Flipping the economy of a Hacker
Palo Alto Networks partnered with the Ponemon Institute to answer a very specific question: what is the economic incentive for adversaries? Ponemon was chosen because it has a history of producing well-respected cybersecurity research, including its well-known annual “cost of a data breach” reports. The findings are based on surveys and interviews with cybersecurity experts, including current or former attackers. These are all individuals who live and breathe security, many of whom have conducted attacks. Nearly 400 individuals took part in the research, across the United States, Germany and the United Kingdom.

When you think about security research, most of the focus has been on how attackers get in, and the damage they cause once they are inside. We set out to approach this problem from a completely different angle: understand the economic motivations of an attack and the factors that influence them, and use this data to help organizations respond to attacks better. If we can remove the motivation, we can decrease the number of successful attacks. It is as simple as that.

You can download the full report from: http://media.paloaltonetworks.com/lp/ponemon/report.html and http://www.ponemon.org/library/flipping-the-economics-of-attacks

There are clear highlights that I believe can influence your understanding of attackers, and your ability to defend yourself from them:
To understand how to influence an attacker’s economic motivation, we must consider what I call the “adversary arithmetic,” which boils down to the cost of an attack versus the potential outcome of a successful data breach. If malicious actors are putting in more resources than they are getting out, or we decrease their profit, being an attacker becomes much less attractive. What we have seen is simple: more malware and exploits and more effective toolkits, combined with cheaper computing power, have lowered the “barrier to entry” for an attack, and resulted in the increase in attacks we covered in the last slide. Using the survey findings as a guideline, let’s walk through what we can do to reverse this trend.

It is a random mugging, not a robbery. The data suggests that the majority of adversaries are motivated by quick and easy financial gain. As opposed to a “movie script heist,” attackers are looking for opportunistic street “muggings” that take advantage of easy targets. About 69% of them are motivated by profit, and 72% of attacks are opportunistic.
Ponemon suggests that the financial motivation for profit is being supported by a decline in the cost of conducting an attack. 56% of respondents believed that the time and resources required to conduct successful attacks have gone down. This is the proof behind the cost curve, and why it is more important than ever to focus on increasing the cost. We cannot allow adversaries to maintain this “edge,” as they will continue to erode our trust in the Internet if we allow this to happen. Let’s look at the reasons behind this cost decrease. It is not enough to know that costs are decreasing; we must examine why this is occurring, in order to combat each reason. From the survey results, a few key facts bubble to the surface:
Toolkits automate the entire process, and have become increasingly sophisticated. They can be crafted to do essentially anything, and are usable by anyone without much technical skill. Dark Comet and Poison Ivy are two well-known examples, which have been used in some very high-profile attacks, including against Syrian activists and government organizations. They aren’t just for the “easy targets.”
Now that we understand how powerful these toolkits can be, let’s dive into the report findings on how they have evolved. The data here proves our hypothesis: toolkits are highly effective and make being an attacker much easier. Nearly 70% of respondents cited that using a toolkit makes it easier to be an attacker, with 64% saying they are highly effective. Given this, what is concerning is the scale at which they have been increasing in popularity, with 63% citing increased usage. Lastly, and most importantly, is their relatively low cost. With only $1,387 spent by attackers on average, we can see how they act as force multipliers in the threat landscape. It is also important to note that attackers ARE buying these. They are serious applications with developers, support, and an entire ecosystem behind them. There are even attackers following usage-based models for their software: rent a botnet, ransomware as a service. Consider how this compares with the enterprise software you use and purchase.

The survey found that the average attacker is making less than $30,000 on an annual basis! It literally doesn’t pay to be the bad guy, as this is about one quarter of the annual salary of a cybersecurity professional. There have been many cases of former attackers turning around and applying the skills they learned to help the security community. Not only this, but we have such a need for talented security operators that leveraging this group to help defend the network, rather than attack it, is good business for everyone. Think about pentesters who really know how to break into networks, or application security developers who know how to find vulnerabilities. You must also consider the legal risk of being an attacker, which can include large fines and jail time. The question we must ask is: how can we convert attackers into good guys? Paying them well is a good start.

