"The Work Averse Attacker Model: the *real* security model and the evidence from 2 million attack signatures"
Over 30 years have passed since Dolev and Yao's landmark paper on the attacker model, so it is time for a change!
Several attacker models have been proposed in the meantime (e.g. honest-but-curious, computationally bounded, etc.), but they all share a common premise: the cyber attacker is assumed to be all-powerful (within her model) and able to exploit every vulnerability (within her capabilities) with roughly equal likelihood. So if she can attack a vulnerability, she likely will. From a defender's perspective this means that unless he secures every vulnerability, he will be hacked.
We have identified, and empirically validated, a novel and more realistic attacker model built on a key economic idea: inaction can sometimes be more profitable than action, especially when many victims are involved and the fixed cost of weaponizing an exploit may be high. The intuition behind our Work Averse Attacker Model (WAAM) is that a mass attacker will optimally choose between acting, i.e. weaponizing a new vulnerability, and keeping existing toolkits in use for as long as enough users remain vulnerable to them.
The model predicts that mass attackers may exploit only one vulnerability per software version, include only vulnerabilities with low attack complexity, and be slow to introduce new vulnerabilities into their arsenal. We empirically test these predictions by analysing the data collected by Symantec's WINE platform on attacks against more than one million real systems. Our analysis confirms that attackers behave as the WAAM predicts. Individuals and organizations can make substantial efficiency gains by accounting for this effect when devising security countermeasures.
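To make the economic intuition concrete, here is a toy simulation of a work-averse mass attacker. It is an added illustration written for this page, not the formal model from the paper and not derived from the WINE data: the two software versions, the patch and upgrade rates, the per-victim payoff, the look-ahead window, the weaponization fees and the hypothetical vulnerability names (V1-low, V1-high, V2-low, V2-high) are all constructed assumptions. The attacker compares, each period, the payoff of every exploit she could use over a short look-ahead, paying a one-off fee only for exploits not yet in her arsenal; the cheaper fee of a low-complexity bug and the fact that any exploit for a version reaches that version's whole unpatched pool are what produce the three predictions above (one exploit per version, low complexity only, late adoption of the new version's bug).

```python
"""Toy simulation of a work-averse mass attacker (added illustration, not the
paper's formal model). Every rule and number below is a constructed assumption:
- two software versions; once v2 ships, a fixed share of the remaining v1 users
  upgrades each period, and a fixed share of each version's vulnerable users
  patches each period;
- exploiting any vulnerability in a version reaches that version's entire
  unpatched pool, so a second exploit for the same version adds cost, not victims;
- weaponizing a vulnerability costs a one-off fee that grows with its attack
  complexity; using an exploit already in the arsenal is free;
- each period the attacker uses the exploit with the highest payoff over a short
  look-ahead window, net of any weaponization fee.
"""
from dataclasses import dataclass

PATCH_RATE = 0.10     # share of a version's vulnerable users who patch per period
UPGRADE_RATE = 0.20   # share of remaining v1 users who move to v2 per period
V2_RELEASE = 3        # period in which v2 ships and its bugs become disclosed
PAYOFF = 1.0          # revenue per vulnerable user per period
HORIZON = 4           # periods the attacker looks ahead when comparing options


@dataclass(frozen=True)
class Vuln:
    name: str              # hypothetical label, not a real identifier
    version: str           # "v1" or "v2"
    complexity: str        # CVSS-style access/attack complexity
    weaponize_cost: float  # one-off fee to turn it into a reliable exploit
    disclosed: int         # first period in which it can be weaponized


def step(pools, t):
    """Advance the per-version pools of vulnerable users from period t to t+1."""
    upgrade = UPGRADE_RATE if t >= V2_RELEASE else 0.0
    v1, v2 = pools["v1"], pools["v2"]
    # Assumption: upgraders land on v2 still unpatched against v2's bug.
    return {"v1": v1 * (1 - PATCH_RATE) * (1 - upgrade),
            "v2": v2 * (1 - PATCH_RATE) + v1 * upgrade}


def projected_gross(pools, t, version):
    """Payoff an exploit for `version` earns over the look-ahead window from period t."""
    total, cur = 0.0, dict(pools)
    for k in range(HORIZON):
        total += PAYOFF * cur[version]
        cur = step(cur, t + k)
    return total


def choose(vulns, pools, t, arsenal):
    """Exploit with the best net payoff this period, or None if none pays off."""
    candidates = [v for v in vulns if v.disclosed <= t]
    if not candidates:
        return None

    def net(v):
        fee = 0.0 if v in arsenal else v.weaponize_cost
        return projected_gross(pools, t, v.version) - fee

    best = max(candidates, key=net)
    return best if net(best) > 0 else None


def simulate(vulns, periods, initial_pools):
    """Return [(period, vuln name)] for every new exploit the attacker weaponizes."""
    pools, arsenal, weaponized = dict(initial_pools), set(), []
    for t in range(periods):
        choice = choose(vulns, pools, t, arsenal)
        if choice is not None and choice not in arsenal:
            arsenal.add(choice)
            weaponized.append((t, choice.name))
        pools = step(pools, t)
    return weaponized


# Constructed scenario: each version has one low- and one high-complexity bug.
VULNS = [
    Vuln("V1-low", "v1", "low", weaponize_cost=400.0, disclosed=0),
    Vuln("V1-high", "v1", "high", weaponize_cost=1500.0, disclosed=0),
    Vuln("V2-low", "v2", "low", weaponize_cost=400.0, disclosed=V2_RELEASE),
    Vuln("V2-high", "v2", "high", weaponize_cost=1500.0, disclosed=V2_RELEASE),
]
INITIAL_POOLS = {"v1": 1000.0, "v2": 0.0}  # 1000 constructed v1 users, v2 not yet shipped

if __name__ == "__main__":
    for period, name in simulate(VULNS, 15, INITIAL_POOLS):
        print(f"period {period:2d}: weaponized {name}")
```

Running it, the attacker weaponizes V1-low at period 0 and nothing else until period 6, three periods after v2 ships, when v2's growing unpatched pool finally makes the fee worth paying; V1-high and V2-high are never weaponized because they reach the same users as the cheaper bug. Changing the fee or the patch rate moves the switch period, which is the kind of sensitivity a defender can use to decide which vulnerabilities actually need patching first.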
Joint work with Luca Allodi (TU/e) and Julian Williams (UDUR). More information on the paper here: http://securitylab.disi.unitn.it/doku.php?id=security_economics.