Quantitative Assessment of Risk Reduction with Cybercrime Black Market Monitoring

Cybercrime is notoriously maintained and empowered by the underground economy, manifested in black markets. In such markets, attack tools and vulnerability exploits are constantly traded. In this paper, we focus on making a quantitative assessment of the risk of attacks coming from such markets, and investigating the expected reduction in overall attacks against final users if, for example, vulnerabilities traded in the black markets were all to be promptly patched. In order to conduct the analysis, we mainly use the data on (a) vulnerabilities bundled in 90+ attack tools traded in the black markets collected by us; (b) actual records of 9 × 10^7 attacks collected from Symantec's Data Sharing Programme WINE. Our results illustrate that black market vulnerabilities are an important source of risk for the population of users; we further show that vulnerability mitigation strategies based on black market monitoring may outperform traditional strategies based on vulnerability CVSS scores by providing up to 20% more expected reduction in attacks.
