CAMBRIDGE–Researchers and security vendors have been telling us for years now that attackers have developed sophisticated, targeted attacks designed to separate victims from their money as quickly and cleanly as possible. If that’s so, why aren’t all of us being compromised on a regular basis? A researcher from Microsoft Research posited at the WEIS 2010 workshop Tuesday that the answer is simple economics.
Mass attacks such as phishing, spam, email viruses and others have been around for nearly 20 years, and most users have developed some level of familiarity and immunity to them. And yet they’re still humming right along, if not growing in some cases. Why? In short, because they still work to some degree and the effort involved is quite low.
The amount of time and money it takes to send out 10 million phishing emails versus five million emails is negligible once the attacker has his infrastructure in place. As a result, these attacks are still quite prevalent, despite their diminishing economic return. But even with relatively low returns per attack, these kinds of scalable attacks yield a high profit for professionals, said Cormac Herley of Microsoft Research, who presented his paper on the topic, “The Plight of the Targeted Attacker in a World of Scale,” at the Workshop on the Economics of Information Security here Tuesday.
“The profit is far higher for scalable attacks,” he said. “The rewards are growing linearly and the costs are growing sub-linearly. In that case, you attack everyone as often as possible.”
By contrast, non-scalable attacks, such as highly targeted efforts to compromise one specific user, group of users or company, take far more effort on the attacker’s part and come with a set of variables that are very difficult for him to control. For example, attackers going after specific targets likely have little insight into the target system’s actual monetary value (i.e., does it house banking credentials or other easily monetized data?), and gaining that kind of insight takes a lot of time and effort.
That extra expenditure of effort, and likely of money, eats into whatever potential profit the operation might produce, Herley said, meaning that these attacks must yield more per attack in order to be worthwhile. If they don’t yield a lot of money, then the attacker would be better off moving to another tactic.
“Non-scalable attacks have to be selective attacks. Every attack costs you something,” Herley said. “If the non-scalable attacks can’t match the return of the scalable attacks, she should change tactics. At equal costs, she needs a way better yield. But competing on yield makes no sense because when she extracts the same value per victim, there’s too much effort.”
So, the short answer is that you’re not being attacked constantly because you’re not worth the effort.
In order for the skilled attacker to succeed financially with his targeted, non-scalable attacks, he needs to find a high concentration of value. But the trick is that the value in those targets also must be observable. If he doesn’t know it’s there, then it’s of no use to him.
“Elaborate non-scalable attacks fail to happen because the benefit to the attacker is far less than the cost we represent to the attacker,” he said. “Most users never see most attacks.”