Welcome!

Release Management Authors: Liz McMillan, Jnan Dash, Lori MacVittie, Gilad Parann-Nissany, Carmen Gonzalez

Related Topics: Cloud Security, Industrial IoT, Agile Computing, Release Management

Cloud Security: Article

Victim-nomics: Estimating the “Costs” of Compromise

Should you pay now or pay later?

Since launching ThreatConnect.com, Cyber Squared's Intelligence Support Team has become more effective in managing, analyzing and sharing our Threat Intelligence. While understanding the threat remains one of our core requirements, we have also begun to fill a key gap that, we feel, many within the industry are failing to address.

Providing effective Threat Intelligence requires more than just characterizing the threat from a technical perspective.  Instead, you must strike a balance between providing technical context as well as non-technical relevancy to the victim.  Industry report authors will often admire the cyber espionage problem all the while promoting their technical talents.  Unfortunately, these overly technical threat details are not easily interpreted or acted upon by today's non-technical business leaders.  So, ultimately, this shortcoming often overwhelms and distances the customer from the reality of the issue. It also reduces their ability to fully appreciate and understand how an investment toward Threat Intelligence can protect their business operations and enhance their overall corporate risk mitigation strategy.

Caveats
In the following scenario, we have masked the possible victim companies in an effort to protect their identities and have addressed the threat and its infrastructure in very general terms to acknowledge operational equities without contextually identifying the possible victim companies. We have used the data obtained in our recent discovery to walk through several hypothetical scenarios while making assumptions that give the reader a better understanding of the potential financial impact of dealing with a targeted attack.  Finally, we have notified the appropriate authorities and possible victim companies, so that they are aware of the threat and the tailored infrastructure which we believe may be directed against them or their customers.

The Facts
While recently researching a known threat group within ThreatConnect.com, we identified several interesting observables associated with targets of a single Chinese-based Advanced Persistent Threat (APT) group.  Over the course of seven days, we watched the adversary tailor their command and control infrastructure toward the specific target companies and industries.  Ten suspected targets were readily identified; they consisted of U.S. based, publicly and privately held companies across the following industries:

  • Mining & Metals
  • Aerospace & Defense
  • Manufacturing & Fabrication
  • Construction & Engineering

We researched the collective group of target organizations and found that the sum of the companies' annual revenues was approximately $54 Billion dollars.  The relative size of each company and specific industries give us insights into what the intelligence collections requirements of the attackers may have been at the time of compromise.

Company

Rounded Revenue

U.S. Company 1

$26,000,000,000

U.S. Company 2

$11,000,000,000

U.S. Company 3

$6,000,000,000

U.S. Company 4

$5,000,000,000

U.S. Company 5

$4,000,000,000

U.S. Company 6

$1,500,000,000

U.S. Company 7

$600,000,000

U.S. Company 8

$20,000,000

U.S. Company 9

$20,000,000

U.S. Company 10

$2,500,000

Total:

$54,142,500,000

In this use case, we made some assumptions based on the information available to us.  Our first assumption was that the victim companies were likely committed to making a short to mid-term investment in mitigating the immediate risk and eradicating the threat from their network.  Unfortunately, we did not have any data available to us that revealed the severity of the compromise nor did we have access to the actual budgets or investments toward a response and future threat mitigation efforts in which these respective companies may choose to make.

The cost of getting "RSA'ed":
When making assumptions, it is important that we compare apples to apples.  We can assess with a high level of confidence that the threat we are monitoring in this case is an APT of Chinese origin.  We can confidently assess that the threat is most likely persisting within the respective enterprises with the intent of conducting long term data exfiltration of proprietary information from the respective organizations.

One example that helped us put the scenario in perspective is from the 2011 RSA breach.  Between April and June 2011, RSA spent $66 million dollars in the aftermath of a March 2011 APT breach, which also resulted in the compromise of information associated with RSA's SecurID two-factor authentication technology.   It is important to note that the $66 million cleanup figure did not include the post breach expenses from the first quarter of 2011 when EMC began investigating the breach, nor does it account for any of the long-term associated costs.  EMC's 2011 earnings statement cited a consolidated revenue of $20 billion dollars.  The $66 million cleanup figure would account for 0.33% of EMC's overall $20 billion dollar revenue.  However, if we apply the same $66 million cleanup costs for RSA's total revenue of $828.2 million for 2011, we find that the intrusion had a direct impact of 7.96% of RSA's 2011 revenue.

