phish war game

["lsi" <stuart () cyberdelix net>]

BLUE TEAM: anti-phishing blacklist
RED TEAM: phish
GREEN TEAM: end-users

starting degree of obfuscation: 0% (none)
starting number of blocked domains: 0

----------

round 1:

action: RED sends billions of phish
consequence: 5% of GREEN members are suckered and lose some cash

action: BLUE blocks the top 20 phished domains using the FROM field
consequence: 80% of RED members are forced to make new sites and find 
new victims

current degree of obfuscation: 0%
current number of blocked domains: 20

round 2:

action: RED obfuscates their FROM fields by 20% and resends billions 
of phish
consequence: 4% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM 
field
consequence: 80% of RED members are forced to make new sites and find 
new victims

current degree of obfuscation: 20%
current number of blocked domains: 40

round 3:

action: RED obfuscates their FROM fields by 20% and resends billions 
of phish
consequence: 3% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM 
field
consequence: 80% of RED members are forced to make new sites and find 
new victims

current degree of obfuscation: 24%
current number of blocked domains: 60

round 4:

action: RED obfuscates their FROM fields by 20% and resends billions 
of phish
consequence: 2% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM 
field
consequence: 80% of RED members are forced to make new sites and find 
new victims

current degree of obfuscation: 28.8%
current number of blocked domains: 80

round 5:

action: RED obfuscates their FROM fields by 20% and resends billions 
of phish
consequence: 1% of GREEN members are suckered and lose some cash

action: BLUE blocks the next top 20 phished domains using the FROM 
field
consequence: 80% of RED members are forced to make new sites and find 
new victims

current degree of obfuscation: 34.56%
current number of blocked domains: 100

round 6:

action: RED obfuscates their FROM fields by 20% and resends billions 
of phish
consequence: 0% of GREEN members are suckered and lose some cash

----------

GAME OVER: RED loses at round 6, as 0% of GREEN members are suckered, 
due to over-obfuscation.

final degree of obfuscation: 41.47%
final number of blocked domains: 100

----------

observations:

1. The model is over-simplified, in reality it's unlikely that BLUE 
would consistently achieve 80%.  However in reality it's also 
unlikely that RED would enjoy a linear relationship between 
obfuscation and success, specifically, the more RED obfuscates the 
less success it has.  Both teams might suffer diminishing returns 
from their efforts. (for the purposes of the above model, these 
effects have been allowed to cancel each other out)

2. The model has a constant 1% reduction in the victim rate, this is 
debatable, however it will never go upwards, eg., there is nothing 
RED can do to push that number back towards 100%.  Conversely, 
everything BLUE does pushes that number towards 0%.  In addition, 
other anti-phishing technologies will also be pushing the number 
towards 0%.  GREEN itself might even push the number down.

3. The model does not allow RED to increase the number of phish they 
send.  In reality, they way well do so.  However they will blocked 
faster in this case, not only by BLUE but also by other technologies, 
such as spam filters. (for the purposes of the above model, these 
effects have been allowed to cancel each other out)

4. The model does not allow the game to be terminated voluntarily.  
In reality, RED will terminate the game voluntarily when phish 
revenue per hour falls below revenues per hour available from other 
sources.  This will be some time before 0% of GREEN members are 
suckered, perhaps as early as round 3.

5. The blacklist contains 100 items at the time RED loses.  It may 
contain as little as 60 at the time RED terminates voluntarily.

----------

links:

(...)
http://en.wikipedia.org/wiki/Business_War_Games

(this is a sales brochure, however it describes a war game a bit 
nicer than wiki, it's got diagrams, for a start)
http://www.coleago.co.uk/uploads/Training/War%20Gaming.pdf

(this isn't relevant to a war game, it might be something like what's 
happening when the top 20 phished domains are used to select the 
items to blacklist, OTOH, it might not, I don't know, I'm not a 
statistician.  I'd love to know the name of the technique, I use 
something similar to optimise my spam rules...)
http://en.wikipedia.org/wiki/Monte_Carlo_method

(this was mentioned in one of the papers I quoted previously)
http://en.wikipedia.org/wiki/Pareto_principle

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/