It Doesn’t Matter Who Is Doing It, Find out How It’s Getting Done
In an effort to expose and clarify the cost challenge of cyber criminals, Deloitte’s cyber risk services practice released today a threat study titled, “Black Market Ecosystem: Estimating the cost of ownership.” The study reinforces that attackers can execute a cyber attack for as little as $34 per month compared to the extraordinarily high impact and associated expense, thousands to millions of dollars, incurred by a victimized organization that needs to remediate and recover from it.
The study looks at cyber-crime from a business perspective using the most common and popular hacking tools, services and enablers, and seeks to answer questions such as:
- What are the most commonly used tools and services sold on underground markets?
- What are the average estimated costs of these tools and services?
- Which tools are required to operate real world criminal businesses?
- What are the estimated operating costs of various cyber-criminal businesses?
“If you haven’t noticed, criminals don’t file tax returns. And while challenging, it’s still important to be able to review and compare these criminal businesses to help identify which exploits are the most affordable and lucrative for them to pursue — both from a cost of entry and routine operations standpoint,” said Keith Brogan, managed threat services leader for Deloitte cyber risk services, and managing director with Deloitte & Touche LLP. “There’s a definite correlation to the investment level in terms of a sum cost. You have to spend money to make money even as a criminal.”
Deloitte estimates that some common criminal businesses can be operated for as little as $34 month and could return $25,000, while others may routinely require nearly $3,800 a month and could return up to $1 million per month. For example, phish kits continue to be the overall most affordable approach both in terms of low estimate and average cost, while banking trojans are costlier, on average. A multiple payload campaign, unsurprisingly, is potentially the most expensive criminal business modeled in the study. For every category of criminal, a product almost certainly exists which caters to their needs. The cost of these products does not necessarily correlate to the skill level of the threat actors who purchase them. Regardless, all are extraordinarily low cost compared to the resulting impact to the compromised organization.
The ingenuity of cyber-criminals practically guarantees that there are always exceptions to the findings, but organizations need to have some level of understanding as to how these incidents are occurring to effectively shift their cybersecurity posture. The impact of a cyberattack as experienced by the compromised organization is, in many ways, intangible and more difficult to quantify. This includes costs associated with loss of intellectual property (IP) or contracts, operational disruption, credit rating impact, or damage to the value of a trade name. Still, in dollars and cents, it is widely reported that the cost of a data breach is upwards of $4 million to an organization with the potential to cost hundreds of millions even billions of dollars in long-term resulting impact. The ratio of low cost to high impact and ease of access for the adversary, will continue to attract the novice criminal to the sophisticated attacker.
“In the realm of cyber everywhere, companies will only continue to introduce more digital innovations, which will require them to also continuously adopt and adapt cybersecurity measures commensurate with the growing threats they’ll face,” said Andrew Morrison, strategy, defense and response leader for Deloitte cyber risk services and principal with Deloitte & Touche LLP. “Cyberattacks are inevitable but the extent of their damage is not. Organizational transformation is needed to reprioritize and refocus investments on mitigating likely outcomes, based on a broad understanding of attackers’ motives and the ability to anticipate high-impact scenarios.”
The overall takeaway is that organizations should be monitoring with well-developed and well-defined use-cases driven by priority-based threat intelligence, and knowledge of the underground economy. Continuous monitoring can allow them to better detect and prevent malicious activity within the enterprise environment. Monitoring and tuning security controls based on tactics, techniques and procedures (TTPs) derived from threat intelligence — rather than atomic indicators — can have a direct impact on the underground market by forcing threat actors to reinvent their operations from scratch, which can take significant amounts of time, effort and money; and ultimately challenge the adversary’s cost-benefit scenario.
As part of Deloitte Risk and Financial Advisory‘s cyber risk services practice, threat intelligence and analytics solutions help organizations build and mature their threat intelligence capabilities by incorporating proactive insights into the cyber threat management ecosystem. Cyber adversaries exploit the unprecedented complexity and reality of today’s cyber everywhere environment. The ability to detect attacks is not a purely technical effort. It requires continuous awareness of threats on the horizon and the ability to distill vast amounts of data into practical, actionable insights for both business and technical teams. Deloitte’s cyber risk services practice helps organizations lead in a complex cyber landscape, navigate the risks and opportunities, and disrupt with innovative technologies to emerge stronger and more secure.