Approved for Public Release
Distribution A – Unlimited

A proposed “Exploit Collateral Effect Potential (ECEP)” metric
August 2015

Giorgio Bertoli
Chief Scientist (A)
Intelligence and Information Warfare Directorate (I2WD)

Authors: Giorgio Bertoli (CERDEC/I2WD); Lisa Marvel, PhD (ARL)
Kinetic vs. Cyberspace “Fires”
[Figure: kinetic and cyber “fires” contrasted along a distance axis; the slide carries no further text.]
Collateral Damage Taxonomy
• Errors
• Uncontrolled weapon behavior
• Target dependencies
• Political ramifications
Hypothetical Example (actors: Alice and Bob)
• Errors: the poison is infectious
• Uncontrolled weapon behavior: contaminated water supply; killed all Bob’s neighbors
• Target dependencies: Bob would have cured cancer
• Political ramifications:
  • Is it moral (during war) to poison people?
  • If discovered, could an antidote be readily created?
  • Can it be reverse-engineered and used against us?
  • Was Bob also an informant who was more valuable alive?
Can we devise a quantitative metric for individual SW exploits, analogous to Potential Energy (PE), that relates to the amount of Collateral Damage the exploit can achieve based solely on its inherent capabilities?
Epidemiology of SW exploits
Timeline of a vulnerability and its exploit (figure read left to right; the T labels follow the figure’s order):
• T-3: Vulnerability created
• T-2: System susceptible (vulnerable SW deployed)
• T-1: Vulnerability discovered
• T0: Vulnerability exploited (0-day created)
• T1: Exploit deployed
• T2: Exploit discovered
• T3: Exploit reverse engineered
• T4 / T4’: Signature developed / Patch developed
• T5 / T5’: Signature deployed / Patch deployed
• Incubation Period: the time between catching an infection and symptoms appearing
• Infectious Period: the time period during which those infected can spread the disease to others
Lytic cycle analogy (Absorption → Entry → Replication → Assembly → Release): SW transmitted to target system; exploit SW becomes resident on target system; exploit SW is executed; exploit propagates.
ECEP Attributes
• DAMAGE
• EXCLUSIVITY
• PROPAGATION
• CONTROL
• DETECTABILITY
• REMEDIATION
Scoring range: 0.0 (None) to 4.0 (Very High), quantized in steps of 0.5 (0.0, 0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.0).
Exclusivity Attribute
Metric value: Description
• Very Low (0): Exploit applies specifically to one system and has no ability to execute on any other system (e.g. embedded SW within a very unique HW device).
• Low (0.5, 1.0): Exploit applies to a very narrow set of systems, or a family of systems which are not available in large quantity within cyberspace (e.g. a specific family of Programmable Logic Controllers (PLC)).
• Moderate (1.5, 2.0): Exploit applies to a moderate number of systems within cyberspace (1–5%) (e.g. a specific make of SQL, Web, or email server).
• High (2.5, 3.0): Exploit applies to a large number of systems (5–10%) (e.g. all Web servers).
• Very High (3.5, 4.0): Exploit applies to a very large number of systems (> 10%) (e.g. all Microsoft Windows systems or most Internet browsers).
Computing ECEP
Assumes all attributes are independent variables.
[Figure: exponential-rise curves, y from 0 to 1 against the exclusivity / propagation score (AE, AP) from 0 to 4, plotted for δ = 0.8, 1.0 and 1.2.]
• Ai is the assigned attribute score
• AE is the attribute score for exclusivity
• AP is the attribute score for propagation
• Wi, WE, WP are the respective attribute weighting factors
• δ is the exponential rise constant
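A worked scorer for the attribute scheme on the Exclusivity and Computing ECEP slides, added here as an example; it is not the authors' code. The deck lists the variables (Ai, AE, AP, Wi, WE, WP, δ) and the scoring bands but not the formula itself, so the basic-sum (0–24) and exponential-rise combination below, the split points inside each exclusivity band, and the two sample exploits are all assumptions.

```python
"""ECEP scoring helpers, added as an example for this deck; they are not the
authors' code.  Taken from the slides: six attributes scored 0.0 (None) to
4.0 (Very High) in 0.5 steps, the Exclusivity Attribute bands, an
exponential rise constant delta applied to the exclusivity (AE) and
propagation (AP) scores, and result charts on a 0-24 axis.  Assumed here,
because the slide's formula itself is not in the text: the basic score is
the plain sum of the six attributes (6 x 4 = 24) and the extended score
scales a weighted sum by the mean exponential rise of AE and AP."""
import math

ATTRIBUTES = ("damage", "exclusivity", "propagation",
              "control", "detectability", "remediation")


def validate_score(value):
    """Reject scores outside 0.0..4.0 or off the 0.5 quantization grid."""
    if not 0.0 <= value <= 4.0 or value * 2 != int(value * 2):
        raise ValueError("score %r must lie in 0.0..4.0 in steps of 0.5" % value)
    return float(value)


def exclusivity_score(share_of_cyberspace, single_system=False):
    """Exclusivity attribute from the deck's table, driven by the fraction of
    cyberspace the exploit applies to.  Assumed refinement: each band's lower
    value for the lower half of its range, the upper value otherwise."""
    if single_system:                    # Very Low: one unique system only
        return 0.0
    s = share_of_cyberspace
    if s < 0.01:                         # Low: narrow set or small family
        return 0.5 if s < 0.005 else 1.0
    if s < 0.05:                         # Moderate: 1-5% of cyberspace
        return 1.5 if s < 0.03 else 2.0
    if s < 0.10:                         # High: 5-10%
        return 2.5 if s < 0.075 else 3.0
    return 3.5 if s < 0.50 else 4.0      # Very High: > 10%


def exp_rise(score, delta):
    """Assumed exponential-rise curve: 0 at score 0, 1 at score 4; a larger
    delta keeps the curve flatter for longer before it climbs.  Matches the
    0..1 over 0..4 axes of the 'Computing ECEP' slide."""
    validate_score(score)
    return (math.exp(delta * score / 4.0) - 1.0) / (math.exp(delta) - 1.0)


def basic_ecep(scores):
    """Assumed basic score: plain sum of the six attribute scores, 0..24."""
    missing = [a for a in ATTRIBUTES if a not in scores]
    if missing:
        raise ValueError("missing attributes: %s" % missing)
    return sum(validate_score(scores[a]) for a in ATTRIBUTES)


def extended_ecep(scores, delta=1.0, weights=None):
    """Assumed extended score: sum of W_i * A_i scaled by the mean exponential
    rise of exclusivity and propagation, so a targeted exploit with little
    reach stays low however destructive its payload is."""
    weights = weights or {a: 1.0 for a in ATTRIBUTES}
    weighted = sum(weights[a] * validate_score(scores[a]) for a in ATTRIBUTES)
    reach = 0.5 * (exp_rise(scores["exclusivity"], delta)
                   + exp_rise(scores["propagation"], delta))
    return weighted * reach


# Constructed sample inputs: a self-spreading worm that runs on most Windows
# systems, and a destructive implant built for one narrow PLC family.
WORM = {"damage": 3.0, "exclusivity": exclusivity_score(0.6),
        "propagation": 4.0, "control": 3.5, "detectability": 2.0,
        "remediation": 2.5}
TARGETED = {"damage": 4.0, "exclusivity": exclusivity_score(0.001),
            "propagation": 0.0, "control": 1.0, "detectability": 3.0,
            "remediation": 2.0}

if __name__ == "__main__":
    for name, ex in (("worm", WORM), ("targeted", TARGETED)):
        print("%-8s basic=%5.2f extended(delta=1.0)=%5.2f"
              % (name, basic_ecep(ex), extended_ecep(ex)))
```

Run stand-alone it prints both scores for each sample; the targeted implant carries the higher damage score yet lands near zero on the extended scale, which is the behaviour the Conclusion slide describes.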
Historical Study Results – Part 1
[Chart: ECEP Score (0–24) per exploit; series: Author’s Basic ECEP Score, Author’s Extended ECEP Score, Exploit Historical Damage Assessment.] Exploits plotted, with year: Morris (1988), Tequila (1991), Michelangelo (1992), Concept (1995), Chernobyl (1998), Melissa (1999), LoveLetter (2000), CodeRed (2001), NIMDA (2001), KLEZ (2001), sobig (2003), SQLSlammer (2003), MyDoom (2004), Sasser (2004), SpaceHero (2005), Nyxem (2006), Conficker (2008), stuxnet (2010), flame (2012), Flashback (2012).
Historical “Collateral” Damage Assessment
Three sub-scores, each on a 0–8 scale:
• Number of hosts infected (relative to historical size of the Internet): < 10k, 1–10k, 10–100k, 100–500k, 500k–1M, 1–5M, 5–15M, 15–50M, > 50M
• Impact on Internet operation, from least to most severe: None; Negligible; Minor degradation; Noticeable degradation; Significant slowdown; Severe slowdown; Some temporary disconnection / self quarantine; Partitioning of domains & service outage; Backbone crash; Extended global communication loss; Long term global communication shutdown
• Resulting damage in $: < 100k, 100k–1M, 1–100M, 100–500M, 500M–1B, 1–5B, 5–20B, 20–200B, > 200B
Historical Study Results
[Chart not captured in the extracted text.]
Growth of the Internet
[Chart; source: Mark Schueler, Southampton University, 2012.]
Virulence Category Overlay
[Chart: ECEP Score (0–24) for the same twenty historical exploits as Part 1 (Morris 1988 through Flashback 2012); series: Extended ECEP Score Avg. and Exploit Historical Damage Assessment, overlaid with virulence categories.]
Conclusion
• The proposed ECEP score derivation process is a viable mechanism for quantifying the collateral damage potential associated with a particular SW exploit.
• The identified attributes provide a key indicator (predictor) of how exploit-centric collateral damage can be bounded.
• Many computer exploits do not behave like computer viruses / worms. Most are (or can be) highly exclusive or targeted and have minimal to no propagation opportunities, thus resulting in a very low ECEP.
Questions?

Problem Statement
Damage Attribute
Two sub-attributes are scored: Dp (loss of system functionality / productivity) and Dc (loss of data confidentiality).
• Very Low (0)
  Dp: No impact. Execution of the exploit does not result in any loss of functionality.
  Dc: No impact. Execution of the exploit does not result in any loss of data.
• Low (0.5, 1.0)
  Dp: Nuisance-level impact. Execution of the exploit results in only nuisance-level or minimal loss of productivity (e.g. spamware).
  Dc: Minimal loss of data confidentiality. Execution of the exploit may exfiltrate basic metadata about the targeted system (e.g. logical address information and/or OS type).
  ** Exploits that result in a mechanism for the deployment and execution of other effect payloads (e.g. turning the machine into a zombie) are to be assigned a value of 1.
• Moderate (1.5, 2.0)
  Dp: Execution of the exploit results in partial loss of system functionality (e.g. degradation of system performance or disruption of a single process; corruption of specific data file types).
  Dc: Execution of the exploit results in some loss of non-critical data[1] (e.g. simple Trojans with capabilities such as Sub7 or BackOrifice).
• High (2.5, 3.0)
  Dp: Execution of the exploit results in significant loss of system functionality, potentially for an extended period of time (e.g. loss of all network connectivity or corruption of the OS preventing system boot).
  Dc: Execution of the exploit results in significant, but partial, loss of critical data confidentiality (e.g. theft of credit card information, PII, proprietary information, passwords, etc.).
• Very High (3.5, 4.0)
  Dp: Execution of the exploit results in the complete (possibly permanent) loss of system functionality (e.g. corruption or damage to critical system components, often at hardware level, that makes the system inoperable and very difficult to repair). May result in physical destruction of equipment or loss of life (e.g. manipulating a heat sensor to prevent cooling, thus permanently damaging the system).
  Dc: Execution of the exploit results in the complete loss of all data confidentiality, including data of the highest sensitivity.
Historical Study Results – Part 2a (Std. Dev.)
[Chart: same twenty exploits and 0–24 ECEP Score axis as Part 1; series: Extended ECEP Score Avg. and Exploit Historical Damage Assessment, shown with standard deviations.]
Future Work
• Existing models focus only on estimating virulence (the equilibrium point at which a pandemic occurs).
• These models abstract all virus characteristics into two parameters:
  • Virus birth rate
  • Virus death rate
• To properly measure a computer virus’s collateral damage potential, these models would need to be extended to also account for “pain and suffering” (damage caused to both the host and the communication backbone).
• Augmenting such models should provide a probabilistic mathematical mechanism for validating calculated ECEP scores.
Source: “A Proposed Collateral Effect Potential Metric for Computer Exploits: TechNet Augusta 2015” (SlideShare upload by AFCEA International)
