The Current Economics of Cyber Attacks

Ron Winward Security Evangelist October 17, 2016 What Are We Talking About

Historical Context

Does Hacking Pay?

Cyber Aack Marketplace

Economics of Defenses: Reality Check

2 Once Upon a Time…

3 Story of the Automobile Ideal economic condions help fuel and grow this industry

Beer Roads Assembly Line

Ideal Economic Condions Growth

4 Cyber Attacks Reaching a Tipping Point

More Resources More Targets More Mature Availability of low More high value, A level of maturity cost resources increasingly vulnerable that drives efficiency targets leads to more and ensures valuable informaon anonymity The economics of hacking have turned a corner!

5 Modern Economics of Cyber Attacks and Hacking

6 Do You Romanticize Hackers?

7 Reality of Today’s Hackers

May look more like this . . .

. . . than like this

8 Today’s Adversary: Not always the Lone Wolf

Structured organizaon with roles, focus Premeditated plan for targeng, exfiltraon, monezaon of data/assets Mul-layered trading networks for distribuon, Source: HPE: the business of hacking obfuscaon

Why? Because increasingly, CRIME PAYS!

9 Or Does It?

The average aacker earns approximately ¼ of the salary of an average IT employee The cost and me to plan aacks has decreased Beer access to beer tools makes aacks easier Remember: Nobody is trying to be “average”

10 Sophisticated Understanding of Value Monezable criminal enterprise Credit Cards Medical Records Intellectual Property Credenals Vulnerabilies Exploits

11 The Economics of Web Attacks

Hacker steals US healthcare records 397,000 records from Georgia - 607.84 BTC / about $350,000 210,000 records from Central / Midwest US - 303.92 BTC / about $175,000 48,000 records from Missouri

- 151.96 BTC / about $87,000 Image Source: hps://www.deepdotweb.com/2016/06/26/655000-healthcare-records-paents-being-sold/

12 The Economics of Web Attacks

Hacker steals $72M in BTC Biinex is the 3rd largest exchange Hacker stole 119,756 BTC / $72M by breaching the exchange Breach caused a 20% decrease in trading value of BTC $3.5M reward for info leading to Image Source: hp://blockchain.info recovery

13 The Economics of DDoS

Commercial DDoS Services

Recent study found over 430 booter and stresser websites on the Clearnet For as lile as $6, people can anonymously order a 5-10 Gbps DDoS aack lasng 10 minutes or

more Source: hp://booterblacklist.com/ Related Work:J. J. Santanna, R. de O. Schmidt, D. Tuncer, J. de Vries, L. Granville, and A. Pras. "Booter Blacklist: Unveiling DDoS-for-hire Websites” Internaonal Conference on Network and Service Management (CNSM). 2016.

14 The Economics of RDoS

Ransom aacks pay!

In Radware’s recent report, 1 in 7 say they’ve had ransom aacks in the past year In US, the average ransom paid was $7,520 In UK, the average ransom paid was ₤22,218

15 The Economics of RDoS

Fake ransom aacks also pay!

Armada Collecve and Lizard Squad impersonators send ransom emails Warning shots parcularly useful They reportedly earned $100,000 with this wave of ransom leers

16 Global Impact: Cyberwar and Espionage

NSA Hack “The Shadow Brokers” hack the NSA’s hacking team “Equaon Group” Highest bidder gets the tools but all other bidders “lose lose” If 1M are raised, the enre kit will be released publically (~ $572.4M)

17 Global Impact: Cyberwar and Espionage

Negave Impacts

NSA’s PRISM project leaked by Snowden Companies avoiding US providers to avoid spying ITIF study esmated a $35B loss to US companies from lost business Forrester esmated it at $180B!

