[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4897B4EA.1012.433AED8F@stuart.cyberdelix.net>
Date: Tue, 05 Aug 2008 02:03:22 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: phish war game
BLUE TEAM: anti-phishing blacklist
RED TEAM: phish
GREEN TEAM: end-users
starting degree of obfuscation: 0% (none)
starting number of blocked domains: 0
----------
round 1:
action: RED sends billions of phish
consequence: 5% of GREEN members are suckered and lose some cash
action: BLUE blocks the top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find
new victims
current degree of obfuscation: 0%
current number of blocked domains: 20
round 2:
action: RED obfuscates their FROM fields by 20% and resends billions
of phish
consequence: 4% of GREEN members are suckered and lose some cash
action: BLUE blocks the next top 20 phished domains using the FROM
field
consequence: 80% of RED members are forced to make new sites and find
new victims
current degree of obfuscation: 20%
current number of blocked domains: 40
round 3:
action: RED obfuscates their FROM fields by 20% and resends billions
of phish
consequence: 3% of GREEN members are suckered and lose some cash
action: BLUE blocks the next top 20 phished domains using the FROM
field
consequence: 80% of RED members are forced to make new sites and find
new victims
current degree of obfuscation: 24%
current number of blocked domains: 60
round 4:
action: RED obfuscates their FROM fields by 20% and resends billions
of phish
consequence: 2% of GREEN members are suckered and lose some cash
action: BLUE blocks the next top 20 phished domains using the FROM
field
consequence: 80% of RED members are forced to make new sites and find
new victims
current degree of obfuscation: 28.8%
current number of blocked domains: 80
round 5:
action: RED obfuscates their FROM fields by 20% and resends billions
of phish
consequence: 1% of GREEN members are suckered and lose some cash
action: BLUE blocks the next top 20 phished domains using the FROM
field
consequence: 80% of RED members are forced to make new sites and find
new victims
current degree of obfuscation: 34.56%
current number of blocked domains: 100
round 6:
action: RED obfuscates their FROM fields by 20% and resends billions
of phish
consequence: 0% of GREEN members are suckered and lose some cash
----------
GAME OVER: RED loses at round 6, as 0% of GREEN members are suckered,
due to over-obfuscation.
final degree of obfuscation: 41.47%
final number of blocked domains: 100
----------
observations:
1. The model is over-simplified, in reality it's unlikely that BLUE
would consistently achieve 80%. However in reality it's also
unlikely that RED would enjoy a linear relationship between
obfuscation and success, specifically, the more RED obfuscates the
less success it has. Both teams might suffer diminishing returns
from their efforts. (for the purposes of the above model, these
effects have been allowed to cancel each other out)
2. The model has a constant 1% reduction in the victim rate, this is
debatable, however it will never go upwards, eg., there is nothing
RED can do to push that number back towards 100%. Conversely,
everything BLUE does pushes that number towards 0%. In addition,
other anti-phishing technologies will also be pushing the number
towards 0%. GREEN itself might even push the number down.
3. The model does not allow RED to increase the number of phish they
send. In reality, they way well do so. However they will blocked
faster in this case, not only by BLUE but also by other technologies,
such as spam filters. (for the purposes of the above model, these
effects have been allowed to cancel each other out)
4. The model does not allow the game to be terminated voluntarily.
In reality, RED will terminate the game voluntarily when phish
revenue per hour falls below revenues per hour available from other
sources. This will be some time before 0% of GREEN members are
suckered, perhaps as early as round 3.
5. The blacklist contains 100 items at the time RED loses. It may
contain as little as 60 at the time RED terminates voluntarily.
----------
links:
(...)
http://en.wikipedia.org/wiki/Business_War_Games
(this is a sales brochure, however it describes a war game a bit
nicer than wiki, it's got diagrams, for a start)
http://www.coleago.co.uk/uploads/Training/War%20Gaming.pdf
(this isn't relevant to a war game, it might be something like what's
happening when the top 20 phished domains are used to select the
items to blacklist, OTOH, it might not, I don't know, I'm not a
statistician. I'd love to know the name of the technique, I use
something similar to optimise my spam rules...)
http://en.wikipedia.org/wiki/Monte_Carlo_method
(this was mentioned in one of the papers I quoted previously)
http://en.wikipedia.org/wiki/Pareto_principle
---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists