Welcome!

Release Management Authors: Liz McMillan, Jnan Dash, Lori MacVittie, Gilad Parann-Nissany, Carmen Gonzalez

Related Topics: Cloud Security, Industrial IoT, Agile Computing, Release Management

Cloud Security: Article

Victim-nomics: Estimating the “Costs” of Compromise

Should you pay now or pay later?

Since launching ThreatConnect.com, Cyber Squared's Intelligence Support Team has become more effective in managing, analyzing and sharing our Threat Intelligence. While understanding the threat remains one of our core requirements, we have also begun to fill a key gap that, we feel, many within the industry are failing to address.

Providing effective Threat Intelligence requires more than just characterizing the threat from a technical perspective.  Instead, you must strike a balance between providing technical context as well as non-technical relevancy to the victim.  Industry report authors will often admire the cyber espionage problem all the while promoting their technical talents.  Unfortunately, these overly technical threat details are not easily interpreted or acted upon by today's non-technical business leaders.  So, ultimately, this shortcoming often overwhelms and distances the customer from the reality of the issue. It also reduces their ability to fully appreciate and understand how an investment toward Threat Intelligence can protect their business operations and enhance their overall corporate risk mitigation strategy.

Caveats
In the following scenario, we have masked the possible victim companies in an effort to protect their identities and have addressed the threat and its infrastructure in very general terms to acknowledge operational equities without contextually identifying the possible victim companies. We have used the data obtained in our recent discovery to walk through several hypothetical scenarios while making assumptions that give the reader a better understanding of the potential financial impact of dealing with a targeted attack.  Finally, we have notified the appropriate authorities and possible victim companies, so that they are aware of the threat and the tailored infrastructure which we believe may be directed against them or their customers.

The Facts
While recently researching a known threat group within ThreatConnect.com, we identified several interesting observables associated with targets of a single Chinese-based Advanced Persistent Threat (APT) group.  Over the course of seven days, we watched the adversary tailor their command and control infrastructure toward the specific target companies and industries.  Ten suspected targets were readily identified; they consisted of U.S. based, publicly and privately held companies across the following industries:

  • Mining & Metals
  • Aerospace & Defense
  • Manufacturing & Fabrication
  • Construction & Engineering

We researched the collective group of target organizations and found that the sum of the companies' annual revenues was approximately $54 Billion dollars.  The relative size of each company and specific industries give us insights into what the intelligence collections requirements of the attackers may have been at the time of compromise.

Company

Rounded Revenue

U.S. Company 1

$26,000,000,000

U.S. Company 2

$11,000,000,000

U.S. Company 3

$6,000,000,000

U.S. Company 4

$5,000,000,000

U.S. Company 5

$4,000,000,000

U.S. Company 6

$1,500,000,000

U.S. Company 7

$600,000,000

U.S. Company 8

$20,000,000

U.S. Company 9

$20,000,000

U.S. Company 10

$2,500,000

Total:

$54,142,500,000

In this use case, we made some assumptions based on the information available to us.  Our first assumption was that the victim companies were likely committed to making a short to mid-term investment in mitigating the immediate risk and eradicating the threat from their network.  Unfortunately, we did not have any data available to us that revealed the severity of the compromise nor did we have access to the actual budgets or investments toward a response and future threat mitigation efforts in which these respective companies may choose to make.

The cost of getting "RSA'ed":
When making assumptions, it is important that we compare apples to apples.  We can assess with a high level of confidence that the threat we are monitoring in this case is an APT of Chinese origin.  We can confidently assess that the threat is most likely persisting within the respective enterprises with the intent of conducting long term data exfiltration of proprietary information from the respective organizations.

One example that helped us put the scenario in perspective is from the 2011 RSA breach.  Between April and June 2011, RSA spent $66 million dollars in the aftermath of a March 2011 APT breach, which also resulted in the compromise of information associated with RSA's SecurID two-factor authentication technology.   It is important to note that the $66 million cleanup figure did not include the post breach expenses from the first quarter of 2011 when EMC began investigating the breach, nor does it account for any of the long-term associated costs.  EMC's 2011 earnings statement cited a consolidated revenue of $20 billion dollars.  The $66 million cleanup figure would account for 0.33% of EMC's overall $20 billion dollar revenue.  However, if we apply the same $66 million cleanup costs for RSA's total revenue of $828.2 million for 2011, we find that the intrusion had a direct impact of 7.96% of RSA's 2011 revenue.

What if?
All of the target organizations are not the same.  Their roles, sizes and revenues within their respective industries all differ.  Furthermore, many of these companies do not have a parent company the size of EMC which could absorb the cost of a $66 million dollar incident. However, each organization could respond and invest in a similar manner as RSA.  If we theorize that each company identified were to invest 7.96%, of their annual revenues to mitigate the effects of this persistent APT, the effect would be:

Company

Rounded Revenues

Cost of getting "RSA'ed"

U.S. Company 1

$26,000,000,000

$2,069,600,000

U.S. Company 2

$11,000,000,000

$875,600,000

U.S. Company 3

$6,000,000,000

$477,600,000

U.S. Company 4

$5,000,000,000

$398,000,000

U.S. Company 5

$4,000,000,000

$318,400,000

U.S. Company 6

$1,500,000,000

$119,400,000

U.S. Company 7

$600,000,000

$47,760,000

U.S. Company 8

$20,000,000

$1,592,000

U.S. Company 9

$20,000,000

$1,592,000

U.S. Company 10

$2,500,000

$199,000

Total:

$54,142,500,000

$4,309,743,000

Irrespective of size, could these companies really all afford a 7.96% hit in response to a major enterprise breach? Considering that many of the victims are either publicly traded or provide direct support to U.S. Government funded programs, most would be compelled to notify various stakeholders, such as investors, the U.S. Security Exchange Commission, and their primary customers or government contract managers.

