Luca Allodi

ORCID: 0000-0003-1600-0868
Research Areas
  • Information and Cyber Security
  • Spam and Phishing Detection
  • Advanced Malware Detection Techniques
  • Network Security and Intrusion Detection
  • Cybercrime and Law Enforcement Studies
  • Misinformation and Its Impacts
  • Software Reliability and Analysis Research
  • Internet Traffic Analysis and Secure E-voting
  • Software Engineering Research
  • Complex Network Analysis Techniques
  • Smart Grid Security and Resilience
  • Opinion Dynamics and Social Influence
  • Crime, Illicit Activities, and Governance
  • User Authentication and Security Systems
  • Digital and Cyber Forensics
  • Evolutionary Game Theory and Cooperation
  • Privacy, Security, and Data Protection
  • Precipitation Measurement and Analysis
  • IPv6, Mobility, Handover, Networks, Security
  • Suicide and Self-Harm Studies
  • Complex Systems and Decision Making
  • Peer-to-Peer Network Technologies
  • Sentiment Analysis and Opinion Mining
  • Ethics and Social Impacts of AI
  • Web Application Security Vulnerabilities

Eindhoven University of Technology
2017-2024

Institute of Electrical and Electronics Engineers
2020

IEEE Computer Society
2020

Regional Municipality of Niagara
2020

Solutions Inc. (Japan)
2019

Arizona State University
2019

University of Cambridge
2019

Google (United States)
2019

University of Trento
2011-2015

University of Milan
2011

(U.S.) Rule-based policies for mitigating software risk suggest using the CVSS score to measure the risk of an individual vulnerability and act accordingly. A key issue is whether the ‘danger’ score does actually match exploitation in the wild, and if and how such a score could be improved. To address this question, we propose a case-control study methodology similar to the procedure used to link lung cancer and smoking in the 1950s. A case-control study allows the researcher to draw conclusions on the relation between some factor (e.g., smoking) and an effect (e.g., cancer) by looking backward...

10.1145/2630069 article EN ACM Transactions on Information and System Security 2014-08-01

Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists on the economics of attack acquisition and deployment. Yet, this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on likelihood...

10.1145/3133956.3133960 preprint EN Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security 2017-10-27

Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g., Basel II in Finance). This article presents a model and methodology to leverage the large amount of data available from the IT infrastructure of an organization's security operation center to quantitatively estimate the probability of attack. Our methodology specifically addresses untargeted attacks delivered by...

10.1111/risa.12864 article EN Risk Analysis 2017-08-01

In this study, we provide extensive analysis of the (unique) characteristics of phishing and spear-phishing attacks, argue that attacks cannot be well captured by current countermeasures, identify ways forward, and analyze an advanced campaign targeting white-collar workers in 32 countries.

10.1109/msec.2019.2940952 article EN IEEE Security & Privacy 2019-10-01

Phishing attacks are a main threat to organizations and individuals. Current widespread defenses based on spam filters and domain blacklisting are unfortunately insufficient. Prior work identifies phishing reporting as a key, largely untapped resource to mitigate phishing threats. Yet, its practice suffers from very low reporting rates and generally too low an uptake from users. Whereas it is known that reporting behavior is affected by a number of 'human factors', a comprehensive view of the different theories and their effects on (intent to) report phishing is not yet...

10.1145/3544548.3580985 article EN public-domain 2023-04-19

NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. An open question is whether such scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM). Our final conclusion is that the NVD and EDB databases are not a reliable source of information for exploits in the wild, even after controlling for the CVSS and exploitability...

10.1145/2382416.2382427 article EN 2012-10-15

The interdisciplinarity of the Social Engineering (SE) domain creates crucial challenges for the development and advancement of empirical SE research, making it particularly difficult to identify the space of open research questions that can be addressed empirically. This space encompasses questions on attack conditions, employed experimental methods, and interactions with underlying cognitive aspects. As a consequence, much potential in the breadth of existing empirical SE research and in its mapping to the actual cognitive processes it aims to measure is left untapped. In this...

10.1145/3635149 article EN cc-by ACM Transactions on Computer-Human Interaction 2023-11-30

Assessing the risks of software vulnerabilities is a key process of software development and security management. This assessment requires considering multiple factors (technical features, operational environment, involved assets, status of the vulnerability lifecycle, etc.) and may depend on the assessor’s knowledge and skills. In this work, we tackle an important part of this problem by measuring the accuracy of technical vulnerability assessments by assessors with different level and type of knowledge. We report an experiment to compare how accurately...

10.1007/s10664-019-09797-4 article EN cc-by Empirical Software Engineering 2020-01-20

Many Security Operations Centers (SOCs) today still heavily rely on signature-based Network Intrusion Detection Systems (NIDS) such as Suricata. The specificity of intrusion detection rules and the coverage provided by rulesets are common concerns within the professional community surrounding SOCs, which impact the effectiveness of automated alert post-processing approaches. We postulate that a better understanding of the factors influencing the quality of rules can help address current SOC issues. In this paper, we...

10.1145/3708821.3710823 preprint EN arXiv (Cornell University) 2025-01-16

Cybercrime is notoriously maintained and empowered by the underground economy, manifested in black markets. In such markets, attack tools and vulnerability exploits are constantly traded. In this paper, we focus on making a quantitative assessment of the risk of attacks coming from such markets, and investigating the expected reduction in overall attacks against final users if, for example, vulnerabilities traded in the black markets were all to be promptly patched. In order to conduct the analysis, we mainly use the data on (a) vulnerabilities bundled in 90+ attack tools collected by us; (b) actual...

