Click here to close now.

Welcome!

Web 2.0 Authors: Ian Khan, Carmen Gonzalez, Aria Blog, Elizabeth White, Plutora Blog

Related Topics: Security, XML, Web 2.0, Open Web

Security: Article

Victim-nomics: Estimating the “Costs” of Compromise

Should you pay now or pay later?

Since launching ThreatConnect.com, Cyber Squared's Intelligence Support Team has become more effective in managing, analyzing and sharing our Threat Intelligence. While understanding the threat remains one of our core requirements, we have also begun to fill a key gap that, we feel, many within the industry are failing to address.

Providing effective Threat Intelligence requires more than just characterizing the threat from a technical perspective.  Instead, you must strike a balance between providing technical context as well as non-technical relevancy to the victim.  Industry report authors will often admire the cyber espionage problem all the while promoting their technical talents.  Unfortunately, these overly technical threat details are not easily interpreted or acted upon by today's non-technical business leaders.  So, ultimately, this shortcoming often overwhelms and distances the customer from the reality of the issue. It also reduces their ability to fully appreciate and understand how an investment toward Threat Intelligence can protect their business operations and enhance their overall corporate risk mitigation strategy.

Caveats
In the following scenario, we have masked the possible victim companies in an effort to protect their identities and have addressed the threat and its infrastructure in very general terms to acknowledge operational equities without contextually identifying the possible victim companies. We have used the data obtained in our recent discovery to walk through several hypothetical scenarios while making assumptions that give the reader a better understanding of the potential financial impact of dealing with a targeted attack.  Finally, we have notified the appropriate authorities and possible victim companies, so that they are aware of the threat and the tailored infrastructure which we believe may be directed against them or their customers.

The Facts
While recently researching a known threat group within ThreatConnect.com, we identified several interesting observables associated with targets of a single Chinese-based Advanced Persistent Threat (APT) group.  Over the course of seven days, we watched the adversary tailor their command and control infrastructure toward the specific target companies and industries.  Ten suspected targets were readily identified; they consisted of U.S. based, publicly and privately held companies across the following industries:

  • Mining & Metals
  • Aerospace & Defense
  • Manufacturing & Fabrication
  • Construction & Engineering

We researched the collective group of target organizations and found that the sum of the companies' annual revenues was approximately $54 Billion dollars.  The relative size of each company and specific industries give us insights into what the intelligence collections requirements of the attackers may have been at the time of compromise.

Company

Rounded Revenue

U.S. Company 1

$26,000,000,000

U.S. Company 2

$11,000,000,000

U.S. Company 3

$6,000,000,000

U.S. Company 4

$5,000,000,000

U.S. Company 5

$4,000,000,000

U.S. Company 6

$1,500,000,000

U.S. Company 7

$600,000,000

U.S. Company 8

$20,000,000

U.S. Company 9

$20,000,000

U.S. Company 10

$2,500,000

Total:

$54,142,500,000

In this use case, we made some assumptions based on the information available to us.  Our first assumption was that the victim companies were likely committed to making a short to mid-term investment in mitigating the immediate risk and eradicating the threat from their network.  Unfortunately, we did not have any data available to us that revealed the severity of the compromise nor did we have access to the actual budgets or investments toward a response and future threat mitigation efforts in which these respective companies may choose to make.

The cost of getting "RSA'ed":
When making assumptions, it is important that we compare apples to apples.  We can assess with a high level of confidence that the threat we are monitoring in this case is an APT of Chinese origin.  We can confidently assess that the threat is most likely persisting within the respective enterprises with the intent of conducting long term data exfiltration of proprietary information from the respective organizations.

One example that helped us put the scenario in perspective is from the 2011 RSA breach.  Between April and June 2011, RSA spent $66 million dollars in the aftermath of a March 2011 APT breach, which also resulted in the compromise of information associated with RSA's SecurID two-factor authentication technology.   It is important to note that the $66 million cleanup figure did not include the post breach expenses from the first quarter of 2011 when EMC began investigating the breach, nor does it account for any of the long-term associated costs.  EMC's 2011 earnings statement cited a consolidated revenue of $20 billion dollars.  The $66 million cleanup figure would account for 0.33% of EMC's overall $20 billion dollar revenue.  However, if we apply the same $66 million cleanup costs for RSA's total revenue of $828.2 million for 2011, we find that the intrusion had a direct impact of 7.96% of RSA's 2011 revenue.

