Underground Economics for Vulnerability Risk
The estimation of vulnerability risk is at the core of any IT security management strategy. Among technical and infrastructural metrics of risk, attacker economics represent an emerging new aspect that several risk assessment methodologies propose to consider (e.g., based on game theory). Yet the factors over which attackers make their (economic) decisions remain unclear and, importantly, unquantified. To address this, I infiltrated a prominent Russian cybercrime market where the most prominent attack technology is traded. Supported by direct observations of market activity, I investigate in this work the economic factors that drive the adoption of new attacks at scale and their effect on risk of attack in the wild. As a market participant, I have access to the full spectrum of attack services offered to all members and, in particular, look at the market economics of vulnerability exploitation.