Ransomware & Game Theory: To Pay, or Not to Pay?

Slides from Tony Martin-Vegue's presentation at NBTcon, San Francisco: December 03, 2016.

"Ransomware & Game Theory: To Pay, or Not to Pay?"

What do the San Francisco Giants, Cryptolocker and nuclear war all have in common? They all involve conflicts in which incentives, payouts and winning strategies can be analyzed with game theory. Game theory is a branch of mathematics that models conflict and cooperation between parties and is used in many real-world decision-making scenarios, inside and outside the Information Security field. Game theory is particularly useful in analyzing the extortionist / victim dynamic present in ransomware infection scenarios.

Ransomware comes in many varieties and works in different ways, but the basic setting is the same: cybercriminals infect a computer with malicious software that blocks access to the system or important files until the ransom is paid.

The conventional wisdom in information security regarding ransomware is to never pay. But why? The answer is a little more nuanced than “never pay” or “always pay.” The decision is a complex scenario of incentives and payoffs. Who stands to gain when ransomware is paid? Who gains when it is not paid?

This talk will use the familiar topic of ransomware to introduce participants to game theory concepts like rational decision-making, zero-sum games, incentives, utility and Nash Equilibrium – all important tools that can help solve security problems. By analyzing ransomware decision-making with a game theory mindset, participants will learn a new set of skills and a new way of incentive-driven thinking.

Ransomware & Game Theory: To Pay, or Not to Pay?

  1. Ransomware and Game Theory: To Pay, or Not To Pay? Tony Martin-Vegue @tdmv #nbt3
  2. About me: Tony Martin-Vegue • Manager, Information Security Risk at SF-based Financial Institution • CISSP, CISM, GCIH • BS, Business Economics, University of San Francisco • 20 years in IT • Focus: Risk management, the economics of information security
  3. Key Takeaways • Learn about Game Theory • Decision analysis • Payoff matrix and decision tree • Cooperation / competition between actors • Learn about Ransomware • Options you have when infected • Examine payouts, incentives • What happens when you pay the ransom?
  4. (Very) Brief Ransomware 101. Image Source: TrendMicro.com
  5. Ransom Note
  6. Game Theory 101: “Game Theory can be defined as the study of mathematical models of conflict and cooperation between intelligent rational decision-makers.” - Roger B. Myerson, Game Theory: Analysis of Conflict
  7. Game Theory 101 • Study of cooperative and non-cooperative games since the early 1700s • Emerged as a unique field via John von Neumann • “Theory of Games and Economic Behavior” published in 1944
  8. Choices. Player 1: • Walk straight • Swerve. Player 2: • Walk straight • Swerve
  9. Sidewalk Game (payoff matrix; columns: Swerve | Straight). Row Swerve: -1,1 | -1,1. Row Straight: 1,-1 | -5,-5
  10. Sidewalk Game (payoff matrix; columns: Swerve | Straight). Row Swerve: -1,-1 | -1,1. Row Straight: 1,-1 | -5,-5
  11. Sidewalk Game (payoff matrix; columns: Swerve | Straight). Row Swerve: -1,-1 | -1,1. Row Straight: 1,-1 | -5,-5
  12. Game Theory & Ransomware: Key Attributes • Two player • Non-cooperative • Asymmetric (strategies are different for each player) • Zero sum
  13. Players & Their Choices. Cyber Criminal: • Start/don't start ransomware campaign • Release data/don't release data. Victim: • Restore data from backup • Use or wait for a 3rd party decrypter kit • Negotiate or pay for ransom • Do nothing
  14. Decision Tree. Cyber criminal: Do not start ransomware campaign | Start ransomware campaign. Victim: Restore from backup | No backups available; Use third party decrypter | None available; Don't pay ransom | Negotiate/pay ransom. Cyber criminal: Release data | Don't release data
  15. Incentives. Cyber Criminal: • (Almost) always purely profit driven • Provide good customer service (good reputation = more victims). Victim: • Want their data back / primary objective • Time is a factor (e.g. can’t wait forever for a decrypter kit) • Ransom needs to be reasonably priced • SOMETIMES: greater good
  16. Incentives. Law Enforcement: • Investigate crimes • Prosecute cyber criminals to the fullest extent of the law. Anti-Virus Vendors: • Disrupt ransomware, as it aligns with the firm's value proposition
  17. It depends.
  18. Negative externality
  19. How Can I Use This? • Game theory and decision analysis can be used to analyze complex adversary/defender events • In turn, you will have more data to communicate complex concepts to executives • Try to think about risk in terms of economic decisions instead of red/yellow/green
  20. Questions
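
The Sidewalk Game matrix from slides 10 and 11 can be checked for zero-sum structure and Nash equilibria directly. The following is an added example, not part of the original slides: the function names are this example's own, and it assumes the first number in each cell is the row player's payoff (slide 9 shows -1,1 in the Swerve/Swerve cell; the values used here are those of slides 10 and 11).

```python
from fractions import Fraction
from itertools import product

STRATEGIES = ("Swerve", "Straight")

# Payoffs (row player, column player), copied from slides 10 and 11.
SIDEWALK = {
    ("Swerve", "Swerve"): (-1, -1),
    ("Swerve", "Straight"): (-1, 1),
    ("Straight", "Swerve"): (1, -1),
    ("Straight", "Straight"): (-5, -5),
}


def is_zero_sum(game):
    """True only if the two payoffs cancel out in every cell."""
    return all(row + col == 0 for row, col in game.values())


def pure_nash(game, strategies=STRATEGIES):
    """Cells where neither player gains by changing strategy alone."""
    found = []
    for r, c in product(strategies, repeat=2):
        row_pay, col_pay = game[(r, c)]
        row_ok = all(game[(alt, c)][0] <= row_pay for alt in strategies)
        col_ok = all(game[(r, alt)][1] <= col_pay for alt in strategies)
        if row_ok and col_ok:
            found.append((r, c))
    return found


def indifference_swerve_probability(game):
    """Probability q of the column player swerving that leaves the row
    player indifferent between Swerve and Straight (2x2 games only)."""
    a = game[("Swerve", "Swerve")][0]
    b = game[("Swerve", "Straight")][0]
    c = game[("Straight", "Swerve")][0]
    d = game[("Straight", "Straight")][0]
    # Solve q*a + (1-q)*b == q*c + (1-q)*d for q.
    denom = a - b - c + d
    if denom == 0:
        raise ValueError("no unique indifference point in this game")
    return Fraction(d - b, denom)


if __name__ == "__main__":
    print("zero-sum:", is_zero_sum(SIDEWALK))
    print("pure Nash equilibria:", pure_nash(SIDEWALK))
    print("mixed P(swerve):", indifference_swerve_probability(SIDEWALK))
```

The two pure equilibria are the cells where exactly one walker swerves; because the matrix is symmetric, the same indifference probability applies to both players.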