The Current Economics of Cyber Attacks
Ron Winward Security Evangelist October 17, 2016 What Are We Talking About
Historical Context
Does Hacking Pay?
Cyber A ack Marketplace
Economics of Defenses: Reality Check
2 Once Upon a Time…
3 Story of the Automobile Ideal economic condi ons help fuel and grow this industry
Be er Roads Assembly Line
Ideal Economic Condi ons Growth
4 Cyber Attacks Reaching a Tipping Point
More Resources More Targets More Mature Availability of low More high value, A level of maturity cost resources increasingly vulnerable that drives efficiency targets leads to more and ensures valuable informa on anonymity The economics of hacking have turned a corner!
5 Modern Economics of Cyber Attacks and Hacking
6 Do You Romanticize Hackers?
7 Reality of Today’s Hackers
May look more like this . . .
. . . than like this
8 Today’s Adversary: Not always the Lone Wolf
Structured organiza on with roles, focus Premeditated plan for targe ng, exfiltra on, mone za on of data/assets Mul -layered trading networks for distribu on, Source: HPE: the business of hacking obfusca on
Why? Because increasingly, CRIME PAYS!
9 Or Does It?
The average a acker earns approximately ¼ of the salary of an average IT employee The cost and me to plan a acks has decreased Be er access to be er tools makes a acks easier Remember: Nobody is trying to be “average”
10 Sophisticated Understanding of Value Mone zable criminal enterprise Credit Cards Medical Records Intellectual Property Creden als Vulnerabili es Exploits
11 The Economics of Web Attacks
Hacker steals US healthcare records 397,000 records from Georgia - 607.84 BTC / about $350,000 210,000 records from Central / Midwest US - 303.92 BTC / about $175,000 48,000 records from Missouri
- 151.96 BTC / about $87,000 Image Source: h ps://www.deepdotweb.com/2016/06/26/655000-healthcare-records-pa ents-being-sold/
12 The Economics of Web Attacks
Hacker steals $72M in BTC Bi inex is the 3rd largest Bitcoin exchange Hacker stole 119,756 BTC / $72M by breaching the exchange Breach caused a 20% decrease in trading value of BTC $3.5M reward for info leading to Image Source: h p://blockchain.info recovery
13 The Economics of DDoS
Commercial DDoS Services
Recent study found over 430 booter and stresser websites on the Clearnet For as li le as $6, people can anonymously order a 5-10 Gbps DDoS a ack las ng 10 minutes or
more Source: h p://booterblacklist.com/ Related Work:J. J. Santanna, R. de O. Schmidt, D. Tuncer, J. de Vries, L. Granville, and A. Pras. "Booter Blacklist: Unveiling DDoS-for-hire Websites” Interna onal Conference on Network and Service Management (CNSM). 2016.
14 The Economics of RDoS
Ransom a acks pay!
In Radware’s recent report, 1 in 7 say they’ve had ransom a acks in the past year In US, the average ransom paid was $7,520 In UK, the average ransom paid was ₤22,218
15 The Economics of RDoS
Fake ransom a acks also pay!
Armada Collec ve and Lizard Squad impersonators send ransom emails Warning shots par cularly useful They reportedly earned $100,000 with this wave of ransom le ers
16 Global Impact: Cyberwar and Espionage
NSA Hack “The Shadow Brokers” hack the NSA’s hacking team “Equa on Group” Highest bidder gets the tools but all other bidders “lose lose” If 1M Bitcoins are raised, the en re kit will be released publically (~ $572.4M)
17 Global Impact: Cyberwar and Espionage
Nega ve Impacts
NSA’s PRISM project leaked by Snowden Companies avoiding US providers to avoid spying ITIF study es mated a $35B loss to US companies from lost business Forrester es mated it at $180B!
