Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M?

Transcription

1 Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M? Joshua Corman Akamai Technologies David Etue SafeNet Session ID: GRC-202 Session Classification: Intermediate

2 About Joshua Corman Director of Security Intelligence for Akamai Technologies Former Research Director, Enterprise Security [The 451 Group] Former Principal Security Strategist [IBM ISS] Industry: Expert Faculty: The Institute for Applied Network Security (IANS) 2009 NetworkWorld Top 10 Tech People to Know Co Founder of Rugged Software BLOG: Things I ve been researching: Compliance vs Security Disruptive Security for Disruptive Innovations Chaotic Actors Espionage Security Metrics 2

3 About David Etue Vice President, Corporate Development Strategy, SafeNet Former Cyber Security Practice Lead [PRTM Management Consultants] (now PwC) Former VP Products and Markets [Fidelis Security Systems] Former Manager, Information Security [General Electric Company] Industry: Expert Faculty: The Institute for Applied Network Security (IANS) Leads Washington Relations for Cyber Security Forum Initiative Certified Information Privacy Professional (CIPP/G) Cyber things that interest me: Adversary innovation Social media security Applying intelligence cycle / OODA loop in cyber Supply chain security 3

4 Agenda Why ROI and ROSI has failed us Adversary ROI Categorizing Threat Actors Application in the Real World

5 Why ROI and ROSI has failed us 5

6 How We Got Here A well managed Info/Cyber/Security/Assurance program requires intelligent allocation of scarce resources we can not protect everything Most organizations, especially large corporations, use Return on Investment (ROI) to make investment decisions ROI gave us a framework to talk to non-security people about the benefits of security investments 6

7 Why ROI failed ROI= Expected Returns Cost of Investment Cost of Investment at Net Present Value for an organization s required Rate of Return Seems simple, but how many people are experts in time value of money AND the OSI model? Typically applied in a vacuum Is a subscription or a perpetual license better? No actual gains the organization doesn t often profit from security investments Doesn t determine efficacy of security investment or commensurate investment levels 7

8 Does The Club have great ROI? No Help For Image from mroach on flickr Image from mlinksva on flickr 8

9 From the Failure of ROI comes ROSI Return on Security Investment (ROSI) created as a well intentioned way to apply risk metrics to ROI ROSI = ( Risk Exposure % Risk Mitigated ) Solution Cost Solution Cost Problems: Attack surface is approaching infinity (which is not a real number) Risk Mitigated can be both subjective and objective Practical application is: 9

10 Examples of Failures... 10

11 Thought Provoking Question: How Much Would You Spend To Protect This Bike? 11

12 The Adversary Doesn t Care About Your ROI/ROSI Adversaries don t care if you spend 4% or 12% of your IT budget on security Adversaries are object oriented Adversaries care if *they* can get a return on investment from an attack, not you 12

13 Adversary ROI 13

14 Why Adversary ROI Current approaches have too much focus on vulnerability Our attack surface is approaching infinity We cannot prioritize what to protect Adversaries have scarce resources too 14

15 Adversary ROI Came About By Looking at Risk A risk requires a threat and a vulnerability that results in a negative consequence Current State Proposed State? Threat Vulnerability Consequence We have finite resources, and must optimize the entire risk equation for our success!

16 Solely Managing Vulnerabilities Will Never Win New Vulnerability Vendor Starts Solution Development Technology Solution Available Declared Best Practice Added to Compliance Regulations Attacker Adoption Defender Adoption 0 Early Adopters Early Adopters Early Majority Late Majority Laggards Extensive Lag Between Attack, Innovation, Solution, and Adoption 16

17 What is a Threat? A Threat is an Actor with a Capability and a Motive Threats Are A Who, Not a What

18 Consequences: Value & Replaceability 18

19 Value Favors the Attacker Are you prepared to address a funded nation state targeting your highest value intellectual property? Attacker Gains Typical IT Security Budget (1-12% of IT Budget) Public Sensitive Highly Replicable Sensitive Irreplaceable Information Classification 19

20 The Adversary ROI Equation Adversary ROI = ( ( Value of Assets Compromised + ) Cost of ) Attack Value Adversary Value of Operational Impact - the Attack Cost of the Attack X Probability of Success - Deterrence Measures (% Chance of Getting Caught x Cost of Getting Caught)

21 How the Adversary Thinks About the Bike Top 10 Cities for Bike Theft According to Kryptonite OR 21

22 Why Adversary ROI In 2011, the single greatest factor in a the success of a breach was who was targeting you? 22

23 Categorizing Threat Actors 23

24 Dogma: You Don t Need To Be Faster Than the Bear 24

25 A Modern Pantheon of Adversary Classes Actors States Competitors Organized Crime Script Kiddies Terrorists Hactivists Insiders Auditors Motivations Financial Industrial Military Ideological Political Prestige Impacts Reputational Personal Confidentiality Integrity Availability Targets Credit Card #s Web Properties Intellectual Property PII / Identity Cyber Infrastructure Core Business Processes 25

