Devaluing Attack: Disincentivizing Threats Against the Next Billion Devices

Presented at Black Hat Asia 2016, Unknown date/time (Unknown duration)

Cyberattacks are not like natural disasters or other forces of nature, nor are they like diseases or other autonomously evolving and spreading agents (yet). They are ultimately and fundamentally driven by rational human action. As such, economics is the best way to view attacker and defender strategies. The traditional approach to defense is to raise the cost for your attackers by making attacks as difficult as possible. This, unfortunately, has a tendency to raise costs for the defender and their users too and does not scale well. An alternative and more scalable strategy is to reduce the value to the attacker of a successful attack. What does this look like? This strategy is already in use in many forms around us and we will point out where it is being employed successfully. Does it work? We will examine the phases of an intrusion common to both financially-motivated and state-sponsored attackers in order to show how defenses based on lowering the value versus raising the cost affect both the attacker and defender. Finally, we will explore what this strategy means for the security threats against the next billion devices.

Presenters:

• Dino Dai Zovi - Square
  Dino Dai Zovi is the Mobile Security Lead at Square. He has been working in information security for over 15 years with experience in red teaming, penetration testing, software security, information security management, and cybersecurity R&D. Dino is also a regular speaker at information security conferences having presented his independent research on memory corruption exploitation techniques, 802.11 wireless client attacks, and Intel VT-x virtualization rootkits at conferences around the world including Black Hat, RSA, DEF CON, and CanSecWest. He is a co-author of the books "The iOS Hacker's Handbook" (Wiley, 2012), "The Mac Hacker's Handbook" (Wiley, 2009) and "The Art of Software Security Testing" (Addison-Wesley, 2006). In 2008, eWEEK named him one of the 15 Most Influential People in Security. He is best known in the information security and Mac communities for winning the first PWN2OWN contest at CanSecWest 2007.

Links:

• https://www.blackhat.com/asia-16/briefings.html#devaluing-attack-disincentivizing-threats-against-the-next-billion-devices
• https://www.youtube.com/watch?v=_A6Y62AcQ2g
• https://www.blackhat.com/docs/asia-16/materials/asia-16-DaiZovi-Devaluing-Attack-Disincentivizing-Threats-Against-The-Next-Billion-Devices.pdf

Similar Presentations:

• THOTCON 0x9 (2018) / Best travel buddy 3vaaar!
• Black Hat USA 2010 / Security is Not a Four Letter Word
• DEF CON 24 (2016) / Maelstrom - Are You Playing with a Full Deck? : Using a Newly Developed Attack Life Cycle Game to Educate, Demonstrate and Evangelize.