Should I Pay or Should I Go? Game Theory and Ransomware
•
1 gostou•216 visualizações
Slides from Tony Martin-Vegue's presentation at Security BSides, San Francisco: February 12, 2017. "Should I Pay or Should I Go? Game Theory and Ransomware" Ransomware infections are nasty and potentially devastating events that can cripple large companies and home computers alike. Ransomware comes in many varieties and works in different ways, but the basic scenario is the same: cybercriminals infect your computer with malicious software that blocks access to your system or important files until you pay the ransom. You have a finite amount of days to pay if you ever want to see your files again. Should you pay? The answer is a little more nuanced than “never pay” or “always pay.” The decision is a complex scenario of incentives and payoffs that can be analyzed with game theory. Game theory is a branch of mathematics that models conflict and cooperation between parties and is used in many real-world scenarios, inside and outside the Information Security field, including machine learning, poker games, allocation of security resources, kidnappings and nuclear war. This talk will use the familiar topic of ransomware to introduce participants to game theory concepts like rational decision-making, zero-sum games, incentives, utility and Nash Equilibrium – all important tools that can help solve security problems. By analyzing ransomware decision-making with a game theory mindset, participants will learn a new set of skills and a new way of incentive-driven thinking. Participants may be surprised to find that ransomware response isn’t black or white.
Recomendados
Recomendados
Mais conteúdo relacionado
Semelhante a Should I Pay or Should I Go? Game Theory and Ransomware
Semelhante a Should I Pay or Should I Go? Game Theory and Ransomware (20)
Mais de Tony Martin-Vegue
Mais de Tony Martin-Vegue (9)
Último
Último (20)
Should I Pay or Should I Go? Game Theory and Ransomware
- 1. Should I Pay or Should I Go? Game Theory and Ransomware #bsidessf
- 7. Why is this an open problem? What incentivizes the players? Should one ever pay a ransom?
- 9. “Game Theory can be defined as the study of mathematical models of conflict and cooperation between intelligent rational decision-makers.” - Roger B. Myerson, Game Theory: Analysis of Conflict
- 10. Two Player
- 11. Non-Cooperative
- 12. Asymmetric
- 13. Zero Sum
- 14. Players & Their Choices Cyber Criminal Victim
- 15. Decision Tree Cyber criminal Do not start ransomware campaign Start ransomware campaign Victim Restore from backup No backups available Use third party decrypter None available Don't pay ransom Negotiate/pay ransom Cyber Criminal Release Data Don't release data
- 16. Decision Tree Cyber criminal Do not start ransomware campaign Start ransomware campaign
- 17. Decision Tree Victim Restore from backup No backups available Use third party decrypter None available
- 18. Decision Tree Victim Restore from backup No backups available Use third party decrypter None available Don't pay ransom Negotiate/pay ransom
- 22. Thought leaders
- 23. Risk managers
- 24. Resources No More Ransom! Project https://www.nomoreransom.org Economics and Security (complied by Ross Anderson) https://www.cl.cam.ac.uk/~rja14/econsec.html Game Theory: Analysis of Conflict (book) by Roger Myerson Theory of Games and Economic Behavior (book) by John von Neumann
Notas do Editor
- Hi – welcome for coming I am very excited to be here. I’m here to talk about game theory and ransomwre. When you are dealing with ransomware – incident reponder, CISO, victim, etc, what’s really going on? I’m not talking about the strain of ransomware or bitcoing or phishing emails. I’m talking about how your brain works when you are making tough, difficult decision. how do people interact with each other when they are in adversarial situtations
- Here’s a picture of me. My parents, to this day, brag about how TV was the best babysitter when I was young. but little else has changed I work for Lending Club – I manage the Information Security Risk team. Part of my job responsibilities – Risk quantification of ransomware Decision analysis; how to I privide information to leaders to make better decision about possible events? I particurarly got interested in ransomware and game theory around the time hollywood presbyterian got hit in early 2016
- I’m from LA, I know this hospital well. It’s big – they have over 400 beds, 500 doctors – it’s a major regional care care center. I’ve visitied sick family and friends there. - Around feb 4 2016 – Someone in the hospital clicked on a word doc inside of a phishing email - The word doc was malicious and used to infect the system with the Lockie strain of ransomware IT dept believed it was spreading – some people couldn’t access the network, then more Started shutting systems down proactively; other systems and servers were infected Initial ransom was 3.6 million
- System down for a week Pen and paper Re-route 911 patients Pharmacy was offline Oncology was offline No lab work
- They struggled for a week in this degraded state until they finally paid up negotiated down to 17k The question is, did they make the right decision Should they have not paid, should they have sucked it up The infosec community was very loud and vocal – must of us had this reaction
- Duh – Dummies, this is what happens to you when you don’t patch, don’t have backups, don’t use linux, whatever I would have never paid There’s something else at play here. We’re clearly losing the war against ransomware Law firms and others setting up bitcpin retainers On the rise – kapersky labs, 2015 1 infection every 2 minutes, 2016, 1 every 40 seconds Best advice we have for people is just, don’t pay. People are paying. Why?
