Total Cost of 0wn3r$h!p

By Colby Clark

It is becoming both difficult and boring to keep up with all of the breaches hitting the headlines these days. It is difficult because of the ever-increasing volume and boring because it is generally a rinse-and-repeat of the same methods of exploitation used again and again across companies.

I am always hoping to see something new, hoping that the bad guys had to do something exotic to get in. But usually companies get compromised because of a combination of lack of patches, lack of visibility and lack of access controls. Attackers seldom bring their “A” game, simply because they don’t need to. Generally all it takes is social engineering, persistence, recycling similar attack methods and maybe some freshly packed malicious code to avoid the risk of AV detection. Voila! You have a recipe for the next big breach!

Further, the bad guys are so successful that it is changing entire economies and creating what is probably the most successful industry in world history. Think about it. The barrier to entry is low, there are plenty of easily accessible and often free tools and other resources to assist you, and it is a lot less work for a lot more money than doing something legitimate.

People often ask, “If they are going to go through all this effort, why don’t they start a real business?!” Well, the answer is simple: it doesn’t pay as well, and it is a lot more effort. If one is in the business to make money and has no scruples, cybercrime is definitely where it’s at. Where else are you going to find a gig where you can charge up credit cards en masse until they get maxed out or shut down, with little or no out-of-pocket money on your part?

When you combine the massive ROI of cybercrime and the extremely cheap labor force in countries that get a large share of the blame for it (like China), it is really easy to staff a huge cyber army and “offer” dedicated, advanced persistent threat “service” to every meaningful company on the globe. Let’s look at the finances of that. As of 2013, the average wage in China was about $84 per week, and it is estimated that cyber-attacks from China cost the U.S. economy as much as $2 trillion in lost and stolen property.

How many people can you hire and what kind of technology could you develop with that kind of business model? And, think about the scale of trying to defend against it.

The bad guys are essentially building a shopping mall. We will call it the mall of badness. In the mall of badness, you have access to every company of interest in the U.S. and abroad. They have the funding, the manpower and the technology to gain access to every organization of interest and to use this access for their own purposes or to grant access to others who would like to obtain it for whatever reason.

There are lots of estimates out there regarding how many companies are compromised (or 0wn3d). Estimates usually range from 80% to 97% of companies being or having been compromised. Based on my experience, that sounds about right. We perform hundreds of incident response investigations and scores of proactive breach discovery investigations each year, and the number of companies that show no sign of compromise is next to nothing. At this point, I pretty much assume that every company is compromised, and the main difference between them is whether they know it and have the visibility to identify it.