
Understanding Bifurcation of Slow Versus Fast Cyber-Attackers

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9963)

Abstract

Anecdotally, the distinction between fast “Smash-and-Grab” cyber-attacks on the one hand and slow attacks or “Advanced Persistent Threats” on the other hand is well known. In this article, we provide an explanation for this phenomenon as the outcome of an optimization from the perspective of the attacker. To this end, we model attacks as an interaction between an attacker and a defender and infer the two types of behavior observed based on justifiable assumptions on key variables such as detection thresholds. On the basis of our analysis, it follows that bi-modal detection capabilities are optimal.


Notes

  1. A typical example is an analytics capability that periodically scans the large number of log files generated by the system and checks them against predefined (mis)use cases or rules.

  2. The activity level parameterizes, in an abstract and general way, the number of actions performed during the attack per unit time. Its concrete value depends on the details of the attack and the system; for example, it may be the rate of data exfiltration from the defender's network.

  3. This assumption takes into account loss occurring within any time interval after an attack. Incidents with a direct financial loss are not the only ones that result in value loss for an organization: indirect impact in the form of lost investments and future income, as well as the consequences of (so far) unnoticed attacks, usually lead to value loss for the defender in the long term.


Acknowledgements

The research leading to these results has received funding from the European Union’s Seventh Framework Programme (FP7/2007–2013) under grant agreement ICT-318003 (TRESPASS). This publication reflects only the authors’ views and the Union is not liable for any use that may be made of the information contained herein.

Author information

Corresponding author: Maarten van Wieren.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

van Wieren, M., Doerr, C., Jacobs, V., Pieters, W. (2016). Understanding Bifurcation of Slow Versus Fast Cyber-Attackers. In: Livraga, G., Torra, V., Aldini, A., Martinelli, F., Suri, N. (eds) Data Privacy Management and Security Assurance. DPM QASA 2016. Lecture Notes in Computer Science, vol 9963. Springer, Cham. https://doi.org/10.1007/978-3-319-47072-6_2

  • DOI: https://doi.org/10.1007/978-3-319-47072-6_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47071-9

  • Online ISBN: 978-3-319-47072-6
