Information Security News
Richard Porter --- ISC Handler on Duty
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Palo Alto Networks partnered with the Ponemon Institute to answer a very specific question: what is the economic incentive for adversaries?
Ponemon was chosen because they have a history of crafting well-respected cybersecurity research, including their well-known annual cost of a data breach reports. The findings are based on surveys and interviews with cybersecurity experts, including current or former attackers. These are all individuals who live and breathe security, many of whom have conducted attacks. Nearly 400 individuals were part of the research, across the United States, Germany and the United Kingdom.
When you think about security research, most of the focus has been on how attackers get in and the damage they cause once they are inside. We set out to approach this problem from a completely different angle: understand the economic motivations of an attack and the factors that influence them, and leverage this data to help organizations better respond to attacks. If we can remove the motivation, we can decrease the number of successful attacks. It is as simple as that.
You can download the full report from: http://media.paloaltonetworks.com/lp/ponemon/report.html and
I believe there are clear highlights that can influence your understanding of attackers, and your ability to defend yourself from them:
To understand how to influence an attacker's economic motivation, we must consider what I call the adversary arithmetic, which boils down to the cost of an attack versus the potential outcome of a successful data breach. If malicious actors are putting in more resources than they are getting out, or we decrease their profit, being an attacker becomes much less attractive. What we have seen is simple: more malware and exploits and more effective toolkits, combined with cheaper computing power, have lowered the barrier to entry for an attack, and resulted in the increase in attacks we covered in the last slide.
Using the survey findings as a guideline, let's walk through what we can do to reverse this trend.
It is a random mugging, not a robbery. Data suggests that the majority of adversaries are motivated by quick and easy financial gain. As opposed to a movie-script heist, attackers are looking for opportunistic street muggings that take advantage of easy targets. About 69% of them are motivated by profit, and 72% of the attacks are opportunistic.
Ponemon suggests that the financial motivation for profit is being supported by a decline in the cost of conducting an attack. 56% of respondents believed that time resources required to conduct successful attacks have gone down. This is the proof behind the cost curve, and why it is more important than ever to focus on increasing the cost. We cannot allow adversaries to maintain this edge; if we do, they will continue to erode our trust in the Internet. Let's look at the reasons behind this cost decrease.
It is not enough to know that costs are decreasing; we must examine why this is occurring in order to combat each reason. From the survey results, we see a few key facts bubble to the surface:
Toolkits automate the entire process, and have become increasingly sophisticated. They can be crafted to do essentially anything, and are usable by anyone, without much technical skill. Dark Comet and Poison Ivy are two well-known examples, which have been used in some very high-profile attacks, including against Syrian activists and government organizations. They aren't just for the easy targets.
Now that we understand how powerful these toolkits can be, let's dive into the report findings on how they have evolved.
The data here proves our hypothesis: toolkits are highly effective, and make being an attacker much easier. Nearly 70% cited that using a toolkit makes it easier to be an attacker, with 64% saying they are highly effective. Given this, what is concerning is the scale at which they have been increasing in popularity, with the study finding 63% cited increased usage. Lastly, and most importantly, is their relatively low cost. With only $1,387 spent by attackers on average, we can see how they can act as force multipliers in the threat landscape. It is also important to note that attackers ARE buying these. They are serious applications with developers, support, and an entire ecosystem out there. There are even attackers following usage-based models for their software! Rent a botnet, ransomware as a service. Consider how this compares with the enterprise software you use and purchase.
The survey found that the average attacker is making less than $30,000 on an annual basis! It literally doesn't pay to be the bad guy, as this is about one quarter of the annual salary of a cybersecurity professional. There have been many cases of former attackers turning around and applying the skills they learned to help the security community. Not only this, but we have such a need for talented security operators that leveraging this group to help defend the network, rather than attack it, is good business for everyone. Think about pentesters who really know how to break into networks, and application security developers who know how to find vulnerabilities.
You also must consider the legal risk of being an attacker, which can include large fines and jail time. The question we must ask is: how can we convert attackers into good guys? Paying them well is a good start.
Now we come to the most important finding in the report: how can we deter attacks? Some of the findings may be surprising to you. Delaying an attacker by less than 2 days (40 hours) will deter 60% of attacks. Think about an average week, and how much of an impact this simple addition can have. They will give up and move on to the next opportunistic target after a relatively short time period. Every single security control, policy, and training you deploy adds to how long it takes them to break in, and it all matters.
It was surprising just how much time is the defining factor in changing the adversary's arithmetic. As network defenders, the more we delay adversaries, the more resources they will waste, and the higher their cost will be. We can interrupt the march toward more and more lower-cost attacks by taking a slightly different perspective on the problem.
Another finding is that companies rated typical took less than 3 total days to breach (70 hours). This is HALF the time it takes for a well-protected organization, at 140 hours. Combine this finding with the 70% who will walk away when presented with a strong defense, and with how adding 40 hours will deter 60% of attacks, and the adversary equation can begin to flip in the good guys' favor.
Based on the research, we know that attacks are increasing due to their decreasing cost, which has a number of important factors. We also know that attackers are motivated by profit. With that mindset, we need to think about this challenge through the lens of increasing the cost of attacks and decreasing their profit motivation. We have split this into three categories: