Cybersecurity is a constant battle between attackers and defenders who try to leverage advances in technology to gain an advantage. Progress in those technologies can tip the scales in favor of either offense or defense, and it is not always clear beforehand which side will benefit more. This report illustrates how mathematical modeling can provide insights into how advances in technology might affect a few areas of cybersecurity: 1) phishing, 2) vulnerability discovery, and 3) the race between patching and exploitation. We demonstrate the approach and show the types of insights that it can provide.
Phishing is already a popular and effective technique for attackers. With little effort, attackers can send a generic message to many recipients, tricking a small percentage of them into cracking the door to the victim’s organization. Attackers can work harder to tailor their message to individual targets and increase the probability of success. Today, automated systems that can collect private data and write convincingly threaten to combine the scale of those spray-and-pray phishing campaigns with the effectiveness of spear phishing.
For this report, we consider how sending many emails to an organization increases the chance of a breach but also increases the chances of being discovered by the organization’s defenders. We find that even if applying artificial intelligence (AI) to the phishing process increases the odds of an employee falling for a phishing email, the attacker may choose to send few emails to avoid being detected—so few that humans could write them for themselves. That is especially true if phishing detection technologies improve as well. This means that organizations that have been targeted in the past may not experience drastic changes from automated phishing. Organizations that have so far been too low-profile to garner much interest from attackers may not be as fortunate, and may experience an increase in high-quality phishing attacks due to the availability of automated writing systems. If phishing campaigns target a larger number of these organizations, then sharing threat information about these offensive campaigns may become even more beneficial than it already is.
In examining the vulnerability discovery process, we found that both computers and humans discover vulnerabilities at a rate that starts high then decreases over time. When modeling this mathematically there are just two components: one that describes the initial rate of vulnerability discovery, and a second that describes how quickly that rate decreases. Modeling this activity suggests that testing quickly can uncover most or all of those vulnerabilities so they can be fixed, perhaps even before the software is released. However, for testers that continue to discover vulnerabilities with only modest decreases in the rate of discovery, the vulnerability discovery process continues for much longer. Testing faster may just mean that there are more vulnerabilities for attackers to use and for defenders to remediate. This suggests that techniques that simply accelerate vulnerability discovery are a benefit to defense, but techniques that are more creative and sustain the vulnerability discovery process over time—something more akin to current human processes—may actually hurt more than they help.
Race Between Patching and Exploitation
Once a new vulnerability is discovered, attackers and defenders are in a race to either patch the systems or exploit them. Patches need to be developed and also distributed to computers around the world before the exploits are developed and distributed. For this report, we draw on models that match the historical delays in these separate stages of the race.
Defenders usually get a head start, about 80 percent of the vulnerabilities have a patch ready on the day the vulnerability is disclosed. Even when they do not have that head start, patch development tends to be faster than exploit development. This head start and rapid development mean that there are only limited benefits to gain from further advances in patch development. On the other hand, deploying those patches is often much slower in practice for a variety of reasons, so advances that help users incorporate patches can significantly decrease the fraction of computers that are vulnerable to a given vulnerability at a given time. Our estimates suggest that a five times speedup in patch adoption would reduce the peak number of exposed vulnerabilities by about 25 percent and would decrease the number of exposed computers at the one-hundredth-day mark by 400 percent.
Conclusions Regarding Modeling Technology Development
We believe that models like these can help guide investment and research decisions in ways that prioritize technologies that are likely to have the most beneficial impact. As a few examples, AI for phishing may increase the need for information sharing, vulnerability discovery technologies should aim to increase speed of discovery but not creativity, and patch-deployment technology should be prioritized over patch development. However, these models are highly uncertain and we expect that their main benefit may not be in any specific recommendation, but rather in concretizing assumptions. We hope that being mathematically explicit can accelerate debate over which assumptions are most appropriate.