Let’s say you have $10 to start and someone offers you a game:

Heads you win $2 and Tails you pay $1.

How likely is it that you lose money?

I made a small python notebook to demonstrate. First, we have a random binomial distribution (1 or 0) of 10 items to represent 10 coin flips. Starting with $10 in the “bank”, I ran the simulation 10 times to simulate playing 10 games of 10 coin flips.

You can see that despite the more favorable payout on a 50% probability of heads, it is still possible to end up in a scenario where we lose money at least half the times played.

Time Probability != Ensemble Probability

The reason this phenomenon arises is that most have learned and think about probability in terms of the % of times a coin will land on heads or tails. This is referred to as the ensemble probability or the probability a coin will land on heads of a single flip across many copies of the same world.

The time probability represents the probability we will end up in a certain state over a period of time. In the above example, there are 5 games where we actually lost money despite the payout for heads being double the loss for tails.

How Does This Apply to Cybersecurity?

It is critically important that we understand the difference between time probability and ensemble probability when making any type or probability or likelihood estimate for a particular threat.

This is because it is easy to fall into the fallacy of thinking in a way of “this has a 1% probability of occurring because out of 100 attackers I expect 1 to exploit it”. This creates a huge fallacy because it's just not how reality works.

In the real world, the baseline probability of exploitation for a threat (P(E)) is going to be:

P(E) = 1/Ω(M)

Where Ω represents the possibility space of a message (M). More explicitly the set of Ω can be visualized as an array containing all possible string combinations of M. For an HTTP request, it would be all permutations of a valid HTTP request with all methods, payloads, headers etc. enumerated.

This represents the ensemble probability that any given message M is going to exploit the threat. This is an insanely low number.

However, the time probability comes into play here and anyone who has cracked passwords or brute forced logins probably has picked up on this by now.

An attacker is limited by time, T, for which they can send a message, M, to service, S.

This means that the time probability of exploitation (P(E)) is going to be:

P(E) = T / Ω(M) where each unit of T corresponds to 1 element of Ω(M).

Heartbleed as a Concrete Example

Disposing with the mathematical jargon I am probably butchering, Heartbleed demonstrates the difference between ensemble and time probability.

Heartbleed allowed for an arbitrary memory read of remote systems using OpenSSL. This went undiscovered for years.

buffer = OPENSSL_malloc(1 + 2 + payload + padding);

A simple ensemble probability of finding the offending line would be this line divided by all lines in the codebase. This would yield a fairly low number (1/5719 according to wc -l and the git repo).

However, as we found out, the time probability of Heartbleed was increasing towards 1 with time.

Takeaways

First, as I have said in my previous post on Risk, The False Prophet of Cybersecurity, we should avoid using probability as a primary variable in our decision-making because it’s unknowable for one-off events.

However, we can gain less-noisy information about relative probability using tools from statistics and graph theory. In cases where you wish to take on the risk of a probability calculation, you must always focus on time probability and not ensemble probability. This is because by increasing time T an attacker can vastly increase the probability of exploitation of a target, even if they have to brute force, fuzz service interfaces, or crack passwords in order to move on to their target node.