Now we come to the most important finding in the report: how can we deter attacks?
Some of the findings may be surprising to you. Delaying an attacker by less than 2 days (40 hours) will deter 60% of attacks. Think about an average week, and how much of an impact this simple addition can have. They will give up and move on to the next opportunistic target after a relatively short time. Every single security control, policy, and training you deploy adds to how long it takes them to break in, and it all matters. It was surprising just how much time is the defining factor in changing the adversary’s arithmetic. As network defenders, the more we delay adversaries, the more resources they will waste, and the higher their cost will be. We can interrupt the march toward lower and lower cost attacks by taking a slightly different perspective on the problem.

Another finding is that companies rated as typical took less than 3 total days to breach (70 hours). This is HALF the time it takes for a well-protected organization, at 140 hours. Combine this finding with the 70% who will walk away when presented with a strong defense, and how adding 40 hours will deter 60% of attacks, and the adversary equation can begin to flip in the “good guys’” favor.

So now what? Based on the research, we know that attacks are increasing due to their decreasing cost, which has a number of important factors. We also know that attackers are motivated by profit. With that mindset, we need to think about this challenge through the lens of increasing the cost of attacks and decreasing their profit motivation. We have split this into three categories:
Richard, ISC Handler (173 Posts), Jul 20th 2016
$30k/year is not much in 1st-world countries, but what about in eastern Europe or Russia or Asia?
(I know it's quite good pay in most cities in China) Also, international hackers have less to fear from law enforcement as they're seldom caught and extradited.
Anonymous, Jul 20th 2016
Study funded by "next generation security" vendor finds that next generation security products can decrease made up security metric X by Y%, film at 11.
Anonymous, Jul 20th 2016
Certainly there is the possibility of bias in any research. The data behind the research is where to search for internal validity. It is why I question 'any' poll these days, according to what instrument, what questions? Did the questions pass an internal validity and instrument bias test?
familymed.uthscsa.edu/facultydevelopment/elearning/… A great read for those that want to really understand bias in research. I am neither defending nor condemning the research, but will go so far as to say Ponemon Institute does have a good reputation. ~Richard -- ISC Handler --
Richard, ISC Handler (173 Posts), Jul 20th 2016
For a long time, we've been hearing about the "defender's dilemma," whereby one envisions a single castle, a single defender, and a single attacker. The defender has to make sure that the entire perimeter of the castle is secure, while the attacker needs only find one weak point. But this report does highlight an interesting problem with that metaphor; the real situation is more like Eddie Izzard's jest about American perceptions of Europe:
"We've got tons of them. You think we all live in castles and we do. We've got a castle each. We're up to here with castles. We just long for a bungalow or something." And if an attack is motivated by profit, then this is a lot less like the defender's dilemma and a lot more like the joke about two people running from a bear. If the attacker who's standing outside your castle can see a weaker spot in someone else's wall, he's going to go over there instead. Sure, one of the two entities behind this report is a vendor; that's always reason to question the perspective, bias (I won't even say "potential bias"), and conclusions of something like this. But 1, the underlying premises all match with what I've seen elsewhere, 2, the final conclusions make complete sense to me, and 3, while Palo Alto definitely has a motive to produce something that drives their sales, Ponemon has an even stronger motive not to put their name on something that is skewed. Putting out a biased report is not part of Palo Alto's core business, but putting out trustworthy, objective reports IS Ponemon's core business. And just because a conclusion supports a vendor's product sales doesn't automatically mean it's wrong. And while the report's conclusions don't apply to the minority of attacks which are targeted and well-resourced, it also makes sense that keeping out the larger majority will improve the signal-to-noise ratio of security monitoring inside your environment, and that slowing down even a determined attacker will give you more opportunity to see them coming.
Rogueshoten (3 Posts), Jul 21st 2016
I had a chance to go to a seminar by Professor Nicolas Christin. Some of his work revolves around online crime and the motivators behind it. He has an awesome approach to answering some questions in this area. You should check out his two papers:
"Automatically Detecting Vulnerable Websites Before They Turn Malicious" (along with Kyle Soska) and "Traveling the Silk Road: A Measurement Analysis of a Large Anonymous Online Marketplace." I think these are good reads to go with this post, especially when it comes to the attackers' economic reasoning. It drives home how the techniques they use are more driven by money than one may realize.
briggzy (1 Post), Jul 21st 2016
There was no earth-shattering or completely new revelation or discovery here on top of what the security industry doesn't already know. Bias? There is always a bias of some sort; however, if you look at the statistics and what the conclusion suggests, you might see that a comprehensive approach, together with understanding the economics behind it, is not a bad way to solve this problem.
Etay (4 Posts), Jul 24th 2016