Are You at Risk? Profiling Organizations and Individuals Subject to Targeted Attacks

Abstract

Targeted attacks consist of sophisticated malware developed by attackers having the resources and motivation to research targets in depth. Although rare, such attacks are particularly difficult to defend against and can be extremely harmful. We show in this work that data relating to the profiles of organisations and individuals subject to targeted attacks is amenable to study using epidemiological techniques. Considering the taxonomy of Standard Industry Classification (SIC) codes, the organization sizes and the public profiles of individuals as potential risk factors, we design case-control studies to calculate odds ratios reflecting the degree of association between the identified risk factors and the receipt of targeted attack. We perform an experimental validation with a large corpus of targeted attacks blocked by a large security company’s mail scanning service during 2013–2014, revealing that certain industry sectors and larger organizations –as well as specific individual profiles – are statistically at elevated risk compared with others. Considering targeted attacks as akin to a public health issue and adapting techniques from epidemiology may allow the proactive identification of those at increased risk of attack. Our approach is a first step towards developing a predictive framework for the analysis of targeted threats, and may be leveraged for the development of cyber insurance schemes based on accurate risk assessments.

Appendices

Appendix A: Detailed Odds Ratio (OR) Results

Table 4. OR calculated as per Organisational size

Table 5. OR calculated as per individual job type and job level.

Table 6. OR calculated as per individual location and Linkedin connections.

Appendix B: Combining Odds Ratios using Multi-Criteria Decision Analysis

We use Multi-Criteria Decision Analysis (MCDA) to design an aggregation model for the calculation of combined risk scores, taking as input all odds ratio associated with the individual features. A typical MCDA problem consists to evaluate a set of alternatives w.r.t. different criteria using an aggregation function [3]. The outcome of this evaluation is a global score obtained with a well-defined aggregation model that incorporates a set of constraints reflecting the preferences and expectations of the decision-maker (Table 4).

An aggregation function is defined as a monotonically increasing function of n arguments \((n > 1)\): \(f_{aggr}: {\left[ 0,1\right] }^n \longrightarrow \left[ 0,1\right] \) (Table 5).

In the family of averaging aggregation functions, the Ordered Weighted Average (OWA) operator extends these functions by combining two characteristics: (i) a weighting vector (like in a classical weighted mean), and (ii) sorting the inputs (usually in descending order). OWA is defined as [37]:

$$\begin{aligned} OWA_\mathbf {w}(\mathbf {x}) = \sum _{i=1}^{n} w_i x_{(i)} = < \mathbf {w}, \mathbf {x}_{\searrow } > \end{aligned}$$

where \(\mathbf {x}_{\searrow }\) is used to represent the vector \(\mathbf {x}\) arranged in decreasing order: \(x_{(1)} \ge x_{(2)} \ge \ldots \ge x_{(n)}\). This allows a decision-maker to design more complex decision modeling schemes, in which we can ensure that only a portion of criteria is satisfied without any preference on which ones precisely (e.g., “at least” k criteria satisfied out of n). OWA differs from a classical weighted means in that the weights are not associated with particular inputs, but rather with their magnitude. It can thus emphasize a subset of largest, smallest or mid-range values (Table 6).

It might be useful sometimes to also take into account the reliability of each information source in the aggregation model, like in Weighted Mean (WM). Torra [34] proposed thus a generalization of OWA, called Weighted OWA (WOWA). This aggregation function quantifies the reliability of the information sources with a vector \(\mathbf p \) (as the weighted mean does), and at the same time, allows to weight the values in relation to their relative ordering with a second vector \(\mathbf w \) (as the OWA operator). It is defined by [34]:

$$\begin{aligned} WOWA_{\mathbf {w},\mathbf {p}}(\mathbf {x}) = \sum _{i=1}^{n} u_i x_{(i)}, \end{aligned}$$

where \(x_{(i)}\) is the \(i^{th}\) largest component of \(\mathbf {x}\) and the weights \(u_i\) are defined as

$$\begin{aligned} u_i = G \left( \sum _{j \in H_i} p_j \right) - G \left( \sum _{j \in H_{i-1} } p_j \right) \end{aligned}$$

where the set \(H_i = \lbrace j \vert x_j \ge x_i \rbrace \) is the set of indices of the i largest elements of \(\mathbf {x}\), and G is a monotone non-decreasing function that interpolates the points \((i/n, \sum _{j \le i} w_j)\) together with the point (0, 0). Moreover, G is required to have the two following properties:

1. 1.

   \(G(i/n) = \sum _{j \le i} w_j\), \(i = 0, \ldots , n\);

2. 2.

   G is linear if the points \((i/n, \sum _{j \le i} w_j)\) lie on a straight line.