10.1109/spw.2013.16 article EN 2013-05-01

Cybercrime activities are supported by infrastructures and services originating from an underground economy. The current understanding of this phenomenon is that the cybercrime economy ought to be fraught with information asymmetry and adverse selection problems. They should make the effects that we observe every day impossible to sustain. In this paper, we show that the market structure and design used by cyber criminals have evolved toward a design similar to legitimate, thriving, online forum markets such as eBay. We illustrate this evolution...

10.1109/tetc.2015.2397395 article EN IEEE Transactions on Emerging Topics in Computing 2015-02-18

The assessment of new vulnerabilities is an activity that accounts for information from several data sources and produces a 'severity' score for the vulnerability. The Common Vulnerability Scoring System (CVSS) is the reference standard for this assessment. Yet, no guidance currently exists on which information aids a correct assessment and should therefore be considered. In this paper we address this problem by evaluating which information cues increase (or decrease) assessment accuracy. We devise a block design experiment with 67 software engineering...

10.1145/3176258.3176340 preprint EN 2018-03-13

In this paper we employ quantitative measurements of cognitive vulnerability triggers in phishing emails to predict the degree of success of an attack. To achieve this we rely on the cognitive psychology literature and develop an automated and fully quantitative method based on machine learning and econometrics to construct a triaging mechanism built around the cognitive features of a phishing email; we showcase our approach relying on data from the anti-phishing division of a large financial organization in Europe. Our evaluation shows empirically that an effective triaging mechanism for phishing success can be put in place by...

10.48550/arxiv.1905.02162 preprint EN other-oa arXiv (Cornell University) 2019-01-01

In this paper we provide evidence of an emerging criminal infrastructure enabling impersonation attacks at scale. Impersonation-as-a-Service (IMPaaS) allows attackers to systematically collect and enforce user profiles (consisting of user credentials, cookies, device and behavioural fingerprints, and other metadata) to circumvent risk-based authentication system and effectively bypass multi-factor authentication mechanisms. We present the IMPaaS model and evaluate its implementation by analysing the operation of a large, invite-only,...

10.1145/3372297.3417892 article EN Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security 2020-10-30

Organizations are experiencing more and more sophisticated phishing attacks specifically targeting their employees and customers. These attacks exploit tailored information on the victim or organization to increase their credibility. To date, no study has evaluated the role of 'traditional' phishing cognitive effects in these advanced settings. In this paper, we run a field experiment on 747 subjects employed in two organizations (a university and a large international consultancy company) to evaluate the interaction between persuasion...

10.1145/3407023.3409178 article EN Proceedings of the 17th International Conference on Availability, Reliability and Security 2020-08-25

Organizations are increasingly facing sophisticated social engineering attacks that exploit human vulnerabilities and overcome commonly available countermeasures. Spear-phishing campaigns are becoming the most prevalent attack and source of compromise for organizations. We argue that existing prevention and detection countermeasures are fundamentally ineffective against this class of attacks. In this work, we propose a novel approach to address the limitations of existing countermeasures. Our proposition is new course action capabilities as basis...

10.1109/eurospw51379.2020.00069 article EN 2020-09-01

Phishing attacks arrive in high numbers and often spread quickly, meaning that after-the-fact countermeasures such as domain blacklisting are of limited efficacy. Visual similarity-based approaches have the potential of detecting previously unseen phishing webpages. These approaches, however, require identifying the legitimate webpage(s) they reproduce. Existing approaches rely on textual feature analysis for target identification, with misclassification rates of approximately 1%; most websites a user might...

10.1145/3465481.3470112 article EN Proceedings of the 17th International Conference on Availability, Reliability and Security 2021-08-16

The assumption that a cyberattacker will potentially exploit all present vulnerabilities drives most modern cyber risk management practices and the corresponding security investments. We propose a new attacker model, based on dynamic optimization, where we demonstrate that large, initial, fixed costs of exploit development induce attackers to delay implementation and deployment of exploits of vulnerabilities. The theoretical model predicts that mass attackers will preferably (i) exploit only one vulnerability per software version, (ii)...

10.1111/risa.13732 article EN cc-by Risk Analysis 2021-05-07

A common conceit is that the typical cyber attacker is assumed to be all powerful and able to exploit all possible vulnerabilities with almost equal likelihood. In this paper we present, and empirically validate, a novel and more realistic attacker model. The intuition of our model is that a mass attacker will optimally choose whether to act and weaponize a new vulnerability, or keep using existing toolkits if there are enough vulnerable users. The model predicts that mass attackers may i) exploit only one vulnerability per software version, ii) include low attack...

10.2139/ssrn.2862299 article EN SSRN Electronic Journal 2017-01-01

In this paper we present, showcase, and analyze a novel framework to dissect Social Engineering (SE) attacks. The framework is based on extant theories in the cognitive sciences, and is meant as an instrument for researchers and practitioners alike to structure and analyze SE attacks of varying sophistication, isolating specific features and their effects at the cognitive level, and providing a common framework for comparisons across different attacks. We showcase the framework against attacks reproduced in the academic literature as well as real (highly-targeted) attacks reported in the wild, relating techniques...

10.1109/eurospw54576.2021.00024 article EN 2021-09-01

Phishing emails are becoming more and more sophisticated, making current detection techniques ineffective. The reporting of phishing emails from users is, thus, crucial for organizations to detect phishing attacks and mitigate their effect. Despite extensive research on how the believability of a phishing email affects detection rates, there is little to no research about the relationship between the believability of a phishing email and the associated reporting rate. In this work, we present a controlled experiment with 446 subjects to evaluate how the reporting rate of a phishing email is linked to its believability. Our results show that the reporting rate decreases as believability increases around...

10.1109/eurospw55150.2022.00018 article EN 2022-06-01