18 The Cyber Attack Marketplace

19 What is the Cyber Attack Marketplace?

E-Commerce for criminals Mainly found on the Darknet Most markets are available to the public – Some require you to commit a crime for membership Currency of choice: Bitcoin

20 Why is it Attractive to Hackers?

Accessible Easy to Use Everything You Need Full marketplace As-a-Service Variety of vectors, Readily available opons tools, lists and customized soluons

21 Why is it Attractive to Hackers?

Accessible Easy to Use Everything You Need Full marketplace As-a-Service Variety of vectors, Readily available opons tools, lists and customized soluons

22 Your Marketplace of Choice

Variety of marketplaces available on Darknet: - HELL - Alphabay - Valhalla - - The Real Deal One click shopping experience for - DDoS services, Tools, PII lists

23 You Don‘t Need to Look Far Services on Hidden in legimate Vendor area in Clearnet e-commerce sites hacker forums

Shenron, vDos, IRC setup, Preloaded Aack scripts, Amp lists, Bangstresser VPS, Botnet Hijacked accounts

24 And Vendors Market their Services

Stunt hacking Forums Customer service Private offerings

25 Why is it Attractive to Hackers?

Accessible Easy to Use Everything You Need Full marketplace As-a-Service Variety of vectors, Readily available opons tools, lists and customized soluons

26 As A Service - Shenron Attack Tool

Lizard Squad‘s public stresser services $19.99 => 15Gb aack for 1200 seconds

27 As A Service - vDos Attack Tool Was one of the most popular tools $19.99 would gain access to 216 Gbps Aack Network (Shared) Thirteen different vectors available

28 Custom Services

29 There Are Even Job Boards

30 …Where You Can Request Services

31 Why is it Attractive to Hackers?

Accessible Easy to Use Everything You Need Full marketplace As-a-Service Variety of vectors, Readily available opons tools, lists and customized soluons

32 Variety on the Darknet

DDoS as a Service Botnet Rental Malware/ Security/Hosng Undisclosed Exploits Leaked Data/Fraud

33 Here‘s an interesting one...

34 Economics of Defense: Reality Check and Path Forward

35 The Economics of DDoS on our Businesses Cloud Premise People

CYBER INSURANCE Business

36 Security ROI: IT’s Holy Grail

37 Obstacles Have Stood in the Way

Definion of “Return” can vary greatly by role Poor visibility into actual aack acvity unl it’s too late . . . i.e., breach or takedown A lack of understanding of whether or not they fit the aackers’ profile Overlooking the actual costs of manual security soluons Underesmang (or ignoring) the hidden costs of processing aack traffic

38 How We Define “Return” May Depend on Role

Business Manager Revenue per hour x hours of downme per aack x number of aacks

Risk Manager ALE (loss expectancy x number of aacks x likelihood of aack)

Compliance Officer Cost of Penales/Cost of Compliance (check box approach) Job security balancing act (need aacks to stay IT/Security Teams relevant/downme and breach cost me my job)

39 Tipping the Scales, Shifting the ROI Equation

Reduced Opportunity Cost of Manual Migaon Improved Efficiency of Net/App Infrastructure Compliance Security Budget Revenue/Brand Staff/Management Assurance

Return Operaonal Risk Investment/Cost Job Security Tipping the Scale in Favor of Security

40 Reduced Opportunity Cost of Manual Mitigation

Manual Signatures Automated Signatures

UP TO 30 WITHIN MINUTES SECONDS

Automaon can learn the anomaly and react faster than a human

41 More Efficient Net/App Infrastructure

How much do you spend over-provisioning for bad traffic?

42 Efficient Nets/Apps: Some Quick Math

How much would effecve filtering save you in over-provisioning?

X% decrease in malicious traffic = X% reducon in infrastructure over-investment

X% malicious traffic removed

43 Bringing it home…

44 History Repeating?

45 Cyber Security Reaching a Tipping Point

More Resources More Targets More Mature

• Investment in Automated, Adapve Security Protecons • Reduced Opportunity Cost of Manual Migaon • Improved Efficiency of Network/Applicaon Infrastructure

46 Stay Focused. Be Prepared. Build your protecon strategy. Develop an incident response plan. Consider Automaon. Cover the Blind Spot. It has become necessary to Choose a soluon with the fight automated threats with widest coverage to protect automaon technology. from mul-vector aacks.

Simplify with Services. Have Visibility. Fully managed services will There are many tools (free provide the resources and and commercial) that will experse needed to give you insighul data to combat today's aacks. aacks in your network.

47 48