What if?
All of the target organizations are not the same.  Their roles, sizes and revenues within their respective industries all differ.  Furthermore, many of these companies do not have a parent company the size of EMC which could absorb the cost of a $66 million dollar incident. However, each organization could respond and invest in a similar manner as RSA.  If we theorize that each company identified were to invest 7.96%, of their annual revenues to mitigate the effects of this persistent APT, the effect would be:

Company

Rounded Revenues

Cost of getting "RSA'ed"

U.S. Company 1

$26,000,000,000

$2,069,600,000

U.S. Company 2

$11,000,000,000

$875,600,000

U.S. Company 3

$6,000,000,000

$477,600,000

U.S. Company 4

$5,000,000,000

$398,000,000

U.S. Company 5

$4,000,000,000

$318,400,000

U.S. Company 6

$1,500,000,000

$119,400,000

U.S. Company 7

$600,000,000

$47,760,000

U.S. Company 8

$20,000,000

$1,592,000

U.S. Company 9

$20,000,000

$1,592,000

U.S. Company 10

$2,500,000

$199,000

Total:

$54,142,500,000

$4,309,743,000

Irrespective of size, could these companies really all afford a 7.96% hit in response to a major enterprise breach? Considering that many of the victims are either publicly traded or provide direct support to U.S. Government funded programs, most would be compelled to notify various stakeholders, such as investors, the U.S. Security Exchange Commission, and their primary customers or government contract managers.

Based on our long term understanding of this threat group, we are almost certain that a resourced Chinese state sanctioned or sponsored threat group is responsible for establishing and using the observed command and control infrastructure we have detected within ThreatConnect.com.  We also conclude that the threat group is likely conducting economic espionage on behalf of an unknown Chinese benefactor who may be in an advantageous position to operationalize and monetize the information.  What we do not know is who, when or how the information may be employed.

The targeted and persistent nature of the threat suggests that the threat actor knows what type of information they want to acquire and are concentrating their collection by targeting multiple victims within overlapping industries.  Left unchecked, enterprise compromises could facilitate access to corporate intellectual property such as research and development, confidential corporate insights, and operational plans.  Access to confidential information regarding the mining and metals industry, as well as U.S. defense aerospace, engineering and fabrication could allow the attacker to enable the manipulation of markets, conduct restricted defense related technology transfers and or obtain unfair advantages within international business or trade negotiations.

Conclusion
Until more companies come forward with details of Chinese corporate espionage, little data will be available to us regarding the associated short and long term costs. In 2011 the U.S. International Trade Commission issued a report titled "China: Effects of Intellectual Property Infringement and Indigenous Innovation Policies on the U.S. Economy".  The report details estimates of Chinese Intellectual Property Rights (IPR) infringement had cost the U.S. economy approximately $48 billion in 2009 alone, caveating the $48 billion figure that many companies were unable to quantify their losses.  The ITC report also highlighted that if China improved their current international obligations to protect and enforce IPR, 2.1 million jobs could have been created in the U.S.

Although there are numerous variables that cannot be accounted for with the data available to us, we can apply a simple model based on the RSA data that supports our hypothetical scenario and begin to see what the financial and economic effects would be across ten companies of various industries and revenues.  It is important to understand the scenario outlined above is associated with a real threat that has tailored their infrastructure and is likely exploiting the U.S. companies. Any associated enterprise exploitation would have an obvious direct and indirect effect to each company's respective annual revenues.   All of the threat data obtained is based on real-world data collected and analyzed within ThreatConnect.com.

More Stories By Rich Barger

Rich is the Chief Intelligence Officer for Cyber Squared and the ThreatConnect Intelligence Research Team (TCIRT) Director. Rich has over 17 years of experience supporting the commercial sector, defense industry, and intelligence community with threat intelligence and computer network operations. Rich is a passionate and creative thought leader that has led talented teams of researchers in producing quality analysis and actionable intelligence. After his commitment to the United States Army, Rich has supported the U.S. Army Command and Control Support Agency, the U.S. Army 1st Information Operations Command, the Joint Task Force Global Network Operations, and the NSA/CSS Threat Operations Center. Rich possesses a variety of industry certifications and a BS in Information Systems Security with Honors from American Military University.

