full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] phish war game

[Full-disclosure] phish war game

From: lsi <stuart_at_nospam>
Date: Tue Aug 05 2008 - 01:03:22 GMT
To: full-disclosure@lists.grok.org.uk


BLUE TEAM: anti-phishing blacklist
RED TEAM: phish
GREEN TEAM: end-users

starting degree of obfuscation: 0% (none) starting number of blocked domains: 0


round 1:

action: RED sends billions of phish
consequence: 5% of GREEN members are suckered and lose some cash

action: BLUE blocks the top 20 phished domains using the FROM field consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 0%
current number of blocked domains: 20

round 2:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 4% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 20%
current number of blocked domains: 40

round 3:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 3% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 24%
current number of blocked domains: 60

round 4:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 2% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 28.8%
current number of blocked domains: 80

round 5:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 1% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find new victims

current degree of obfuscation: 34.56%
current number of blocked domains: 100

round 6:

action: RED obfuscates their FROM fields by 20% and resends billions of phish
consequence: 0% of GREEN members are suckered and lose some cash


GAME OVER: RED loses at round 6, as 0% of GREEN members are suckered, due to over-obfuscation.

final degree of obfuscation: 41.47%
final number of blocked domains: 100


observations:

  1. The model is over-simplified, in reality it's unlikely that BLUE would consistently achieve 80%. However in reality it's also unlikely that RED would enjoy a linear relationship between obfuscation and success, specifically, the more RED obfuscates the less success it has. Both teams might suffer diminishing returns from their efforts. (for the purposes of the above model, these effects have been allowed to cancel each other out)
  2. The model has a constant 1% reduction in the victim rate, this is debatable, however it will never go upwards, eg., there is nothing RED can do to push that number back towards 100%. Conversely, everything BLUE does pushes that number towards 0%. In addition, other anti-phishing technologies will also be pushing the number towards 0%. GREEN itself might even push the number down.
  3. The model does not allow RED to increase the number of phish they send. In reality, they way well do so. However they will blocked faster in this case, not only by BLUE but also by other technologies, such as spam filters. (for the purposes of the above model, these effects have been allowed to cancel each other out)
  4. The model does not allow the game to be terminated voluntarily. In reality, RED will terminate the game voluntarily when phish revenue per hour falls below revenues per hour available from other sources. This will be some time before 0% of GREEN members are suckered, perhaps as early as round 3.
  5. The blacklist contains 100 items at the time RED loses. It may contain as little as 60 at the time RED terminates voluntarily.

links:

(...)
http://en.wikipedia.org/wiki/Business_War_Games

(this is a sales brochure, however it describes a war game a bit nicer than wiki, it's got diagrams, for a start) http://www.coleago.co.uk/uploads/Training/War%20Gaming.pdf

(this isn't relevant to a war game, it might be something like what's happening when the top 20 phished domains are used to select the items to blacklist, OTOH, it might not, I don't know, I'm not a statistician. I'd love to know the name of the technique, I use something similar to optimise my spam rules...) http://en.wikipedia.org/wiki/Monte_Carlo_method

(this was mentioned in one of the papers I quoted previously) http://en.wikipedia.org/wiki/Pareto_principle

---

Stuart Udall
stuart at_at_cyberdelix.dot net - http://www.cyberdelix.net/

---

  • Origin: lsi: revolution through evolution (192:168/0.2)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/