitra Georgia Institute of Technology
Security Vulnerabilities and Disclosure • Does immediate disclosure of vulnerabilities affect exploitation attempts? • Specifically, does immediate disclosure affect affect… • Risk: the likelihood of a vulnerability being exploited? • Diffusion: the diffusion of exploitations based on a vulnerability? • Volume: the volume of exploitations based on the vulnerability? • Methodology • Statistical analysis of intrusion detection system attack and NVD data • Key Result • Immediate disclosure accelerates exploitation attempts, slightly increases number of distinct targets but decreases attack volume.
Disclosure Process as a R&D Race Attack Process Development of Exploit Method Firm is attacked Discovery of Vulnerability Diffusion of Attacks Security Process Discovery of Vulnerability Development of Patch by Vendor Firm is patched Public Disclosure? Diffusion of Patch ? ? Diffusion of Countermeasures Development of Countermeasures (e.g. detection signatures) Adapted from Ransbotham, Mitra, Ramsey (forthcoming MIS Quarterly)
Internet (e.g. customers, vendors, attackers) Corporate Network Alert Database Signature Database Research Environment Intrusion Detection System 0101010… Data Stream 0101010… Filtered Data Monitor Signature Updates 0101010… Matched Alert Data This paper 400+ million alert subset 2006-2007, 960 firms NVD Operator Security Company matched to National Vulnerability Database
NVD Example Begin Date Alternative Explanations Disclosure(s)
Key Control Variables • Common Vulnerability Scoring System (CVSS) Assessment • Access required: (local, adjacent, remote) • Complexity: (low, medium, high) • Authentication: (required or not) • Impacts: (confidentiality, data integrity, availability of system resources) • Type • Access Validation: incorrect allowance of privileges • Input Validation: failure to handle incorrect input • Design Error: shortcomings in design of software • Exception Error: Insufficient response to unexpected conditions • Configuration Error: weak configuration of settings • Race Condition: errors due to sequencing of events • Patch available • Signature available • Application affected: Desktop or Server • Disclosure through Market (paid) mechanism • Age of vulnerability (days since publication)
Does immediate disclosure affect attacks? • Three ways to analyze this question… • 1. Risk:the likelihood of a vulnerability being exploited? • Data summarized by firm, vulnerability, day • Dependent variable is yes/no if attack seen on that day • Using stratified Cox proportional hazard models • 2. Diffusion:the diffusion of attacks based on a vulnerability? • Data summarized by vulnerability, day • Dependent variable is the cumulative number of firms attacked by that day • Using nonlinear regression to estimate diffusion curve • 3. Volume:the volume of attacks based on the vulnerability? • Data summarized by firm, vulnerability, day • Dependent variable is the count of attacks seen on that day • Using Heckman two-stage regression
1. Does immediate disclosure affect exploitation risk? Increased risk of exploitation attempt Cox proportional hazard model of exploitation attempts across 1,152,406 observations of 1201 vulnerabilities in 960 firms; robust standard errors in parentheses; analysis stratified across 960 firms; significance levels: * p<0.05; ** p<0.01; *** p<0.001
2. Does immediate disclosure affect diffusion? cumulative penetration Rate (R) Penetration (P) Delay (D)
2. Does immediate disclosure affect diffusion? ? Nonlinear regression on the cumulative number of affected firms; 132,768 daily observations of vulnerabilities exploited in at least one of 960 firms. Robust standard errors in parentheses; significance levels: *p<0.05; **p<0.01; ***p<0.001
2. Does immediate disclosure affect diffusion? Increased Penetration (?) Acceleration
3. Does immediate disclosure affect volume of alerts? increases volume Heckman two stage regression; n = 1,302,931; 709,090 uncensored; 1201vulnerabilities; standard errors in parentheses; significance levels: * p<0.05; **p<0.01; ***p<0.001 Stage 1: uncensored if exploit attempt for the vulnerability is observed in the sample Stage 2: natural log of the number of exploitation attempts
Main Result • Immediate Disclosure can increase the risk, accelerate the diffusion and but decrease volume of attack attempts for vulnerabilities. • Adds to the scarce empirical research (most analytical) • Not single firm (hundreds) • Extended time period (two years) • Real attacks (not honeypot) • Opens window for attackers • But defenders are reacting quickly to close window • Attackers seem to abandon attacks quickly as well
Going forward • Implications • Immediate disclosure affects both actions on window--- closing and opening • Forces defenders to react quickly • May not be socially optimal; prioritization skewed? • Limited disclosure? • Unclear if results hold for extreme case (all immediate disclosure) • Limited resource budget of defenders; attackers less limited • Using “workload index” to help understand this • Limitations • Working to further clarify first disclosure; results are conservative • High volume of noisy data: IDS and NVD