@ThingsExpo Stories
The industrial software market has treated data with the mentality of “collect everything now, worry about how to use it later.” We now find ourselves buried in data, with the pervasive connectivity of the (Industrial) Internet of Things only piling on more numbers. There’s too much data and not enough information. In his session at @ThingsExpo, Bob Gates, Global Marketing Director, GE’s Intelligent Platforms business, to discuss how realizing the power of IoT, software developers are now focused on understanding how industrial data can create intelligence for industrial operations. Imagine ...
Every innovation or invention was originally a daydream. You like to imagine a “what-if” scenario. And with all the attention being paid to the so-called Internet of Things (IoT) you don’t have to stretch the imagination too much to see how this may impact commercial and homeowners insurance. We’re beyond the point of accepting this as a leap of faith. The groundwork is laid. Now it’s just a matter of time. We can thank the inventors of smart thermostats for developing a practical business application that everyone can relate to. Gone are the salad days of smart home apps, the early chalkb...
We certainly live in interesting technological times. And no more interesting than the current competing IoT standards for connectivity. Various standards bodies, approaches, and ecosystems are vying for mindshare and positioning for a competitive edge. It is clear that when the dust settles, we will have new protocols, evolved protocols, that will change the way we interact with devices and infrastructure. We will also have evolved web protocols, like HTTP/2, that will be changing the very core of our infrastructures. At the same time, we have old approaches made new again like micro-services...
Operational Hadoop and the Lambda Architecture for Streaming Data Apache Hadoop is emerging as a distributed platform for handling large and fast incoming streams of data. Predictive maintenance, supply chain optimization, and Internet-of-Things analysis are examples where Hadoop provides the scalable storage, processing, and analytics platform to gain meaningful insights from granular data that is typically only valuable from a large-scale, aggregate view. One architecture useful for capturing and analyzing streaming data is the Lambda Architecture, representing a model of how to analyze rea...
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
CommVault has announced that top industry technology visionaries have joined its leadership team. The addition of leaders from companies such as Oracle, SAP, Microsoft, Cisco, PwC and EMC signals the continuation of CommVault Next, the company's business transformation for sales, go-to-market strategies, pricing and packaging and technology innovation. The company also announced that it had realigned its structure to create business units to more directly match how customers evaluate, deploy, operate, and purchase technology.
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial Cloud.
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your online presence.
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
Even as cloud and managed services grow increasingly central to business strategy and performance, challenges remain. The biggest sticking point for companies seeking to capitalize on the cloud is data security. Keeping data safe is an issue in any computing environment, and it has been a focus since the earliest days of the cloud revolution. Understandably so: a lot can go wrong when you allow valuable information to live outside the firewall. Recent revelations about government snooping, along with a steady stream of well-publicized data breaches, only add to the uncertainty
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
PubNub on Monday has announced that it is partnering with IBM to bring its sophisticated real-time data streaming and messaging capabilities to Bluemix, IBM’s cloud development platform. “Today’s app and connected devices require an always-on connection, but building a secure, scalable solution from the ground up is time consuming, resource intensive, and error-prone,” said Todd Greene, CEO of PubNub. “PubNub enables web, mobile and IoT developers building apps on IBM Bluemix to quickly add scalable realtime functionality with minimal effort and cost.”
The Internet of Things (IoT) is rapidly in the process of breaking from its heretofore relatively obscure enterprise applications (such as plant floor control and supply chain management) and going mainstream into the consumer space. More and more creative folks are interconnecting everyday products such as household items, mobile devices, appliances and cars, and unleashing new and imaginative scenarios. We are seeing a lot of excitement around applications in home automation, personal fitness, and in-car entertainment and this excitement will bleed into other areas. On the commercial side, m...
Sensor-enabled things are becoming more commonplace, precursors to a larger and more complex framework that most consider the ultimate promise of the IoT: things connecting, interacting, sharing, storing, and over time perhaps learning and predicting based on habits, behaviors, location, preferences, purchases and more. In his session at @ThingsExpo, Tom Wesselman, Director of Communications Ecosystem Architecture at Plantronics, will examine the still nascent IoT as it is coalescing, including what it is today, what it might ultimately be, the role of wearable tech, and technology gaps stil...
In the consumer IoT, everything is new, and the IT world of bits and bytes holds sway. But industrial and commercial realms encompass operational technology (OT) that has been around for 25 or 50 years. This grittier, pre-IP, more hands-on world has much to gain from Industrial IoT (IIoT) applications and principles. But adding sensors and wireless connectivity won’t work in environments that demand unwavering reliability and performance. In his session at @ThingsExpo, Ron Sege, CEO of Echelon, will discuss how as enterprise IT embraces other IoT-related technology trends, enterprises with i...