Based on our long term understanding of this threat group, we are almost certain that a resourced Chinese state sanctioned or sponsored threat group is responsible for establishing and using the observed command and control infrastructure we have detected within ThreatConnect.com.  We also conclude that the threat group is likely conducting economic espionage on behalf of an unknown Chinese benefactor who may be in an advantageous position to operationalize and monetize the information.  What we do not know is who, when or how the information may be employed.

The targeted and persistent nature of the threat suggests that the threat actor knows what type of information they want to acquire and are concentrating their collection by targeting multiple victims within overlapping industries.  Left unchecked, enterprise compromises could facilitate access to corporate intellectual property such as research and development, confidential corporate insights, and operational plans.  Access to confidential information regarding the mining and metals industry, as well as U.S. defense aerospace, engineering and fabrication could allow the attacker to enable the manipulation of markets, conduct restricted defense related technology transfers and or obtain unfair advantages within international business or trade negotiations.

Conclusion
Until more companies come forward with details of Chinese corporate espionage, little data will be available to us regarding the associated short and long term costs. In 2011 the U.S. International Trade Commission issued a report titled "China: Effects of Intellectual Property Infringement and Indigenous Innovation Policies on the U.S. Economy".  The report details estimates of Chinese Intellectual Property Rights (IPR) infringement had cost the U.S. economy approximately $48 billion in 2009 alone, caveating the $48 billion figure that many companies were unable to quantify their losses.  The ITC report also highlighted that if China improved their current international obligations to protect and enforce IPR, 2.1 million jobs could have been created in the U.S.

Although there are numerous variables that cannot be accounted for with the data available to us, we can apply a simple model based on the RSA data that supports our hypothetical scenario and begin to see what the financial and economic effects would be across ten companies of various industries and revenues.  It is important to understand the scenario outlined above is associated with a real threat that has tailored their infrastructure and is likely exploiting the U.S. companies. Any associated enterprise exploitation would have an obvious direct and indirect effect to each company's respective annual revenues.   All of the threat data obtained is based on real-world data collected and analyzed within ThreatConnect.com.

More Stories By Rich Barger

Rich is the Chief Intelligence Officer for Cyber Squared and the ThreatConnect Intelligence Research Team (TCIRT) Director.

@ThingsExpo Stories
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, will share examples from a wide range of industries – includin...
Unless your company can spend a lot of money on new technology, re-engineering your environment and hiring a comprehensive cybersecurity team, you will most likely move to the cloud or seek external service partnerships. In his session at 18th Cloud Expo, Darren Guccione, CEO of Keeper Security, revealed what you need to know when it comes to encryption in the cloud.
We're entering the post-smartphone era, where wearable gadgets from watches and fitness bands to glasses and health aids will power the next technological revolution. With mass adoption of wearable devices comes a new data ecosystem that must be protected. Wearables open new pathways that facilitate the tracking, sharing and storing of consumers’ personal health, location and daily activity data. Consumers have some idea of the data these devices capture, but most don’t realize how revealing and...
"We build IoT infrastructure products - when you have to integrate different devices, different systems and cloud you have to build an application to do that but we eliminate the need to build an application. Our products can integrate any device, any system, any cloud regardless of protocol," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at 20th Cloud Expo, Ed Featherston, director/senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
In addition to all the benefits, IoT is also bringing new kind of customer experience challenges - cars that unlock themselves, thermostats turning houses into saunas and baby video monitors broadcasting over the internet. This list can only increase because while IoT services should be intuitive and simple to use, the delivery ecosystem is a myriad of potential problems as IoT explodes complexity. So finding a performance issue is like finding the proverbial needle in the haystack.
According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Onalytica. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
"IoT is going to be a huge industry with a lot of value for end users, for industries, for consumers, for manufacturers. How can we use cloud to effectively manage IoT applications," stated Ian Khan, Innovation & Marketing Manager at Solgeniakhela, in this SYS-CON.tv interview at @ThingsExpo, held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
We are always online. We access our data, our finances, work, and various services on the Internet. But we live in a congested world of information in which the roads were built two decades ago. The quest for better, faster Internet routing has been around for a decade, but nobody solved this problem. We’ve seen band-aid approaches like CDNs that attack a niche's slice of static content part of the Internet, but that’s it. It does not address the dynamic services-based Internet of today. It does...
Internet of @ThingsExpo, taking place June 6-8, 2017 at the Javits Center in New York City, New York, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo New York Call for Papers is now open.