Identifying Risk Factors for Targeted Attack
The analogy between computer viruses and biological viruses is well developed. Computer viruses spread across the world and within organisations in ways that are consistent with models developed to understand and predict the spread of biological diseases in epidemics.
However, viruses that spread from host to host aren't the only form of malware. Targeted trojans are an example of malware that infects hosts but does not spread. This malware is sent to individuals who have been specifically selected by the attackers, in order to compromise the target's computer and steal high value information. Because, unlike computer viruses, these trojans do not replicate, we cannot predict who will be hit by them by treating these infections as similar to a spreading epidemic.
We can, however, apply other techniques adapted from the understanding of human disease. If the recipients of targeted trojan attacks have been specifically selected, then we can imagine that the attackers have undertaken some form of research where they have identified individuals most likely to have access to the information that they wish to compromise. This research activity would probably involve considering factors associated with the occupation of the potential target, and these are likely to influence the attacker in their choice of whom to attack.
In this way targeted attacks may resemble occupational diseases, where exposure to environmental factors as part of employment results in the future development of diseases. Epidemiological techniques to detect these risk factors for health outcomes are well developed and form the foundation upon which modern public health campaigns are based. Adapting such techniques and using them to analyse common factors shared between recipients of targeted trojans may identify the risk factors which predispose individuals to an increased risk of attack.
In a paper presented at the Virus Bulletin conference this week, we show that one such technique, the calculation of Odds Ratios, can be used to identify a strong association between individuals researching certain subjects and being sent targeted attacks.
The strongest association discovered is for researchers in “Social Studies”, notably those researching Economics and International Relations, and also those researching subjects in “Eastern, Asiatic, African, American and Australasian Languages, Literature and Related Subjects”. Conversely, those researching “Medicine & Dentistry”, “Veterinary Science”, “Agriculture and Related Subjects” and “Architecture Building & Planning” were at a greatly reduced risk.
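To make the Odds Ratio calculation concrete, the following added example (not code or data from the paper) computes an odds ratio per subject group from a 2x2 table and labels the group as increased or reduced risk. The counts and group names are constructed, and the 95% confidence interval (Woolf logit method) and the 0.5 zero-cell correction are assumptions of this example rather than the paper's stated procedure.

```python
import math

def odds_ratio(exp_cases, exp_controls, unexp_cases, unexp_controls, z=1.96):
    """Return (OR, ci_low, ci_high) for one risk factor.

    exp_cases      : targeted people who research the subject
    exp_controls   : non-targeted people who research the subject
    unexp_cases    : targeted people who do not research the subject
    unexp_controls : non-targeted people who do not research the subject
    """
    cells = [exp_cases, exp_controls, unexp_cases, unexp_controls]
    if any(n < 0 for n in cells):
        raise ValueError("counts must be non-negative")
    if 0 in cells:
        # Haldane-Anscombe correction: avoids division by zero when a
        # subject has no targeted (or no untargeted) researchers at all.
        cells = [n + 0.5 for n in cells]
    a, b, c, d = cells
    ratio = (a * d) / (b * c)
    # Standard error of ln(OR); the interval is built on the log scale.
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    low = math.exp(math.log(ratio) - z * se)
    high = math.exp(math.log(ratio) + z * se)
    return ratio, low, high

def classify(ratio, low, high):
    """Only call a factor a risk (or protective) if the CI excludes 1."""
    if low > 1:
        return "increased risk"
    if high < 1:
        return "reduced risk"
    return "no significant association"

# Constructed counts for three hypothetical subject groups.
SAMPLE = {
    "Subject group A": (30, 70, 20, 380),
    "Subject group B": (2, 198, 48, 252),
    "Subject group C": (10, 90, 40, 360),
}

def assess(table):
    """Map each subject group to its risk label."""
    return {name: classify(*odds_ratio(*counts)) for name, counts in table.items()}

if __name__ == "__main__":
    for name, counts in SAMPLE.items():
        ratio, low, high = odds_ratio(*counts)
        print(f"{name}: OR={ratio:.2f} CI=({low:.2f}, {high:.2f}) {classify(ratio, low, high)}")
```

An odds ratio well above 1 with an interval that excludes 1 marks a group whose members should be prioritised for awareness and hardening; small counts widen the interval, so sparse groups should not be over-interpreted.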
Identifying these risk factors can assist in spotting those who may be at increased risk of being subjected to targeted attacks, so that they take appropriate steps to secure themselves and their data. In many ways, this follows the classic public health process, identifying risk factors that are associated with an adverse outcome, identifying those who possess these factors, and then informing them of their risk so that they can take measures to protect themselves.
We are still a long way from being able to exactly identify who will be affected by what malware, but this is a first step in showing that epidemiological techniques can be adapted to measure specific risks for attack.
 M Lee, “Who’s Next? Identifying Risk Factors for Subjects of Targeted Attack”, in Proceedings of the 22nd Virus Bulletin Conference VB2012.