18 The Cyber Attack Marketplace
19 What is the Cyber Attack Marketplace?
E-Commerce for criminals Mainly found on the Darknet Most markets are available to the public – Some require you to commit a crime for membership Currency of choice: Bitcoin
20 Why is it Attractive to Hackers?
Accessible Easy to Use Everything You Need Full marketplace As-a-Service Variety of vectors, Readily available op ons tools, lists and customized solu ons
21 Why is it Attractive to Hackers?
Accessible Easy to Use Everything You Need Full marketplace As-a-Service Variety of vectors, Readily available op ons tools, lists and customized solu ons
22 Your Marketplace of Choice
Variety of marketplaces available on Darknet: - HELL - Alphabay - Valhalla - Hansa - The Real Deal One click shopping experience for - DDoS services, Tools, PII lists
23 You Don‘t Need to Look Far Services on Hidden in legi mate Vendor area in Clearnet e-commerce sites hacker forums
Shenron, vDos, IRC setup, Preloaded A ack scripts, Amp lists, Bangstresser VPS, Botnet Hijacked accounts
24 And Vendors Market their Services
Stunt hacking Social media Forums Customer service Private offerings
25 Why is it Attractive to Hackers?
Accessible Easy to Use Everything You Need Full marketplace As-a-Service Variety of vectors, Readily available op ons tools, lists and customized solu ons
26 As A Service - Shenron Attack Tool
Lizard Squad‘s public stresser services $19.99 => 15Gb a ack for 1200 seconds
27 As A Service - vDos Attack Tool Was one of the most popular tools $19.99 would gain access to 216 Gbps A ack Network (Shared) Thirteen different vectors available
28 Custom Services
29 There Are Even Job Boards
30 …Where You Can Request Services
31 Why is it Attractive to Hackers?
Accessible Easy to Use Everything You Need Full marketplace As-a-Service Variety of vectors, Readily available op ons tools, lists and customized solu ons
32 Variety on the Darknet
DDoS as a Service Botnet Rental Malware/Ransomware Security/Hos ng Undisclosed Exploits Leaked Data/Fraud
33 Here‘s an interesting one...
34 Economics of Defense: Reality Check and Path Forward
35 The Economics of DDoS on our Businesses Cloud Premise People
CYBER INSURANCE Business
36 Security ROI: IT’s Holy Grail
37 Obstacles Have Stood in the Way
Defini on of “Return” can vary greatly by role Poor visibility into actual a ack ac vity un l it’s too late . . . i.e., breach or takedown A lack of understanding of whether or not they fit the a ackers’ profile Overlooking the actual costs of manual security solu ons Underes ma ng (or ignoring) the hidden costs of processing a ack traffic
38 How We Define “Return” May Depend on Role
Business Manager Revenue per hour x hours of down me per a ack x number of a acks
Risk Manager ALE (loss expectancy x number of a acks x likelihood of a ack)
Compliance Officer Cost of Penal es/Cost of Compliance (check box approach) Job security balancing act (need a acks to stay IT/Security Teams relevant/down me and breach cost me my job)
39 Tipping the Scales, Shifting the ROI Equation
Reduced Opportunity Cost of Manual Mi ga on Improved Efficiency of Net/App Infrastructure Compliance Security Budget Revenue/Brand Staff/Management Assurance
Return Opera onal Risk Investment/Cost Job Security Tipping the Scale in Favor of Security
40 Reduced Opportunity Cost of Manual Mitigation
Manual Signatures Automated Signatures
UP TO 30 WITHIN MINUTES SECONDS
Automa on can learn the anomaly and react faster than a human
41 More Efficient Net/App Infrastructure
How much do you spend over-provisioning for bad traffic?
42 Efficient Nets/Apps: Some Quick Math
How much would effec ve filtering save you in over-provisioning?
X% decrease in malicious traffic = X% reduc on in infrastructure over-investment
X% malicious traffic removed
43 Bringing it home…
44 History Repeating?
45 Cyber Security Reaching a Tipping Point
More Resources More Targets More Mature
• Investment in Automated, Adap ve Security Protec ons • Reduced Opportunity Cost of Manual Mi ga on • Improved Efficiency of Network/Applica on Infrastructure
46 Stay Focused. Be Prepared. Build your protec on strategy. Develop an incident response plan. Consider Automa on. Cover the Blind Spot. It has become necessary to Choose a solu on with the fight automated threats with widest coverage to protect automa on technology. from mul -vector a acks.
Simplify with Services. Have Visibility. Fully managed services will There are many tools (free provide the resources and and commercial) that will exper se needed to give you insigh ul data to combat today's a acks. a acks in your network.
47 48