The most common themes I heard during this year's BlackHat conference were driven by the implications of the underground economy. Monetization of the attack space has dramatically changed how the information security community handle emerging threats. Practitioners no longer talk about 100% effectiveness and other meaningless metrics and instead focus on minimization of harm. I have been towing this line myself for some time, and I would like to share with you the general framework in which I think about security in this current context.
Five years ago or so, Dan Geer and several others put forth the concept that the root cause of infosec issues was the monoculture of Microsoft systems. No longer a controversial idea in the community, the statement caused a gigantic uproar at the time, leading to Dr. Geer's departure from @Stake. The paper was a milestone for those working in the security economics field, as its basic postulate linked the creation of individual exploits to the value that can be derived from an exploit. In other words, people exploited windows because their work would create far more value for the author, as it could be applied to the vast majority of computer systems in the world.
We can formalize this concept as a zero-sum non-cooperative game. Consider two players, the Attacker (A) and Defender (D). A and D can either attack/defend one of two classes of system, denoted 1 and 2. Systems 1 and 2 cover assets valued at v1 and v2. A given system may be the entire class of Microsoft OS's, a class of messaging technologies (e-mail vs. SMS), processor architectures, Anti-Virus products, etc. The value associated with a class of systems is what the attacker assumes the monetization rate to be for that class of products: a block of ATM machines versus several hundred spam generating home computers. I digress.
During each iteration of the game, the defender can invest his energy into defending either of the two systems. If the defender chooses the same system n as the attacker, then he has a probability p of success, giving the attacker an expected payoff of (1-p)vn. If the attacker and defender choose different systems, then the payoff to the attacker is vn, as the system is undefended.
One of the implications of the model is that there are situations where it is never the best decision to attack the system that covers the least assets, even if it is undefended. If we consider two system classes n and m, if the value of attacking the defended system is greater than that of attacking an undefended system ((1-p)vn > vm), then the strategy of attacking vn strictly dominates the strategy of attacking vm. In other words, a rational attacker will ignore an unprotected system if he or she can profit by attacking a far more valuable but defended system.
This appears to be a validation of the concept of software diversity, but I consider this model to be interesting for a very different reason: it effectively segments the market for both attacks and defenses based upon what I call quantifiable rationality, or whether or not someone can put a dollar value on the work that is being done. Attackers and defenders who choose to go after systems which are either minimally valued or difficult to value are doing so for publicity, which is notoriously difficult to economically quantify, or expectations that the future will shift the relative valuations of the protected systems. Likewise, attackers and defenders who focus on the highest valued systems are the same individuals who are able to truly quantify their market. Consider the iPhone browser vulnerabilities and SMS spam, Hypervisor Rootkits and Detection and actual working AV Technologies, and Network-layer Firewalls and Application Layer Protections: each of these parings consists of a concept that either dominates either the mind-share or security market, while the problems that cause true financial pain points remain unaddressed.
As we will see in a later post, the two halves of the security market act in very different ways, necessitating different technologies and business practices.