- To answer that question, we need to ask more questions. Here are the questions I have Should one ever paythe ransom?
- Spoiler alert – I know the title of this speech is should I pay or should I go Going to give you the answer to this question now instead of waiting until the end. The answer is…. It depends. Like everything else in info sec, there is no yes/no binary answer. It’s all shades of risk. I am however going to show you some tools you can use to start thinking about this problem in a different way
- What is game theory? “Game Theory can be defined as the study of mathematical models of conflict and cooperation between intelligent rational decision-makers.” Price war Nuclear war – one tangible example Optimal ways to play hide and seek Information security, from where to deploy network defenses to taking down cyber criminal rings
- I’ve done it in the past but I’ve made it a personal vow to never use the hoodie wearing keyboard guy symbolize a cyber criminal or hacker ever again. I’m using a raccoon from now on. Let’s take a look at the choices. They are different – so this is an asymmetric game. The criminal has two choices; they are the ones that choose to start the game. Second, at the end of the game, they can choose to release data or not to release data. I haven’t been able to find any hard figures about the success rate of paying the ransom, but a few folks at one of the ISACs told me it’s about 80%. 80% of ransomware payments result in you getting your data back. The victim has several choices when they are hit by ransomware. Restore data from backup Use or wait for a 3rd party decrypter kit Negotiate or pay for ransom Do nothing
- Let’s take a look at these choices in a decision tree. Decision trees are another way, in addiiton to the payoff matrix, that we use to visualize decisions in games
- Let’s take a look at these choices in a decision tree. Decision trees are another way, in addiiton to the payoff matrix, that we use to visualize decisions in games How do we disrupt this? Incentives Why are kidnappings down? Anti-virus
- Let’s take a look at these choices in a decision tree. Decision trees are another way, in addiiton to the payoff matrix, that we use to visualize decisions in games Can most people find or use decrypters? How do we help this? Incentives tie back to the hospital
- Let’s take a look at these choices in a decision tree. Decision trees are another way, in addiiton to the payoff matrix, that we use to visualize decisions in games Law enforcements is involved on a macro level. Ransowmare is a crime, and the FBI and other LE investigate crimes and prosceute criminals. Given this as their main objective, they don’t really care about your data. I’m sure they do on some level, but what they really want to do is totally shot down the ransomware profit stream and dry up the money. How do you do that – encourage people and companies not to pay the ransom, which is exactly what most LE do. This is greater good What about AV vendors? They want to disrupt ransomware and malware infections, but only as it aligns with the firm’s value proposition. What do I mean by that? There are many cases reported in news of big pharma doing things that put profit over people. The same has been alleged many times about AV firms.
- Let’s take a look at these choices in a decision tree. Decision trees are another way, in addiiton to the payoff matrix, that we use to visualize decisions in games
- Incident responders –multi-facted set to responses. It’s not just pay/don’t pay; there are things you can do. Partner with LE, some of the ISACS who can help with decrypters. DO NOT WAIT for nan event to know the names of agents in the fbi. Also prepare for the eventuality that you may have to pay.
- Incident responders –multi-facted set to responses. It’s not just pay/don’t pay; there are things you can do. Partner with LE, some of the ISACS who can help with decrypters. DO NOT WAIT for nan event to know the names of agents in the fbi. Also prepare for the eventuality that you may have to pay.
- We have a lot of thought leaders, don’t we? Thought leaders: recognize that this is an open problem and that we need help. Ransomware is the scourge of information security, and if people are paying or if they are stuck, don’t know what to do, we’re failing. We need infosec 2.0. the vast majority if IT shops, will say patching is is the biggest thing they struggle with. This needs to change
- Risk managers: We need more rigerous analysis Evidence based Data driven Encourage you to use economic models in your risk analysis insea The era of linking your thunb iand putting itin the wind is over -- risk matrix is debunked nd we need
- Go back to main point, “Ransomware response is a good example of how game theory can used to analyze decisions, payouts and competition between actors.” Encourage the audience to use economic models to study security problems. Side with resources/further reading