© Sam Ransbotham The Impact of Immediate Disclosure on Attack Diffusion and Volume Sam Ransbotham Boston College Sabyasachi Mitra Georgia Institute of Technology


© Sam Ransbotham

The Impact of Immediate Disclosure on Attack Diffusion and

Volume

Sam Ransbotham

Boston College

Sabyasachi Mitra

Georgia Institute of Technology


Security Vulnerabilities and Disclosure

Does immediate disclosure of vulnerabilities affect exploitation attempts?

Specifically, does immediate disclosure affect…

Risk: the likelihood of a vulnerability being exploited?

Diffusion: the diffusion of exploitations based on a vulnerability?

Volume: the volume of exploitations based on the vulnerability?

Methodology: Statistical analysis of intrusion detection system attack data and NVD data

Key Result: Immediate disclosure accelerates exploitation attempts and slightly increases the number of distinct targets, but decreases attack volume.


Disclosure Process as an R&D Race

(Diagram of two parallel processes; adapted from Ransbotham, Mitra, Ramsey (forthcoming MIS Quarterly))

ATTACK PROCESS: Discovery of Vulnerability → Development of Exploit Method → Diffusion of Attacks → Firm is attacked

SECURITY PROCESS: Discovery of Vulnerability → Development of Patch by Vendor → Diffusion of Patch → Firm is patched; Development of Countermeasures (e.g. detection signatures) → Diffusion of Countermeasures

Public Disclosure? (marked with question marks between the two processes)


Tension: Immediate disclosure helps and hurts

Attackers
- Disclosure provides information
- Opens “window of opportunity”
- Tells everyone the window is open

Defenders
- Can’t close a window you don’t know is open
- Disclosure allows countermeasure development
- Focuses defender attention
- Encourages quick vendor response


Research Environment

(Diagram; component labels recovered from the slide:)
• Internet (e.g. customers, vendors, attackers) ↔ Corporate Network
• Intrusion Detection System → Data Stream (0101010…) → Filtered Data → Security Company
• Security Company: Alert Database, Operator, Monitor, Signature Database, Signature Updates
• Matched Alert Data: 400+ million alert subset, 2006-2007, 960 firms
• NVD (National Vulnerability Database): this paper matches the alert data to NVD


NVD Example

(Screenshot of an NVD entry; callouts on the slide: Begin Date, Disclosure(s), Alternative Explanations)


Key Control Variables

1. Common Vulnerability Scoring System (CVSS) Assessment
   A. Access required: (local, adjacent, remote)
   B. Complexity: (low, medium, high)
   C. Authentication: (required or not)
   D. Impacts: (confidentiality, data integrity, availability of system resources)
   E. Type
      1. Access Validation: incorrect allowance of privileges
      2. Input Validation: failure to handle incorrect input
      3. Design Error: shortcomings in design of software
      4. Exception Error: insufficient response to unexpected conditions
      5. Configuration Error: weak configuration of settings
      6. Race Condition: errors due to sequencing of events
2. Patch available
3. Signature available
4. Application affected: Desktop or Server
5. Disclosure through Market (paid) mechanism
6. Age of vulnerability (days since publication)


Vulnerability details


                                  Immediate Disclosure      Non-Immediate
Variable                Value     Count    %               Count    %
Complexity              Low       270      50.75%          347      51.87%
                        Medium    194      36.47%          263      39.31%
                        High       68      12.78%           59       8.82%
Confidentiality Impact  No        121      22.74%          157      23.47%
                        Yes       411      77.26%          512      76.53%
Integrity Impact        No        104      19.55%          156      23.32%
                        Yes       428      80.45%          513      76.68%
Availability Impact     No        106      19.92%           97      14.50%
                        Yes       426      80.08%          572      85.50%
Vulnerability           Input     184      34.59%          206      30.79%
                        Design     76      14.29%          111      16.59%
                        Exception  44       8.27%           72      10.76%
Market Disclosure       No        441      82.89%          600      89.69%
                        Yes        91      17.11%           69      10.31%
Server Application      No        513      96.43%          651      97.31%
                        Yes        19       3.57%           18       2.69%
Contains Signature      No        466      87.59%          576      86.10%
                        Yes        66      12.41%           93      13.90%
Patch Available         No        224      42.11%          320      47.83%
                        Yes       308      57.89%          349      52.17%


Does immediate disclosure affect attacks? Three ways to analyze this question…

1. Risk: the likelihood of a vulnerability being exploited?
   • Data summarized by firm, vulnerability, day
   • Dependent variable is yes/no if an attack is seen on that day
   • Using stratified Cox proportional hazard models

2. Diffusion: the diffusion of attacks based on a vulnerability?
   • Data summarized by vulnerability, day
   • Dependent variable is the cumulative number of firms attacked by that day
   • Using nonlinear regression to estimate the diffusion curve

3. Volume: the volume of attacks based on the vulnerability?
   • Data summarized by firm, vulnerability, day
   • Dependent variable is the count of attacks seen on that day
   • Using Heckman two-stage regression
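As an added worked example (not code from the paper or its authors), the following Python builds the three datasets described above from a handful of constructed alert records that are already matched to NVD entries: a firm-vulnerability-day panel carrying both the yes/no attack indicator (risk) and the daily alert count (volume), a vulnerability-day series of the cumulative number of distinct firms attacked (diffusion), and the days from NVD publication to the first observed attempt that a hazard model takes as its time-to-event. The firm names, vulnerability ids and dates are placeholders invented for this example; measuring time as days since NVD publication and cutting the panel at a fixed window are assumptions of the example, not details taken from the slides.

```python
from collections import defaultdict
from datetime import date

# Constructed sample, not the paper's data: IDS alerts already matched to NVD entries.
# Each alert record is (firm, vulnerability id, alert date). The vulnerability ids,
# firm names and dates are placeholders invented for this example.
NVD_PUBLISHED = {
    "CVE-EXAMPLE-0001": date(2006, 3, 1),
    "CVE-EXAMPLE-0002": date(2006, 3, 10),
}
ALERTS = [
    ("firmA", "CVE-EXAMPLE-0001", date(2006, 3, 2)),
    ("firmA", "CVE-EXAMPLE-0001", date(2006, 3, 2)),
    ("firmB", "CVE-EXAMPLE-0001", date(2006, 3, 5)),
    ("firmA", "CVE-EXAMPLE-0001", date(2006, 3, 5)),
    ("firmC", "CVE-EXAMPLE-0002", date(2006, 3, 12)),
    ("firmC", "CVE-EXAMPLE-0002", date(2006, 3, 13)),
    ("firmB", "CVE-EXAMPLE-0002", date(2006, 4, 1)),  # falls outside the 7-day window below
]
FIRMS = ["firmA", "firmB", "firmC"]
WINDOW_DAYS = 7  # assumed observation window, in days since NVD publication ("age")


def alert_counts(alerts, nvd_published, window_days):
    """Count alerts per (firm, vulnerability, age in days); alerts outside the window are dropped."""
    counts = defaultdict(int)
    for firm, vuln, day in alerts:
        age = (day - nvd_published[vuln]).days
        if 0 <= age < window_days:
            counts[(firm, vuln, age)] += 1
    return counts


def firm_vuln_day_panel(alerts, firms, nvd_published, window_days):
    """Risk and volume datasets: one row per firm x vulnerability x day.
    Each value is (attack seen that day?, number of alerts that day). Rows with no
    alert are kept: a hazard model needs the days on which nothing happened."""
    counts = alert_counts(alerts, nvd_published, window_days)
    panel = {}
    for firm in firms:
        for vuln in nvd_published:
            for age in range(window_days):
                n = counts.get((firm, vuln, age), 0)
                panel[(firm, vuln, age)] = (n > 0, n)
    return panel


def cumulative_firms_by_day(alerts, nvd_published, window_days):
    """Diffusion dataset: per vulnerability, the cumulative number of distinct
    firms attacked by each day since publication."""
    counts = alert_counts(alerts, nvd_published, window_days)
    first_seen = defaultdict(dict)  # vuln -> firm -> earliest age with an alert
    for (firm, vuln, age) in counts:
        if firm not in first_seen[vuln] or age < first_seen[vuln][firm]:
            first_seen[vuln][firm] = age
    series = {}
    for vuln in nvd_published:
        ages = sorted(first_seen[vuln].values())
        series[vuln] = [sum(1 for a in ages if a <= day) for day in range(window_days)]
    return series


def first_attack_age(alerts, nvd_published, window_days):
    """Time-to-event input for the hazard analysis: days from publication to the
    first observed exploitation attempt, per (firm, vulnerability)."""
    counts = alert_counts(alerts, nvd_published, window_days)
    first = {}
    for (firm, vuln, age) in counts:
        key = (firm, vuln)
        if key not in first or age < first[key]:
            first[key] = age
    return first


if __name__ == "__main__":
    panel = firm_vuln_day_panel(ALERTS, FIRMS, NVD_PUBLISHED, WINDOW_DAYS)
    print(len(panel), "firm-vulnerability-day rows")
    for vuln, series in cumulative_firms_by_day(ALERTS, NVD_PUBLISHED, WINDOW_DAYS).items():
        print(vuln, "cumulative firms attacked by day:", series)
    print("days to first attempt:", first_attack_age(ALERTS, NVD_PUBLISHED, WINDOW_DAYS))
```

The point of the panel's zero rows is that each of the three questions is asked against a different unit of observation: the risk and volume models see every firm-vulnerability-day, including the quiet ones, while the diffusion model collapses firms into a per-vulnerability cumulative count, which is why the slides report different observation counts for each model.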


1. Does immediate disclosure affect exploitation risk?

Variable                  Control Model    Test Model
Complexity: Medium        -0.215***        -0.188***
Complexity: High           0.227***         0.227***
Confidentiality Impact    -0.135***        -0.165***
Integrity Impact           0.288***         0.298***
Availability Impact        0.296***         0.339***
Market Disclosure         -1.508***        -1.594***
Server Application        -0.620***        -0.628***
Patch Available            0.009           -0.001
Signature Available        1.034***         1.075***
Vulnerability Types        indicators       indicators
Immediate Disclosure                        0.497***

Cox proportional hazard model of exploitation attempts across 1,152,406 observations of 1201 vulnerabilities in 960 firms; robust standard errors in parentheses; analysis stratified across 960 firms; significance levels: * p<0.05; ** p<0.01; *** p<0.001

(Callout on the slide, pointing at the Immediate Disclosure coefficient: increased risk of exploitation attempt)


2. Does immediate disclosure affect diffusion?

(Figure: cumulative penetration over time, characterized by three curve parameters: Delay (D), Rate (R), Penetration (P))
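The slide names the three parameters of the diffusion curve but not its functional form, so the following added example (not the paper's model or code) assumes a three-parameter logistic curve in which P is the ceiling on the number of firms attacked, R the rate of spread and D the day at which half of P is reached. It generates a constructed daily series from known parameters, recovers them by a dependency-free least-squares grid search standing in for the paper's nonlinear regression, and then shows how a change in D and R moves the day on which a given share of P is reached. Treating regression coefficients as additive shifts to P, R and D is also an assumption of the example.

```python
import math

# Added example, not the paper's model. The slide names Penetration (P), Rate (R)
# and Delay (D) but not the curve's functional form; a three-parameter logistic
# curve is ASSUMED here for illustration.


def diffusion_curve(t, P, R, D):
    """Assumed logistic form: cumulative number of firms attacked t days after publication."""
    return P / (1.0 + math.exp(-R * (t - D)))


def days_to_fraction(P, R, D, frac):
    """Day on which the assumed curve reaches frac * P (frac = 0.5 gives exactly D)."""
    return D + math.log(frac / (1.0 - frac)) / R


def fit_diffusion(days, observed, p_grid, r_grid, d_grid):
    """Least-squares fit of (P, R, D) by exhaustive grid search, a dependency-free
    stand-in for the nonlinear regression the paper uses. Returns the best (P, R, D)."""
    best = None
    for P in p_grid:
        for R in r_grid:
            for D in d_grid:
                sse = sum((diffusion_curve(t, P, R, D) - y) ** 2
                          for t, y in zip(days, observed))
                if best is None or sse < best[0]:
                    best = (sse, P, R, D)
    _, P, R, D = best
    return float(P), float(R), float(D)


def net_shift(P, R, D, dP, dR, dD, frac=0.9):
    """Change, in days, of the day on which frac * P is reached when P, R and D are
    shifted additively by dP, dR, dD (an assumed reading of regression coefficients).
    Negative values mean the curve reaches that share earlier (acceleration)."""
    return days_to_fraction(P + dP, R + dR, D + dD, frac) - days_to_fraction(P, R, D, frac)


# Constructed series: 61 daily cumulative counts generated from known parameters
# and rounded to whole firms, standing in for the paper's vulnerability-day data.
TRUE_P, TRUE_R, TRUE_D = 40.0, 0.5, 20.0
DAYS = list(range(61))
OBSERVED = [round(diffusion_curve(t, TRUE_P, TRUE_R, TRUE_D)) for t in DAYS]
P_GRID = range(30, 51)                    # ceiling: 30..50 firms
R_GRID = [k / 10 for k in range(1, 11)]   # rate: 0.1..1.0 per day
D_GRID = range(10, 31)                    # delay: 10..30 days


if __name__ == "__main__":
    P, R, D = fit_diffusion(DAYS, OBSERVED, P_GRID, R_GRID, D_GRID)
    print("fitted P, R, D:", P, R, D)
    # Using the slide's Immediate Disclosure coefficients (3.69, -0.09, -5.77) as
    # additive shifts: a shorter delay outweighs the slightly lower rate, so 90 %
    # of the ceiling is reached earlier.
    print("shift in days to 90% of P:", round(net_shift(P, R, D, 3.69, -0.09, -5.77), 2))
```

Read against the regression table that follows on the slides, the sign pattern is what matters: a negative coefficient on D moves the whole curve earlier, a negative coefficient on R stretches the tail, and the net effect on when a given share of firms has been attacked depends on both, which is what the example's last function computes.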


2. Does immediate disclosure affect diffusion?

Variable                Penetration (P)   Rate (R)    Delay (D)
Complexity: Medium       174.27***         0.57***     136.68***
Complexity: High          42.09***         0.57***      20.65***
Confidentiality Impact   -32.48***         0.19***     135.88***
Integrity Impact          11.74***         0.39***      91.90***
Availability Impact      -11.13***        -0.78***    -156.51***
Server Application        -3.05*          -0.10***      27.30***
Patch Available          -19.94***        -0.60***    -140.87***
Market Disclosure        -57.46***        -1.15***     278.74***
Signature Available      123.24***         1.42***    -141.58***
Vulnerability Types       indicators       indicators  indicators
Immediate Disclosure       3.69***        -0.09***      -5.77**

Nonlinear regression on the cumulative number of affected firms; 132,768 daily observations of vulnerabilities exploited in at least one of 960 firms. Robust standard errors in parentheses; significance levels: * p<0.05; ** p<0.01; *** p<0.001


2. Does immediate disclosure affect diffusion?

(Figure: diffusion curves; callouts on the slide: Acceleration, Increased Penetration (?))


3. Does immediate disclosure affect volume of alerts?

Variable                  Stage 1          Stage 2
Complexity: Medium         0.100***        -0.050***
Complexity: High           0.280***        -0.037***
Confidentiality Impact     0.015***         0.031***
Integrity Impact           0.501***        -0.083***
Availability Impact       -0.253***        -0.005
Vulnerability Types        indicators       indicators
Firm effects               indicators       indicators
Monthly indicators         Publish month    Alert month
Age (in days, log)                 -0.210***
Server Application        -0.325***         0.130***
Market Disclosure         -0.050***        -0.098***
Patch Available           -0.432**         -0.019***
Signature Available        0.738***         0.166***
Immediate Disclosure      -0.067***         0.148***

Heckman two-stage regression; n = 1,302,931; 709,090 uncensored; 1201 vulnerabilities; standard errors in parentheses; significance levels: * p<0.05; ** p<0.01; *** p<0.001

Stage 1: uncensored if an exploit attempt for the vulnerability is observed in the sample

Stage 2: natural log of the number of exploitation attempts

(Callout on the slide: increases volume)


Main Result

Immediate disclosure can increase the risk and accelerate the diffusion of attack attempts on vulnerabilities, but decrease their volume.

Adds to the scarce empirical research (most is analytical)
• Not a single firm (hundreds)
• Extended time period (two years)
• Real attacks (not honeypot)

Opens a window for attackers
• But defenders are reacting quickly to close the window
• Attackers seem to abandon attacks quickly as well


Implications
• Immediate disclosure affects both actions on the window: closing and opening
• Forces defenders to react quickly
• May not be socially optimal; prioritization skewed?
• Limited disclosure?
• Unclear if results hold for the extreme case (all immediate disclosure)
• Limited resource budget of defenders; attackers less limited
• Using a “workload index” to help understand this

Limitations
• Working to further clarify first disclosure; results are conservative
• High volume of noisy data: IDS and NVD

Going forward