26 Script Kiddies Skiddie Prestige/Profit Confidentially, Reputation CCN/Fungible 26

27 Organized Crime Organized Crime Profit Confidentially, Reputation CCN/Fungible 27

28 Espionage: Adaptive Persistent Adversaries State/Espionage Industrial/Military Confidentially, Reputation Intellectual Property Trade Secrets Infrastructure 28

29 Hactivists Chaotic Hactivist Ideological and/or LULZ Availability Reputation Personal Web Properties Personal/Family Exposure 29

30 Auditors Auditor QSA Profit Distraction Fines Credit Card #s 30

31 Compare and Contrast Threat Actors QSA Casual Attacker Chaotic Actor Org Crime State APT/APA Asset Focus CCNs CCNs Reputation, Dirty Laundry DDoS/Availabi lity CCNs Banking Fungible $ IP, Trade Secrets, National Security Data Timeframe Annual Anytime Flash Mobs Continuous Long Cons Target Stickiness NA LOW HIGH LOW HIGH Probability 100% MED? HIGH? Impact Annual $ 1 and done Relentless Varies Varies

32 Attacker Power - HD Moore s Law Moore s Law: Compute power doubles every 18 months HDMoore s Law: Casual Attacker Strength grows at the rate of MetaSploit

33 HDMoore s Law Success Rate (%) Adversary Classes Espionage Organized Crime APT/APA Chaotic Actors Organized Casual Crime Attacker Anon/Lulz Auditor/Assessor Casual QSA 10 x Defender SecureOns

34 HDMoore s Law (continued) HDMoore s Law Success Rate (%) Adversary Classes Espionage Organized Crime APT/APA Chaotic Actors Organized Casual Crime Attacker Anon/Lulz Auditor/Assessor Casual QSA 10 x Defender SecureOns

35 HDMoore s Law (continued) HDMoore s Law Success Rate (%) Adversary Classes Espionage Organized Crime APT/APA Chaotic Actors Organized Casual Crime Attacker Anon/Lulz Auditor/Assessor Casual QSA 10 x Defender SecureOns

36 HDMoore s Law (continued) HDMoore s Law Success Rate (%) Adversary Classes Espionage Organized Crime APT/APA Chaotic Actors Organized Casual Crime Attacker Anon/Lulz Auditor/Assessor Casual QSA 10 x Defender SecureOns

37 HDMoore s Law (continued) HDMoore s Law Success Rate (%) Adversary Classes Espionage Organized Crime APT/APA Chaotic Actors Organized Casual Crime Attacker Anon/Lulz Auditor/Assessor Casual QSA 10 x Defender SecureOns

38 HDMoore s Law (continued) HDMoore s Law Success Rate (%) Adversary Classes Espionage Organized Crime APT/APA Chaotic Actors Organized Casual Crime Attacker Anon/Lulz Auditor/Assessor Casual QSA 10 x Defender SecureOns

39 Situational Awareness 39

40 Does it Matter Who is Attacking? Was #18 in overall DBIR Top Threat Action Types used to steal INTELLECTUAL PROPERTY AND CLASSIFIED INFORMATION by number of breaches - (excludes breaches only involving payment card data, bank account information, personal information, etc)

41 Application in the Real World 41

42 Impacting Adversary ROI Adversary ROI = X - Probability of Success Deterrence Measures Ability to respond and recover key It is typically not desirable to make your assets less valuable ( ( Value of Assets Compromised + ) Cost of ) Attack Value Adversary Value of Operational Impact - the Attack Cost of the Attack Increase adversary Work Effort (% Chance of Getting Caught x Cost of Getting Caught) Impact of getting caught is typically a government issue

43 Who Are You Playing Against? 43

44 OODA Loop: A Great Fit With Adversary ROI Observe * Patterns of Conflict Act Orient Decide * 44

45 VZ DBIR Patching: Evolving Adversary TTPs Let s Patch Faster! % Patchable (not 90%) of 90 Patchable 6.66% 2010 ZERO Patchable [0] Barking up the wrong tree? 45

46 SQLi We spend under $500m 46

47 Attacks Density (4Realz DBIR Style) Only 55 of the 630 possible events have a value greater than 0 90% of the threat space was not in play at all 47

48 Mission Accomplished (no, not really) 2011 VZ DBIR Is Organized Crime Failing Online? Doubtful

49 VZ DBIR: Non CCN Asset Type Breakdown incidents incidents Delta Intellectual Property National Security Data Sensitive Organizational System Information ZERO

50 Think About Work Effort What Do You Look Like To Different Adversaries? 50

51 Real Life Example from a Defense Industrial Base Company Who Are The Threats? What Do They Want? What Are There TTPs? Deployed Specific Technology and Processes Forced Adversary to Change TTPs Or Target Other Organizations 51

52 Adversary ROI Getting Non-Security Executives Involved What protected or sensitive information do we have? What adversaries desire the information and why? What is the value of the information to the organization? How would the adversary value it? What are the adversaries capabilities? What controls protect the information? Slide 52

53 Apply Start with a blank slate! Engage non-security people Identify your most likely adversaries Obtain/share adversary centric intel Threat Intelligence ISACs Brand/chatter monitoring Simulate adversary-driven scenarios Table tops/roll playing (w/ Crisis Management) Adversary-Centric Penetration Testing 53