Author: **Ariel Futoransky**

CTO

@AFutoransky

This is a short article discussing the relationship between a traditional attack lifecycle and an attack where the BitTrap incentive is present. We introduce a model to describe layered attacks and analyze the impact of applying this type of incentives to transform the attacker behavior.

We show that after adding the BitTrap incentive there is at least a 10x pressure to switch to the more benevolent path. Furthermore, if the hacker chooses to ignore and proceed with the traditional monetization strategy, the presence of the BitTrap incentive is neglectable in terms of the reward obtained (0.25% increase).

We are considering a setting with one attacker and an organization with multiple
devices.

**The attacker** has a set of tools he can use to try to breach into each device.
These tools can
either be exploits that profit from software vulnerabilities or system
misconfigurations, or social
engineering or phishing tricks that make use of unsafe user behavior.

The attacker is trying to gain an economic advantage by hacking into the organization and accessing valuable information from one or more devices. This information can be sold on the dark web for a meaningful amount of money. In real life there are other possible monetization strategies but on this model we are focused on data exfiltration. Not all the devices contain this kind of valuable data, so the attacker will try to traverse through different nodes to access the ones he is interested in. To progress in his plans, the attacker will use his tools, or take advantage of trust relationships present among the nodes.

**The organization** has a layered approach to security. With only some devices
on the perimeter
that can be directly attacked. Security components patrol the infrastructure, trying
to identify the
attacker tools, suspicious behavior or attempts to violate access policy. If an
event is detected,
an incident response is started, kicking the hacker out of the compromised devices.

In order to analyze this setting we create a simplified model with two stages, X1: the perimeter exposed device, and X2: the target monetizable device. We represent the attacker tools as two numbers per device. The probability of successfully breaking into the device without being detected by trying each available tool, and the time it will take on average to complete the whole task.

This is a good representation of our conceptual framework because the probabilities and times associated with breaking into X1 or X2 can summarize several intermediate steps, or alternative targets in a succinct way.

With this model in mind we describe two Scenarios:

This is the traditional scenario. There is a single path for the attacker, he needs to first break into the surface asset (X1), and then complete a second step to breach the target asset (X2)

If successful, he will collect the standard reward Ra.

We model the first stage of the attack, breaking into X1, using two parameters
P_{1}
and T_{1}. P_{1}
represents the probability of success for the attacker. T_{1} represents the
average
amount of time
invested in the attack for this stage, independent of the result.

We model the second stage of the attack likewise using P_{2} as the
probability of
breaking into
X2, and T_{2} the time required given that X1 was breached successfully.

This is the scenario augmented with BitTrap. A new reward is added to X1 (Rb), Here the attacker has two choices, either going for the original target by breaking into X1 and then X2, where if successful he will be able to collect Ra + Rb (If the attack fails he is detected and collects 0 reward). Or retire as soon as breaking into X1 and collecting Rb.

The parameters of the model are equivalent to Sa.

For both scenarios, the Probability of breaking into X1 is:

P(X1) = P_{1}

And the probability of breaking into X2, which requires breaking into X1 first is:

P(X2) = P_{1} . P_{2}

(Here P_{2} = P(X2|X1) is the probability of the attacker breaking into X2
given that
he has already broken into X1.)

The expected time for trying to break into X2 is:

ET_{2} = T_{1} + P_{1} . T_{2}

The expected reward for SA is:

Ea = P(X2) . Ra = P_{1} . P_{2} . Ra

For scenario SB there are two possible strategies. Choosing exit on X1 yields the following expected reward:

Eb_{1} = P_{1}. Rb

While choosing to attack X2 yields^{*1} :

Eb_{2} = P_{1} . P_{2}. (Ra + Rb)

The return on investment for SA (expected reward per unit time invested) is:

*ROI *-A= Ea / ET_{2}

Return on investment for SB choice 1 (exit) is:

*ROI *-B-1 = Eb_{1} / T_{1}

Return on investment for SB choice 2 (Attack X2) is:

*ROI *-B-2 = Eb_{2} / ET_{2}

***1** : We assume that if the attacker fails with X2, he is detected and has 0 reward. Thus, he either gets a reward of Ra+Rb with probability P_{1}.P_{2}, or he gets nothing.

P_{1} |
0.1 | The attacker breaks into 1/10 of the chosen initial targets |

P_{2} |
0.001 | Breaking into the final target is as hard as breaking into three surface assets |

T_{1} |
10 | 10 days to try to break into X1 |

T_{2} |
300 | 10 months average attack lifecycle |

Ra | 1,000,000 | The stolen information from X2 can be sold for 1 Million dollars |

Rb | 2,500 | We set $2500 as BitTrap’s incentive wallet |

Ea | 100 | Expected reward $100 per target |

ET_{2} |
40 | Expected average time spent on targets looking for X2 is 40 days |

Eb_{1} |
250 | Expected reward for choosing bittrap is $250 per target |

Eb_{2} |
100.25 | Expected reward for choosing X2 on a bittrap protected site |

ROI -A |
2.500 | For SA, the expected reward per day is $2.5 |

ROI -B-1 |
25.000 | For SB choosing exit, the expect reward per day is $25 |

ROI -B-2 |
2.506 | For SB ignoring BitTrap and going for the original target yields $2.506 per day |

***2** : There are other possible extensions to the model that can be studied:

· Sometimes X1 is also monetizable. Like for example under ransomware monetization
tactics. We could add an Ra1 parameter representing this reward, and calculate the
expected rewards accordingly.

· We could represent different sets of exploits with dissimilar characteristics,
each with
their own P,T pairs.

· We could represent independently the exploits characteristic with three possible
outcomes: Probability of successfully breaking into the device, probability of
failing but
remain undetected, and probability of being detected.

From this simple analysis we can conclude:

1. *ROI *-B-1 is 10 times higher than *ROI *-B-2, so there is a significant
incentive for
the attacker
to choose the incentive on companies protected with BitTrap.

2. *ROI *-B-2 is only 0.25% higher than *ROI *-A, so there is no noticeable
increase in the
incentives to attack X2 after installing BitTrap. X2 is where the valuable
information is
stored.

This is a simplified model, but it can illustrate how the deployment of a simple strategic incentive can radically transform the behavior and perceived preferences of the attacker in a beneficial way. Considering that incentives can be deployed with almost no resource consumption (network, storage, computation) and that maintenance costs are negligible, the upside of investing in this type of strategy can be huge.