2011.04 how to isotope tag a ghost
DESCRIPTION
Instrumenting and measuring indirect threats: lessons from economics applied to the underground.
TRANSCRIPT
![Page 1: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/1.jpg)
How to Isotope-Tag a Ghost
Allison Miller
Thursday, April 28, 2011
![Page 2: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/2.jpg)
![Page 3: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/3.jpg)
we don't talk about what we see; we see only what we can talk about
Donella Meadows, Thinking in Systems: A Primer
![Page 4: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/4.jpg)
threat trees
[Diagram: threat tree with branch probabilities p(x), p(y), p(z)]
![Page 5: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/5.jpg)
[Diagram: attack path with stages Start, Escalation, Impact, Breach]
![Page 6: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/6.jpg)
The Jungle-Gym Effect
![Page 7: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/7.jpg)
The Porous Attack Surface
![Page 8: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/8.jpg)
Enter the Ghosts
![Page 9: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/9.jpg)
an example: Fraud
![Page 10: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/10.jpg)
Fraud
![Page 11: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/11.jpg)
Haunted by an old problem
How do we measure things we can’t observe directly?
![Page 12: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/12.jpg)
Like what?
Fraud/Crime
Movement of cash
Underground economy
![Page 13: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/13.jpg)
Direct methods
Samples/Surveys
Intrusive observation
Passive observation
Indirect methods
Gap accounting
Impact indicators
Qualitative modeling
![Page 14: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/14.jpg)
Crime
![Page 15: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/15.jpg)
NCVS is the Nation's primary source of information on criminal victimization.
Sample of 76,000 households & ~135,300 persons
Frequency, characteristics and consequences (crimes in the US)
The survey enables BJS to estimate the likelihood of victimization via categories of violent & property crimes for the population as a whole
Population segments: gender, age, ethnicity, geography
http://bjs.ojp.usdoj.gov/index.cfm?ty=dcdetail&iid=245
![Page 16: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/16.jpg)
![Page 17: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/17.jpg)
[Chart: NCVS property crime rates per 1,000 households, 1999-2008; series: total property crime, burglary, theft, motor vehicle theft]
Figure 2. Property crime rates overall fell by 32% from 1999 to 2008
![Page 18: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/18.jpg)
Financial Crimes Report to the Public: 2009 | 2008 | 2007 | 2006 | 2005
Financial Institution Fraud and Failure Reports: 2006-2007 | 2005 | 2004 | 2003 (pdf) | 2002 (pdf) | 2000-2001 (pdf)
Insurance Fraud: Program Overview and Consumer Information
Mass Marketing Fraud: A Threat Assessment, June 2010
Mass Marketing Fraud: Awareness and Prevention Tips
Mortgage Fraud Reports: 2009 | 2008 | 2007 | 2006
National Money Laundering Strategy (pdf)
Securities Fraud: Awareness and Prevention Tips
http://www.fbi.gov/stats-services/publications
![Page 19: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/19.jpg)
2010 Internet Crime Report
www.ic3.gov
Partnership between NW3C/BJA and the FBI
![Page 20: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/20.jpg)
Cybercrime against Businesses, 2005
7,818 businesses in 2005
Data on:
Monetary loss and system downtime
Types of offenders, types of systems affected, vulnerabilities, whether incidents were reported to LE
Highlights:
3,247 businesses incurred loss totaling $867M
Majority of attacks went unreported to LE
http://bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=769
![Page 21: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/21.jpg)
Cash
![Page 22: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/22.jpg)
Cash movement
Velocity of money
V = Nominal GDP / Money Supply
![Page 23: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/23.jpg)
http://research.stlouisfed.org/fred2/categories/32242
![Page 24: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/24.jpg)
Where’s George?
http://www.wheresgeorge.com/
![Page 25: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/25.jpg)
Shadow
![Page 26: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/26.jpg)
| Method | Approach | Detail |
| --- | --- | --- |
| Direct methods | Surveys | |
| Direct methods | Audits | |
| Indirect methods | Via national accounting | Gap between production & expenditure |
| Indirect methods | Via national accounting | Gap between official & actual labor |
| Indirect methods | Via national accounting | Gap between official & actual income |
| Indirect methods | Monetary statistics | Velocity of M1 (cash/currency) |
| Indirect methods | Monetary statistics | Velocity of major bills |
| Indirect methods | Monetary statistics | Transactions approach |
| Indirect methods | Monetary statistics | Currency demand |
| Indirect methods | Physical input consumption | Electricity consumption |
| Indirect methods | Soft modeling | Cause/effect (DYMIMIC) |

Source: Schneider & Enste (2002), The Shadow Economy: An International Study, Cambridge Press.
![Page 27: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/27.jpg)
Changes over time
[Chart: Size of shadow economy as a % of official GNP (cash approach) for Belgium, Sweden, Ireland, France, Netherlands, Germany, GB, USA; years 1970, 1980, 1994, 1995, 1996, 1997. Data Source: Schneider & Enste (1998)]
![Page 28: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/28.jpg)
Comparing results
[Chart: Size of the shadow economy as % of official GNP for Belgium, Sweden, Ireland, France, Netherlands, Germany, GB, USA; series: Cash approach (Johnson 1990/93), Cash approach (Schneider 1989/90), Cash approach (Schneider 1990/93), Electricity consumption (1989/90). Data Source: Schneider & Enste (1998)]
![Page 29: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/29.jpg)
| Method | Example |
| --- | --- |
| Direct methods | |
| Samples/Surveys | Crime surveys |
| Intrusive observation | Tax audits |
| Passive observation | Bill tracking |
| Indirect methods | |
| Gap accounting | Income vs expenditure |
| System statistics | Velocity of money |
| Impact indicators | Energy consumption |
| Qualitative modeling | DYMIMIC |
![Page 30: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/30.jpg)
Spam & Phishing
Botnets
Virus & Malware
![Page 31: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/31.jpg)
Transactional
High-volume
Feedback loop
Centralized collection
Widely distributed
![Page 32: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/32.jpg)
Email ISPs & spam detection
Content segmentation
Metrics on origin, target, intermediaries
Cyclicality, event correlation
![Page 33: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/33.jpg)
Majority of email is "bad" (~90% in Q1 2010)
Malware taking share from spam
Crafted attacks as well as blitzes
Most campaigns are short (<24 hours)
![Page 34: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/34.jpg)
AV vendors
Software, devices, environments targeted
Mechanism of infection
Payload/impact
![Page 35: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/35.jpg)
Custom malware
Social networks: infection mechanism & targets
Drive-bys
Mobile & POS devices
![Page 36: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/36.jpg)
ISPs, independent researchers
Mechanisms of communication, control
Profiling & tracking (network, victims, targets)
Feature analysis
Performance (attack metrics)
![Page 37: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/37.jpg)
Packet, Flow, Log (app, A/V, spam) analysis
Machine learning algorithms for IRC-based C&C botnet traffic (Strayer et al)
Clustering analysis for P2P botnet detection (Zeidanloo et al)
DNS analysis & monitoring
Changes in DNS traffic patterns (volume, errors)
Sinkholing (domain name takeovers)
IRC & P2P infiltration
Honeypots
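The "changes in DNS traffic patterns (volume, errors)" signal listed above, as an added example that is not part of the deck: a small Python detector that buckets resolver log lines per client and time window and flags clients whose share of NXDOMAIN answers exceeds a threshold once they have enough query volume. The log format, client addresses, the example-dga.test names and the thresholds are all constructed for illustration.

```python
# Added example, not from the original deck: flag clients whose DNS error
# rate jumps inside a time window (the "volume, errors" DNS signal).
from collections import defaultdict

# Constructed resolver log: "<unix_ts> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.5 mail.example.com NOERROR
1002 10.0.0.9 cdn.example.net NOERROR
1003 10.0.0.9 www.example.com NOERROR
1060 10.0.0.5 www.example.com NOERROR
1061 10.0.0.7 a9f3k2.example-dga.test NXDOMAIN
1062 10.0.0.7 zq8w1x.example-dga.test NXDOMAIN
1063 10.0.0.7 p0o9i8.example-dga.test NXDOMAIN
1064 10.0.0.7 m3n4b5.example-dga.test NXDOMAIN
1065 10.0.0.7 l2k3j4.example-dga.test NXDOMAIN
1066 10.0.0.7 www.example.com NOERROR
"""

def parse_log(text):
    """Parse log lines into (ts, client, qname, rcode) tuples; skip blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname, rcode))
    return records

def window_stats(records, window=60):
    """Count [total, nxdomain] answers per (client, window bucket)."""
    stats = defaultdict(lambda: [0, 0])
    for ts, client, _qname, rcode in records:
        key = (client, ts // window)
        stats[key][0] += 1
        if rcode == "NXDOMAIN":
            stats[key][1] += 1
    return stats

def flag_clients(stats, min_queries=5, max_error_rate=0.5):
    """Return clients with enough volume and an error share above threshold."""
    flagged = set()
    for (client, _bucket), (total, nx) in stats.items():
        if total >= min_queries and nx / total > max_error_rate:
            flagged.add(client)
    return flagged

def detect(text, window=60):
    """End-to-end: parse, bucket, and flag; returns a set of client IPs."""
    return flag_clients(window_stats(parse_log(text), window))
```

On the constructed log only 10.0.0.7 is flagged: six queries in one 60-second bucket, five of them NXDOMAIN; the other clients never reach the volume floor.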
![Page 38: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/38.jpg)
useful.
Google Postini Services Spam Trend & Analysis (July 2010, >3B email connections/day)
McAfee Quarterly Threats Report (>20M new malware samples in 2010)
Symantec State of Spam & Phishing (300M email addresses)
Trustwave Global Security Report 2011 (15 billion emails from 2006-10, 220 breach investigations)
ENISA: Botnets: Measurement, Detection, Disinfection and Defence
![Page 39: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/39.jpg)
| Method | Example |
| --- | --- |
| Direct methods | |
| Samples/Surveys | Spam & Phishing, Virus & Malware |
| Intrusive observation | Sinkholing, Audits |
| Passive observation | Honeypots, Flow analysis |
| Indirect methods | |
| Gap accounting | "Cuckoo's Egg" |
| System statistics | |
| Impact indicators | Breach investigations |
| Qualitative modeling | |
![Page 40: 2011.04 How to Isotope Tag a Ghost](https://reader034.vdocuments.mx/reader034/viewer/2022052413/55974d411a28abb7018b45f5/html5/thumbnails/40.jpg)
More opportunities for data aggregation
System accounting
Test simple metrics, data sets in experimental models
For existing data-sets: opportunities to move from transactional to flow-based
Questions?
Allison Miller
@selenakyle