Economic Factors of Vulnerability Trade and Exploitation

Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists of the economics of attack acquisition and deployment. Yet this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack landscape. In this paper we provide an empirical investigation of the economics of vulnerability exploitation and of the effects of market factors on the likelihood of exploitation. Our data is collected first-hand from a prominent Russian cybercrime market where the most active attack tools reported by the security industry are traded. Our findings reveal that exploits in the underground are priced similarly to or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than is often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on the likelihood that an attack is realized, and find strong evidence of a correlation between market activity and exploit deployment. We discuss the implications for vulnerability metrics, economics, and exploit measurement.
