The economics of hacking: Change your thinking

If you saw the film Wall Street, you undoubtedly recall the iconic character Gordon Gekko famously stating, “what’s worth doing is worth doing for money.” This perspective is increasingly making its way into the philosophy and mindset of the modern cyber-security attacker (or “hacker,” if you prefer). There are numerous recent examples, perhaps none more attention-grabbing that the trend toward ransomware attacks against healthcare providers, including hospitals.

A variety of conditions are coming together to make hacking a financially fruitful activity, driving something of a shift in the percentages around cyber attack motives.

A closer look at attack motives

Motives have evolved in conjunction with the evolution of hacking organizations, from individual script kiddies to more organized, better-funded professional operations often tied into other illegal activities. That’s not to suggest that criminal financial gain is a new motive for attackers. The foundation of attack motives was largely laid down in 2011 by Richard Clarke, former cyber-security advisor to the White House, when he introduced the CHEW acronym, which characterizes attacks as follows:

Cybercrime – Criminal attacks are typically motivated by money. Large in number and present in virtually every country around the globe, these groups range in skill level from basic to advanced.

Hacktivism – Hacktivists are primarily motivated not by money but by a desire to protest or seek revenge against an entity. As with criminals, there are a large number of hacktivist groups. However, most of these groups have basic skills. A few “standout” individuals possess advanced skills and motivate a potentially larger set of followers.

Espionage – These attacks are aimed at acquiring secrets to support national security, to obtain economic benefit, or both. A growing number of countries have the ability to use cyber-attacks for espionage – and a larger array of groups is being “supported” or “tolerated” with such activities.

War (cyber) – The fourth, and arguably most nefarious, type of attack: Those motivated by a desire to destroy, degrade, or deny. A growing number of countries have the ability to use this form of “politics by other means.” Further, non-state actors seem poised to undertake cyber-attacks as a form of war.

As you can see, the notion of financially motived cyber-criminal activity has been recognized from the beginning. Let’s take a look and some of the factors making it more appealing than ever for hackers.

The economic conditions favoring hackers

If the simple question is “why are economically motivated cyber-attacks on the rise?,” the equally simple answer is “because it pays.” Based on some recent estimates, an exploit kit can bring in over $25,000 a month or more if it is proven to be particularly effective.

It’s well known that the Dark Web has entire botnets – systems of compromised computers available to launch attacks – that can be rented for as little as $50 per month. The Dark Web is a term used to describe some of the shadowy corners of the Internet that are invisible to search engines and require special software to access. They are the trading grounds for many of the tools and services used within the hacker community.

In many cases, however, hackers want to be DIYers, meaning they want to launch their own attacks rather than leverage an existing botnet. To do so, they acquire an existing tool set typically for as little as $20. These tool sets will include the base code for targeting and compromising a large set of computers, which then becomes that hacker’s botnet.

There are a few motivating factors here. First, one downside to the existing botnets for rent is that many of them are well-known by the security industry and as such the IP address of many of their bots has been added to blacklists and other reputational databases that block access. The other major motivation would be for hackers that are looking to build their own businesses around botnets, and then look to modify the code in the tool sets.

This approach would leave them with one additional cost before opening shop: bandwidth, particularly for launching volumetric attacks that seek to overwhelm systems with traffic. This is another cost factor that is steadily on the decline. From 2010 to 2015, the cost of transit bandwidth has dropped nearly 90 percent and individual organizations typically pay less than $10,000 per month for 1 Gbps. Most estimates expect these costs to continue to drop 30-40 percent a year, further supporting the hacker’s business case.

The unfavorable conditions facing attack targets

For any organization, the economics of security generally follow a logic along these lines: likelihood of attack/breach multiplied by the cost of attack/breach, divided by the cost of security to mitigate. Basically it’s very difficult to truly and accurately calculate.

We do have some insights from IT and information security professionals on what they believe these costs to be. In our 2016 Global Application & Network Security Report, respondents to the survey said they believed the financial impact of an attack on their organization to average less than $100,000 per attack. However, this input varies widely by industry; for example, the financial services industry (no stranger to these types of attacks) is four times more likely to believe an attack can create more than $10 million of damage.

There are multiple factors to consider when estimating the costs. Immediate loss of revenue is the common thought. But longer term impacts such as brand/reputational damage, loss of customer trust, and service level agreement violations can add up significantly. There’s also an even deeper level of costs starting to emerge for many organizations, driven by the trend to network-enable more and more aspects of the business. As the Internet of Things (IoT) expands its footprint, the net effect (pun intended) is that the costs start to shift beyond financial gain to include more emotional or ethical impacts.

Consider the case of some of the recent attacks on hospitals, where systems and data essential to clinical care were effectively held hostage with a demand for ransom. One aspect of some of these attacks that surprised many was the seemingly small ransom demands, in one case as low as $17,000 worth of Bitcoin. What hospital administrator wants to be the one who put the lives of patients at risk to avoid making such a paltry payment?

Turning the tables on the economics

In the face of these unfortunate economic conditions, there are a few steps to take. These efforts can help turn the tables on the unfair advantage the hackers seem to enjoy.

First, a key part of an advanced security strategy is to leverage automation capabilities, and in so doing, fight bots with bots. Considering the bot-driven threat landscape represents the most lopsided aspect of the threat equation, it is essential to implement automated security technologies that can adapt quickly and reduce the need to scale the human side of security in conjunction with the threats. Secondly, effective protection from bots requires advanced bot detection and mitigation capabilities.

Malicious actors have made an art form out of spoofing IP addresses to evade some of the IP-based blocking previously discussed. Organizations should look for solutions that use more advanced, IP-agnostic capabilities, such as device fingerprinting technology to keep up with this evolution in the threat landscape.

The final step is more of a philosophy than a specific tactical step. Considering the increased economic focus of attacks, the logical strategy for protection is to make one’s self an uneconomical target. Pushing past compliance-level security and exploring and implementing advanced technologies makes you a more expensive organization to breach or bring down, which in most cases will cause more automated bot-driven attacks to turn their attention elsewhere. Essentially, make your organization one that Gordon Gekko would pass up.