Full Disclosure mailing list archives
phish war game
From: "lsi" <stuart () cyberdelix net>
Date: Tue, 05 Aug 2008 02:03:22 +0100
BLUE TEAM: anti-phishing blacklist RED TEAM: phish GREEN TEAM: end-users starting degree of obfuscation: 0% (none) starting number of blocked domains: 0 ---------- round 1: action: RED sends billions of phish consequence: 5% of GREEN members are suckered and lose some cash action: BLUE blocks the top 20 phished domains using the FROM field consequence: 80% of RED members are forced to make new sites and find new victims current degree of obfuscation: 0% current number of blocked domains: 20 round 2: action: RED obfuscates their FROM fields by 20% and resends billions of phish consequence: 4% of GREEN members are suckered and lose some cash action: BLUE blocks the next top 20 phished domains using the FROM field consequence: 80% of RED members are forced to make new sites and find new victims current degree of obfuscation: 20% current number of blocked domains: 40 round 3: action: RED obfuscates their FROM fields by 20% and resends billions of phish consequence: 3% of GREEN members are suckered and lose some cash action: BLUE blocks the next top 20 phished domains using the FROM field consequence: 80% of RED members are forced to make new sites and find new victims current degree of obfuscation: 24% current number of blocked domains: 60 round 4: action: RED obfuscates their FROM fields by 20% and resends billions of phish consequence: 2% of GREEN members are suckered and lose some cash action: BLUE blocks the next top 20 phished domains using the FROM field consequence: 80% of RED members are forced to make new sites and find new victims current degree of obfuscation: 28.8% current number of blocked domains: 80 round 5: action: RED obfuscates their FROM fields by 20% and resends billions of phish consequence: 1% of GREEN members are suckered and lose some cash action: BLUE blocks the next top 20 phished domains using the FROM field consequence: 80% of RED members are forced to make new sites and find new victims current degree of obfuscation: 34.56% current number of blocked domains: 100 round 6: action: RED obfuscates their FROM fields by 20% and resends billions of phish consequence: 0% of GREEN members are suckered and lose some cash ---------- GAME OVER: RED loses at round 6, as 0% of GREEN members are suckered, due to over-obfuscation. final degree of obfuscation: 41.47% final number of blocked domains: 100 ---------- observations: 1. The model is over-simplified, in reality it's unlikely that BLUE would consistently achieve 80%. However in reality it's also unlikely that RED would enjoy a linear relationship between obfuscation and success, specifically, the more RED obfuscates the less success it has. Both teams might suffer diminishing returns from their efforts. (for the purposes of the above model, these effects have been allowed to cancel each other out) 2. The model has a constant 1% reduction in the victim rate, this is debatable, however it will never go upwards, eg., there is nothing RED can do to push that number back towards 100%. Conversely, everything BLUE does pushes that number towards 0%. In addition, other anti-phishing technologies will also be pushing the number towards 0%. GREEN itself might even push the number down. 3. The model does not allow RED to increase the number of phish they send. In reality, they way well do so. However they will blocked faster in this case, not only by BLUE but also by other technologies, such as spam filters. (for the purposes of the above model, these effects have been allowed to cancel each other out) 4. The model does not allow the game to be terminated voluntarily. In reality, RED will terminate the game voluntarily when phish revenue per hour falls below revenues per hour available from other sources. This will be some time before 0% of GREEN members are suckered, perhaps as early as round 3. 5. The blacklist contains 100 items at the time RED loses. It may contain as little as 60 at the time RED terminates voluntarily. ---------- links: (...) http://en.wikipedia.org/wiki/Business_War_Games (this is a sales brochure, however it describes a war game a bit nicer than wiki, it's got diagrams, for a start) http://www.coleago.co.uk/uploads/Training/War%20Gaming.pdf (this isn't relevant to a war game, it might be something like what's happening when the top 20 phished domains are used to select the items to blacklist, OTOH, it might not, I don't know, I'm not a statistician. I'd love to know the name of the technique, I use something similar to optimise my spam rules...) http://en.wikipedia.org/wiki/Monte_Carlo_method (this was mentioned in one of the papers I quoted previously) http://en.wikipedia.org/wiki/Pareto_principle --- Stuart Udall stuart at () cyberdelix dot net - http://www.cyberdelix.net/ --- * Origin: lsi: revolution through evolution (192:168/0.2) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- phish war game lsi (Aug 04)
- Re: phish war game Biz Marqee (Aug 05)
- Re: phish war game blah (Aug 05)