Model Predicts Optimal Timing for Targeted Attacks

A mathematical model developed by University of Michigan researchers helps attackers and defenders understand optimal conditions when a targeted malware attack should be launched.

Security researchers from the Ford School of Public Policy at the University of Michigan have published a mathematical model they said will produce the proper timing for the delivery of offensive cyberweapons. Defenders can also make use of the model to understand attackers and when a targeted attack might occur.

“A simple mathematical model is offered to clarify how the timing of such a choice can depend on the stakes involved in the present situation, as well as the characteristics of the resource for exploitation,” wrote Robert Axelrod and Rumen Iliev in a paper called “Timing of Cyber Conflict.”

The two researchers used the Stuxnet and Saudi Aramco attacks, as well as the persistent targeted attacks attributed to the Chinese government, as a baseline for their analysis of cyber conflicts. The researchers’ goal is to mitigate the harm destructive cyberattacks can do and understand their capabilities.

The researchers built the model from the point of view of the attacker in order to make a best guess at the conditions and timing under which a potentially destructive attack would be launched. The model takes into account the fact that a zero-day launched today will likely be less effective at a later date, especially once an attack is discovered and mitigations are put in place.

“The heart of our model is the trade-off between waiting until the stakes of the present situation are high enough to warrant the use of the resource, but not waiting so long that the vulnerability the resource exploits might be discovered and patched even if the resource is never used,” Axelrod and Iliev wrote.

The model makes a number of assumptions about what’s at stake in a particular conflict, be it an all-out war or an espionage engagement for trade or military secrets. The stakes change over time, but the model focuses only on the current environment. It also looks at the characteristics of the resource, or weapon, and how long it can be sustained based on its stealth and persistence. A benchmark for stealth used in the study is the average duration of a zero-day attack, 312 days, according to Leyla Bilge and Tudor Dumitras, while a persistence benchmark is that within three to five years, only three percent to five percent of vulnerabilities in Chrome and Firefox are rediscovered. The target’s patching practices also affect the stealth and persistence of an attack, the researchers said.

“Because stakes are not under your control, your best policy is to wait until the stakes are high enough to risk losing the resource because of its limited stealth,” they wrote. In short, an attacker will want to use his available resources often, but only when the stakes are at their highest.

Another assumption made in the model is the value of a weapon, which is dependent on its persistence and stealth, the researchers said. Within their paper, the researchers present an equation that helps an attacker or defender determine the value of a resource, which helps determine how to best use it based on particular thresholds.

The researchers concluded that in situations where the stakes are constant, such as the payoff for stealing payment card data, a cyberweapon should be used quickly and often. For high-stakes events, attackers and defenders need to evaluate three factors before deciding how long to wait to launch an attack: low stealth, high persistence and large stakes, the researchers wrote.

For a comparison, the researchers looked at the Stuxnet worm, which they said likely had low persistence because it relied on multiple zero-day exploits to get the job done. This meant the attackers had to use their malware quickly, and therefore stealth was important. Stuxnet accomplished this in spades, lasting 17 months inside the Natanz network before it was detected. As for the stakes, they were high for the attackers, whose goal was to derail Iran’s nuclear program.

Another factor to consider is the legitimate market for zero-day exploits and the competing vendor bounties for mitigation-bypass attacks. The researchers go against the conventional thinking that the market would be saturated with new exploits, arguing instead that the pool of undiscovered vulnerabilities is deep.

“With new versions of commonly used software being introduced at a high rate to patch recently discovered vulnerabilities and to add new features, the pool of zero-day exploits waiting to be discovered is ever renewable,” the researchers wrote.

Turning their model on the zero-day market, the researchers concluded that the more effort goes into finding zero days, the more persistence will go down, because a resource is likely to be discovered by others as well and possibly sold before it is used. Prices will fall because supply will be greater and because less persistence means weapons are worth less, they said.

“The implications of our model are easy to summarize: Stealth and Persistence are both desirable properties of a resource, and increase its Value,” they wrote. “However, they have opposite effects on the best time to use the resource. Persistence leads to more patience, meaning the stakes need to meet a higher Threshold before the resource is worth using.”
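As an added illustration, not the paper's own equations (the article does not reproduce them), here is a small Python formalization of the trade-off in the researchers' terms: wait for high enough stakes, but not so long that the vulnerability is patched unused. The payoff structure, the discount factor and the sample stakes distribution are my assumptions.

```python
# Added illustration (my formalization, not from the Axelrod/Iliev paper).
# Assumptions: each period the Stakes are drawn independently from a known
# distribution; using the resource yields the current Stakes and the resource
# survives to the next period with probability STEALTH; not using it, the
# resource survives with probability PERSISTENCE (the bug may be patched anyway);
# future periods are discounted by DISCOUNT.

def resource_value(stakes_dist, stealth, persistence, discount=0.9, iters=500):
    """Value V of holding the resource when the holder acts optimally each period.

    V satisfies V = E[max(stakes + d*S*V, d*P*V)] (d = discount, S = stealth,
    P = persistence), solved by value iteration; it converges because d < 1.
    """
    v = 0.0
    for _ in range(iters):
        v = sum(p * max(x + discount * stealth * v, discount * persistence * v)
                for x, p in stakes_dist)
    return v

def use_threshold(stakes_dist, stealth, persistence, discount=0.9):
    """Minimum Stakes at which using now beats waiting.

    Use iff stakes + d*S*V >= d*P*V, i.e. stakes >= d*(P - S)*V.
    Higher persistence raises the threshold; higher stealth lowers it.
    """
    v = resource_value(stakes_dist, stealth, persistence, discount)
    return discount * (persistence - stealth) * v

def should_use(stakes, stakes_dist, stealth, persistence, discount=0.9):
    """Decision for the current period given the drawn Stakes."""
    return stakes >= use_threshold(stakes_dist, stealth, persistence, discount)

# Constructed stakes distribution: routine periods (stakes 1) most of the time,
# a rare high-stakes period (stakes 10) one period in ten.
RARE_HIGH = [(1.0, 0.9), (10.0, 0.1)]
# Constructed constant-stakes case, like the card-data payoff in the article.
CONSTANT = [(1.0, 1.0)]

if __name__ == "__main__":
    for label, P in (("high persistence", 0.95), ("low persistence", 0.6)):
        t = use_threshold(RARE_HIGH, stealth=0.5, persistence=P)
        print(f"{label}: threshold={t:.2f}, use at routine stakes? {1.0 >= t}")
    print("constant stakes threshold:", round(use_threshold(CONSTANT, 0.5, 0.95), 3))
```

With the rare-high distribution, the high-persistence resource is held back until the stakes-10 period, the low-persistence one is spent at routine stakes, and under constant stakes the threshold sits below the stakes, so the resource is used immediately. A defender can read the threshold the other way round: faster patching lowers persistence, which lowers the stakes at which an adversary is willing to burn a capability and reduces what that capability is worth.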
