12

Richard Bejtlich wrote in July 2009 the following:

"I submit that for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack."
(from http://taosecurity.blogspot.com/2009/06/black-hat-budgeting.html)

Questions:

Have the costs changed significantly? Why?
Are the costs going down or up? Why?
What are the costs to defend against a well-funded black hat team targeting your business? Is requesting government assistance the last line of defense against a well-funded team?

Scott Pack
Tate Hansen
  • I would say the hackers' salaries look pretty low assuming they are from developed countries. – Olivier Lalonde Nov 15 '10 at 06:41
  • @Olivier - Their salaries may be low, but they more than make up for it in "commissions" and "bonuses" I imagine. – Iszi Jan 29 '11 at 08:04
  • You don't state what the goal of this black hat team is. That will cause the cost to vary widely. Targeted attacks against a savvy attacker? Mass exploitation of easy targets? – Kurt Jun 20 '13 at 01:48
  • @Kurt, Richard's blog post inspired this question, and though now it is a bit dated, it was purposely kept non-specific. Richard's setup was "Let's start by defining the mission of this organization, called Project Intrusion (PI). PI is in 'business' to steal intellectual property from organizations and sell it to the highest bidders." – Tate Hansen Jun 20 '13 at 03:47

3 Answers

17

$2500 is all it takes to get a black-hat operation started

In 2009, it was reported that US banks lost more than $140M from Internet heists, as quickly as $10M in one 24-hour period.

I believe it is possible to start a criminal operation with as little as 2500 US dollars.

  • Cloud servers: 300 US dollars for 3 months
  • LAMP stack: 0 US dollars

  • Malware that can steal money from banks: 700 US dollars (ZeuS, although sub Meterpreter)

  • Web exploit delivery/management system: 800 US dollars (Fragus, although sub Drivesploit)
  • An affiliate system using advertising to drive traffic/eyeballs: 700 US dollars (or a nice SQLi or RFI botnet)

Total: 2500 US dollars

My proof

Brian Krebs runs articles on Security Fix focused on fraud. There are countless examples, but let me pick on this one regarding the county of Kentucky, who lost 415000 US dollars in 2009 to the exact situation I created above. This particular one involved 45 or so wire transfers in amounts just under 10000 US dollars. Considering mules were paid about 500 dollars each, and the whole operation involved 2-4 UKR scammers, you are still looking at a 391k score split 2-4 ways, with almost no investment other than the time to babysit the money mules and grease over the affiliates (oh and that initial 2500, lest I forget that!).

The skills of these scammers can also be very, very low. This isn't even college-level system administration. Anyone with a summer interest in Linux could get this operation going. Yes, there is also the money mule piece, which perhaps takes a good scammer with some experience and way above average charisma -- but we assume that at least one out of every 3 criminals already has these skills.

Go back to any of those articles and reverse engineer what you think it took the criminals/scammers to get their job done.

The Cost of Defense: 6-7 percent of IT budget

You've seen the cost of PCI DSS compliance numbers no doubt; ignore those for a second. Gartner says that the security budget should be in between 6 and 7 percent of the total IT budget. UMD professors Lawrence Gordon and Martin Loeb say not to spend more than 37 percent of the asset you are trying to protect.

Staff your org with incident handlers to the number of incidents

I say that we need to hire to the incidents. If you have 1-400 incidents a year, you are going to need somewhere in between 1-400 security incident handlers. Calculate the time involved in handling the incidents and hire accordingly. I am perfectly fine with staffing taking up the entire information security budget and so should your IT finance decision-makers. People play the most important role in an information security management program.

If you haven't had any incidents, perhaps now is a good time to hire an incident response and forensics / malware research company to come in and determine if you have actually had an incident or not (let's say this is a 20k one-time assessment). While that's going on, stay on the safe side and hire at least one FTE incident response manager (100k/year) -- especially assuming you have at least 250k worth of stuff to steal, or brand damage to be done.

Monitor your apps, systems, and networks

Hand your new incident response manager an OSSIM CDROM to install in an AMI instance or whatever. Email can be sent to his or her GMail/GApps account for all I care. The point is that most companies overspend on firewalls, VPNs, and "security server hardware". I think most companies would be better served with an open firewall and access-list policy, but using the bogon filters and FATF Blacklist as null routes on every router or system with a public IP (or NAT/PAT'd to one). Give the manager at least enough budget to cover the cost of TruArx for the year if there is no other risk management portal in place already.

Give risky job roles safe tools and awareness training

Finally, equip any worker that is handling financial, banking, or payment card information (or anything else with a severe data classification) with a freaking iMac or Mac Pro and training to go with it. Make sure they have to complete some sort of SaaS-based security policy and awareness training with providers such as Cornerstone OnDemand. This may in fact be the cheapest answer to the problem, but this is the TRUST not the VERIFY. The incident manager/team provides the verification. There have been reports of targeted malware inside large-installation Mac-centric companies, although they are not hit quite as bad on the drive-by-download frontal assault. If Win7 is required, then implement a rollback-before-every-transaction VM-guest strategy.

The Cost of Application Security Defense

The real expense comes if your company or organization doesn't buy COTS, but instead rolls their own code (or outsources app development). In this situation, things can get really expensive in the long-term if the org doesn't start a very thorough appsec program before the design and coding starts. Even then, most co-ordination with application security consulting companies costs at least 1-4 million dollars over 2-3 years. If you have 10M US dollars worth of applications to protect, this should be a no-brainer -- it's going to also increase the quality of the apps and your business intelligence. It is also where the Gartner IT spending strategy tends to fall down for information security management programs, especially considering that firewalls still take up over 50 percent (and some as high as 90 percent) of Fortune/Global 2000 security budgets.

atdre
  • I suppose the question was about one target, not some "mass-hack" operation. With what you have pointed out, I would suggest starting costs are $0. All equipment you have listed is also available for zero price. Sure, quality would not be the best, but that is only the starting point. And the weakest point remains human - you can invest a vast amount of money in defense, but the whole of security is only as strong as its weakest link. –  Nov 15 '10 at 14:44
  • Yes, but to criminals -- it doesn't matter if they start with mass-hack operations or single targets. What matters is that they get a spreadsheet with lists of money values that they could steal from (or have stolen from) with which to sort by. – atdre Nov 15 '10 at 14:55
  • Why are you recommending a Mac? Just because Macs represent a smaller part of the computer world does NOT mean it's bulletproof. For example: http://www.dvorak.org/blog/2010/03/26/71213/ and http://www.engadget.com/2008/03/27/pwn-2-own-over-macbook-air-gets-seized-in-2-minutes-flat/ . Linux is the only OS that's the most secure. – TheLQ Jan 09 '11 at 21:17
  • TheLQ: Metasploit and Exploit-DB do not agree with you, especially in the last few months. Linux is not security-friendly when it is also user-friendly. I never said Mac OS X was bulletproof, but it is less targeted and there are fewer exploits for it. – atdre Feb 19 '11 at 21:07
  • I would like to note that the price recently went down -- http://www.h-online.com/security/news/item/Professional-exploit-packs-freely-available-online-1249612.html -- Exploit kits are now free – atdre May 24 '11 at 15:48
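The answer above suggests null-routing bogon space on every router or host with a public IP as a cheap alternative to expensive firewall spend. The following is an added example, not code from atdre's answer or from the original page, showing what that amounts to in practice: parsing a prefix list, emitting Linux blackhole routes while excluding prefixes the host itself relies on, and checking a few connection-log lines for bogon sources. The prefix list is a constructed sample of the IANA-reserved IPv4 ranges a traditional bogon list covers (an assumption, not a list the page supplies), the log lines are constructed, and the `src=`/`dst=` key-value log format is assumed.

```python
"""Bogon null-route generator and log checker (added example, not from the page).

The prefix list is a constructed sample of reserved / unroutable IPv4 space.
A real deployment should pull a maintained bogon list and refresh it, since
previously unallocated space gets allocated and a stale list blocks real users.
"""
import ipaddress

# Constructed sample (assumption): the classic reserved ranges a bogon list covers.
BOGON_PREFIXES = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # shared address space (CGNAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # RFC 1918
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved / future use
]

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = [
    "2010-11-15T14:44:01Z action=accept src=10.0.0.5 dst=172.32.0.2 dport=443",
    "2010-11-15T14:44:02Z action=accept src=172.32.0.1 dst=172.32.0.2 dport=443",
    "2010-11-15T14:44:03Z action=accept src=203.0.113.9 dst=172.32.0.2 dport=22",
    "2010-11-15T14:44:04Z action=accept src=11.22.33.44 dst=172.32.0.2 dport=80",
    "2010-11-15T14:44:05Z action=accept src=100.64.1.1 dst=172.32.0.2 dport=25",
]


def parse_prefixes(lines):
    """Parse CIDR strings, skipping blanks and '#' comments.

    strict=True makes a host bit set inside the prefix (e.g. 10.0.0.1/8) an
    error instead of silently widening the route to the whole /8.
    """
    nets = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        nets.append(ipaddress.ip_network(text, strict=True))
    return nets


NETS = parse_prefixes(BOGON_PREFIXES)


def is_bogon(ip, nets):
    """True if the address falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def blackhole_commands(nets, keep=()):
    """Emit Linux `ip route add blackhole` lines, one per prefix.

    Prefixes overlapping anything in `keep` are skipped: a host that blackholes
    127.0.0.0/8 or the RFC 1918 range it sits in cuts off its own traffic.
    """
    keep_nets = [ipaddress.ip_network(k, strict=False) for k in keep]
    cmds = []
    for net in nets:
        if any(net.overlaps(k) for k in keep_nets):
            continue
        cmds.append(f"ip route add blackhole {net.with_prefixlen}")
    return cmds


def flag_bogon_sources(log_lines, nets):
    """Return (line_number, src) for every log line whose src= is in bogon space.

    Unparsable addresses are reported rather than dropped, since a log field
    that is not an IP at all is itself worth a look.
    """
    flagged = []
    for lineno, line in enumerate(log_lines, 1):
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        src = fields.get("src")
        if src is None:
            continue
        try:
            if is_bogon(src, nets):
                flagged.append((lineno, src))
        except ValueError:
            flagged.append((lineno, f"unparsable:{src}"))
    return flagged


if __name__ == "__main__":
    for cmd in blackhole_commands(NETS, keep=["127.0.0.0/8"]):
        print(cmd)
    for lineno, src in flag_bogon_sources(SAMPLE_LOG, NETS):
        print(f"line {lineno}: bogon source {src}")
```

Two caveats a practitioner would want alongside the answer's suggestion. A blackhole route only discards packets *destined* for the prefix, so it stops your hosts from answering spoofed bogon sources but does not by itself drop inbound packets from them; that needs an ingress ACL (on Linux, an `iptables -s` rule) in addition to the route. And the list must be refreshed: the reserved ranges above are stable, but the "full" bogon lists that also cover unallocated space go stale as that space is allocated, and a stale list silently blocks legitimate networks. On Cisco IOS the equivalent of each line is `ip route <network> <mask> Null0`.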
6

Generally, it depends on the final goal - who the target is and what the terms are. I suppose nothing has drastically changed since what Richard Bejtlich was talking about. Anyway, there is another good presentation from Charlie Miller about a cyber army, defense and attack investigation: https://www.defcon.org/html/links/dc-archives/dc-18-archive.html (Kim Jong-il and Me: How to Build a Cyber Army to Defeat the U.S.).

4

Interestingly, based on the team I ran for the last couple of years, a million could happily fund a reasonably successful attack on any major corporate entity, government department or agency.

The $10M heist that atdre referenced cost the attackers around $180k, based on some reasonable assumptions on the payoffs to the team including techies, mules, grunts etc. And broadly speaking, that should have been successful, if it wasn't for the usual "loose lips sink..." etc - but that was an attack on low hanging fruit + some reasonably clever work around account limits.

You can attack for much less than that, but if you want it to be successful, then you need some reasonable intelligence. $750k to $1M is a good ballpark, covering decent zero-day research, scanning teams, attack, money movement etc.

Rory Alsop