October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Criminal cost modeling

Chris Baker (Dyn)
1:15pm–1:55pm Wednesday, 11/02/2016
Bridging business and security
Location: Mercury Ballroom Level: Intermediate
Average rating: ****.
(4.60, 5 ratings)

Prerequisite knowledge

  • A general understanding of the communications involved in loading a web page

What you'll learn

  • Explore a blueprint for quantifying a security-related business decision using data analysis
  • Gain awareness of the ease of access of markets for user data and credentials to aid decision making and user access controls


When trying to make defense-oriented investment decisions, it can be hard to forecast the impact said investment will have on internal KPIs. These decisions don’t take into account the cost curve for identifying increasingly complex schemes and adversaries. Chris Baker explores the criminal’s cost model, covering research, data collection, and analysis from abuse identification, sinkholing, and crawling. This research was born out of a need to quantify the profitability of abusing Dyn’s services. Chris outlines a model built to answer the question of how quickly you need to respond to phishing abuse to make the activity unprofitable and shares lessons learned along the way.

Building the model involved developing some heuristics for identifying the abusive behavior, which established the known population. Chis explains how, from this point, he was able to leverage some sinkholing and corresponding interaction analysis to understand the volume of activity associated with the campaigns and number of clicks/visits over time, which shows how long the domain has been in the DNS, how many recursive resolvers have requested it, and how many IPs have attempted to connect to the host.

This data is good, but it needs to be paired with economic data that correspond to the value of the information being gathered—the phished credentials. What is the going price for a compromised Apple account? What is the value of a dollar in a compromised PayPal account compared to a “clean” dollar? Collecting observations to fuel values for these variables required crawling through sites and forums on both the clear Web and those hosted on overlay networks such as Tor Hidden Services and Dark Markets. This dataset helps establish understanding of the profitability for the criminal.

At this point, we have all the data and observations we need for a first pass. We know what services the criminals are abusing, we have observations of the amount of activity going to the phishing sites, we have multiple market values for the credentials they are collecting and expending purchasing services. . .we have a cost model. Chris shows how we can now contrast profitability of abuse of a platform with defensive investments that can help mitigate the abuse.

Photo of Chris Baker

Chris Baker


Chris Baker is an Internet cartographer, data analyst, and wanderlust researcher at Dyn, where he is responsible for an array of data analysis and research projects ranging from business intelligence to Internet measurements and communication analysis. Previously, Chris worked at Fidelity Investments as a senior data analyst. He graduated from Worcester Polytechnic Institute with a master’s degree in system dynamics and a bachelor’s degree in management of information systems and philosophy.