Victim-nomics: Estimating the “Costs” of Compromise
Should you pay now or pay later?
By: Rich Barger
Jan. 14, 2013 06:15 AM
Since launching ThreatConnect.com, Cyber Squared's Intelligence Support Team has become more effective in managing, analyzing and sharing our Threat Intelligence. While understanding the threat remains one of our core requirements, we have also begun to fill a key gap that we feel many within the industry are failing to address.
Providing effective Threat Intelligence requires more than characterizing the threat from a technical perspective. You must strike a balance between technical context and non-technical relevance to the victim. Industry report authors often admire the cyber espionage problem while showcasing their own technical talents. Unfortunately, these overly technical threat details are not easily interpreted or acted upon by today's non-technical business leaders, so the detail overwhelms the customer and distances them from the reality of the issue. It also reduces their ability to appreciate how an investment in Threat Intelligence can protect their business operations and strengthen their overall corporate risk mitigation strategy.
We researched the collective group of target organizations and found that the sum of the companies' annual revenues was approximately $54 billion. The relative size of each company and the specific industries involved give us insight into what the attackers' intelligence collection requirements may have been at the time of compromise.
In this use case, we made some assumptions based on the information available to us. Our first assumption was that the victim companies were likely committed to making a short- to mid-term investment in mitigating the immediate risk and eradicating the threat from their networks. Unfortunately, we had no data revealing the severity of the compromise, nor did we have access to the actual budgets or investments toward response and future threat mitigation that these companies may choose to make.
The cost of getting "RSA'ed":
One example that helped us put the scenario in perspective is the 2011 RSA breach. Between April and June 2011, RSA spent $66 million in the aftermath of a March 2011 APT breach, which also resulted in the compromise of information associated with RSA's SecurID two-factor authentication technology. It is important to note that the $66 million cleanup figure does not include the post-breach expenses from the first quarter of 2011, when EMC began investigating the breach, nor does it account for any long-term associated costs. EMC's 2011 earnings statement cited consolidated revenue of $20 billion, so the $66 million cleanup accounts for 0.33% of EMC's overall revenue. However, if we measure the same $66 million against RSA's own 2011 revenue of $828.2 million, the intrusion had a direct impact of 7.96% of RSA's 2011 revenue.
Irrespective of size, could these companies really all afford a 7.96% hit in response to a major enterprise breach? Considering that many of the victims are either publicly traded or provide direct support to U.S. Government funded programs, most would be compelled to notify various stakeholders, such as investors, the U.S. Securities and Exchange Commission, and their primary customers or government contract managers.
Based on our long-term understanding of this threat group, we are almost certain that a resourced, Chinese state-sanctioned or state-sponsored threat group is responsible for establishing and using the command and control infrastructure we have observed within ThreatConnect.com. We also conclude that the threat group is likely conducting economic espionage on behalf of an unknown Chinese benefactor who may be in a position to operationalize and monetize the information. What we do not know is who will employ the information, or when or how.
The targeted and persistent nature of the threat suggests that the threat actor knows what type of information it wants to acquire and is concentrating its collection on multiple victims within overlapping industries. Left unchecked, enterprise compromises could facilitate access to corporate intellectual property such as research and development, confidential corporate insights, and operational plans. Access to confidential information about the mining and metals industry, as well as U.S. defense aerospace, engineering and fabrication, could allow the attacker to manipulate markets, conduct restricted defense-related technology transfers, and/or obtain unfair advantages in international business or trade negotiations.
Although there are numerous variables that cannot be accounted for with the data available to us, we can apply a simple model based on the RSA data to our hypothetical scenario and begin to see what the financial and economic effects would be across ten companies of various industries and revenues. It is important to understand that the scenario outlined above is associated with a real threat group that has tailored its infrastructure and is likely exploiting these U.S. companies. Any associated enterprise exploitation would have a direct and indirect effect on each company's annual revenue. All of the threat data is real-world data collected and analyzed within ThreatConnect.com.
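To make the model concrete, here is an added Python example (not code from the original article or from Cyber Squared/ThreatConnect) that applies the RSA and EMC cleanup-to-revenue ratios quoted above to a constructed set of ten victims whose revenues sum to the article's $54 billion. The victim names, sectors and individual revenues are assumptions; only the RSA/EMC figures come from the article.

```python
"""Victim-nomics model: apply RSA's 2011 clean-up-to-revenue ratio to other victims.

Added example for this article; not Cyber Squared/ThreatConnect code.
The RSA/EMC figures are the ones quoted in the article; the ten victim
revenues are constructed so that they sum to the article's ~$54B aggregate.
"""
from dataclasses import dataclass

# 2011 figures quoted in the article (USD).
RSA_CLEANUP_USD = 66_000_000       # Q2 2011 post-breach spend (excludes Q1 and long-term costs)
RSA_REVENUE_USD = 828_200_000      # RSA business-unit revenue, FY2011
EMC_REVENUE_USD = 20_000_000_000   # EMC consolidated revenue, FY2011


def cleanup_ratio(cleanup_usd: float, revenue_usd: float) -> float:
    """Fraction of annual revenue consumed by the post-breach response."""
    if revenue_usd <= 0:
        raise ValueError("revenue must be positive")
    return cleanup_usd / revenue_usd


@dataclass(frozen=True)
class Victim:
    name: str
    sector: str
    revenue_usd: int


# Constructed sample: ten hypothetical victims. Names, sectors and revenues are
# assumptions, chosen only so that the revenues sum to the article's $54B.
SAMPLE_VICTIMS = [
    Victim("Victim-01", "defense aerospace", 15_000_000_000),
    Victim("Victim-02", "mining and metals", 10_000_000_000),
    Victim("Victim-03", "engineering", 8_000_000_000),
    Victim("Victim-04", "fabrication", 6_000_000_000),
    Victim("Victim-05", "defense aerospace", 5_000_000_000),
    Victim("Victim-06", "mining and metals", 4_000_000_000),
    Victim("Victim-07", "engineering", 3_000_000_000),
    Victim("Victim-08", "fabrication", 1_500_000_000),
    Victim("Victim-09", "defense aerospace", 1_000_000_000),
    Victim("Victim-10", "engineering", 500_000_000),
]


def estimate_costs(victims, ratio: float) -> dict:
    """Per-victim clean-up estimate from one clean-up-to-revenue ratio."""
    return {v.name: v.revenue_usd * ratio for v in victims}


def aggregate_range(victims) -> tuple:
    """Low/high aggregate estimate across all victims.

    The low bound uses the EMC (parent) denominator, the high bound the RSA
    (business-unit) denominator; which one applies depends on whether a victim
    is a stand-alone company or a unit of a larger parent. Because the $66M
    figure omits Q1 2011 and long-term costs, even the high bound is a floor.
    """
    total = sum(v.revenue_usd for v in victims)
    low = total * cleanup_ratio(RSA_CLEANUP_USD, EMC_REVENUE_USD)
    high = total * cleanup_ratio(RSA_CLEANUP_USD, RSA_REVENUE_USD)
    return low, high


def sector_totals(victims, ratio: float) -> dict:
    """Roll per-victim estimates up by sector for a non-technical briefing."""
    out = {}
    for v in victims:
        out[v.sector] = out.get(v.sector, 0.0) + v.revenue_usd * ratio
    return out


if __name__ == "__main__":
    hi = cleanup_ratio(RSA_CLEANUP_USD, RSA_REVENUE_USD)
    for name, cost in estimate_costs(SAMPLE_VICTIMS, hi).items():
        print(f"{name}: ${cost / 1e6:,.1f}M")
    for sector, cost in sector_totals(SAMPLE_VICTIMS, hi).items():
        print(f"{sector}: ${cost / 1e6:,.1f}M")
    low, high = aggregate_range(SAMPLE_VICTIMS)
    print(f"aggregate: ${low / 1e6:,.0f}M to ${high / 1e9:,.2f}B")
```

With the RSA denominator, the ten constructed victims face an aggregate response bill of roughly $4.3 billion; with the EMC denominator, roughly $178 million. Both are floors rather than ceilings, because the $66 million figure excludes the first-quarter investigation and all long-term costs.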