New equation predicts the best time to launch a cyber attack

Life just got a bit tougher for cyber saboteurs and hackers. A pair of researchers have formulated an algorithm that can predict the optimal time for unleashing specific weapons during a cyber attack.

Experts say cyber insecurity is one of the most significant threats facing nations, corporations, and individuals today. Risks include financial loss, loss of privacy, loss of intellectual property, breaches of national security via cyber espionage, and potential large-scale damage in a war involving cyber sabotage.

Stealth, persistance, value

Looking to improve our understanding of cyber conflicts and how they can be mitigated, University of Michigan security expert Robert Axelrod, along with Rumen Iliev, created a mathematical model that can predict when a cyber attack is most likely to be initiated.

To create the algorithm, the researchers focused on several variables, including the weapon's stealth, persistence, and value. They also considered current and likely future stakes, the threshold of stakes that would cause a nation, group or individual to use the weapon, and the discount rate — a reflection of the fact that a given payoff could have less impact if it's utilized too far in the future.

Thus, the equation shows that, when the stealthiness of a weapon increases, it is better to use it sooner rather than later. Or the more persistent the weapon — i.e. the realization that if it's not used now, it could still be rendered usable during a subsequent time period — the longer its use can be postponed.

Interestingly, the researchers confirmed their model by referencing it to previous attacks, including Stuxnet, the 2012 Iranian attack on Saudi Aramco, and various Chinese cyber espionage efforts.

High Stakes Stuxnet

Indeed, the Stuxnet case offers an excellent case study of how the algorithm works. This worm was low persistence that employed four different zero-day exploits to accomplish three functions: loading the malware from a flash drive, spreading the malware to other machines sharing a printer, escalating the attacker's privileges on a machine and give full control of it. The low persistence would have put pressure on the attackers — the U.S. and Israel in this case — to act sooner rather than later.

The researchers write:

Stuxnet's designers took great care to make it Stealthy, and succeeded in avoiding detection for 17 months. Instead of simply destroying the centrifuges, it caused some to speed up in short bursts that damaged but did not destroy them. In addition, Stuxnet masked the change in speed by preventing the control panel from revealing what was happening. After completing its mission, Stuxnet erased itself.

The stakes involved in the Stuxnet attack was to delay Iran's ability to attain enough enriched uranium for nuclear weapons. Once Iran did attain nuclear weapons capability, further delays in its enrichment program would be much less valuable than delays before it achieved that capability. In terms of our model, the attacker's view of the current stakes must have been very high, for both the United States and Israel.

The model thus predicted that a resource like Stuxnet would be expected to have poor persistence and relatively good stealth, meaning that it should be used as soon as possible, particularly in high stakes situations. That's pretty much what happened.

Looking ahead, the researchers hope their work will encourage other efforts to study cyber threats in a more rigorous way.

"There's a lot of discussion about cyber problems, but it's so new that the language isn't established," noted Axelrod. "People use the word attack to mean anything from stealing a credit card number to sabotage of an industrial system."

Read the entire study at PNAS: "Timing of cyber conflict."