What if?
All of the target organizations are not the same.  Their roles, sizes and revenues within their respective industries all differ.  Furthermore, many of these companies do not have a parent company the size of EMC which could absorb the cost of a $66 million dollar incident. However, each organization could respond and invest in a similar manner as RSA.  If we theorize that each company identified were to invest 7.96%, of their annual revenues to mitigate the effects of this persistent APT, the effect would be:

Company

Rounded Revenues

Cost of getting "RSA'ed"

U.S. Company 1

$26,000,000,000

$2,069,600,000

U.S. Company 2

$11,000,000,000

$875,600,000

U.S. Company 3

$6,000,000,000

$477,600,000

U.S. Company 4

$5,000,000,000

$398,000,000

U.S. Company 5

$4,000,000,000

$318,400,000

U.S. Company 6

$1,500,000,000

$119,400,000

U.S. Company 7

$600,000,000

$47,760,000

U.S. Company 8

$20,000,000

$1,592,000

U.S. Company 9

$20,000,000

$1,592,000

U.S. Company 10

$2,500,000

$199,000

Total:

$54,142,500,000

$4,309,743,000

Irrespective of size, could these companies really all afford a 7.96% hit in response to a major enterprise breach? Considering that many of the victims are either publicly traded or provide direct support to U.S. Government funded programs, most would be compelled to notify various stakeholders, such as investors, the U.S. Security Exchange Commission, and their primary customers or government contract managers.

Based on our long term understanding of this threat group, we are almost certain that a resourced Chinese state sanctioned or sponsored threat group is responsible for establishing and using the observed command and control infrastructure we have detected within ThreatConnect.com.  We also conclude that the threat group is likely conducting economic espionage on behalf of an unknown Chinese benefactor who may be in an advantageous position to operationalize and monetize the information.  What we do not know is who, when or how the information may be employed.

The targeted and persistent nature of the threat suggests that the threat actor knows what type of information they want to acquire and are concentrating their collection by targeting multiple victims within overlapping industries.  Left unchecked, enterprise compromises could facilitate access to corporate intellectual property such as research and development, confidential corporate insights, and operational plans.  Access to confidential information regarding the mining and metals industry, as well as U.S. defense aerospace, engineering and fabrication could allow the attacker to enable the manipulation of markets, conduct restricted defense related technology transfers and or obtain unfair advantages within international business or trade negotiations.

Conclusion
Until more companies come forward with details of Chinese corporate espionage, little data will be available to us regarding the associated short and long term costs. In 2011 the U.S. International Trade Commission issued a report titled "China: Effects of Intellectual Property Infringement and Indigenous Innovation Policies on the U.S. Economy".  The report details estimates of Chinese Intellectual Property Rights (IPR) infringement had cost the U.S. economy approximately $48 billion in 2009 alone, caveating the $48 billion figure that many companies were unable to quantify their losses.  The ITC report also highlighted that if China improved their current international obligations to protect and enforce IPR, 2.1 million jobs could have been created in the U.S.

Although there are numerous variables that cannot be accounted for with the data available to us, we can apply a simple model based on the RSA data that supports our hypothetical scenario and begin to see what the financial and economic effects would be across ten companies of various industries and revenues.  It is important to understand the scenario outlined above is associated with a real threat that has tailored their infrastructure and is likely exploiting the U.S. companies. Any associated enterprise exploitation would have an obvious direct and indirect effect to each company's respective annual revenues.   All of the threat data obtained is based on real-world data collected and analyzed within ThreatConnect.com.

More Stories By Rich Barger

Rich is the Chief Intelligence Officer for Cyber Squared and the ThreatConnect Intelligence Research Team (TCIRT) Director.

@ThingsExpo Stories
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 19th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo Silicon Valley Call for Papers is now open.
Cognitive Computing is becoming the foundation for a new generation of solutions that have the potential to transform business. Unlike traditional approaches to building solutions, a cognitive computing approach allows the data to help determine the way applications are designed. This contrasts with conventional software development that begins with defining logic based on the current way a business operates. In her session at 18th Cloud Expo, Judith S. Hurwitz, President and CEO of Hurwitz & ...
SYS-CON Events announced today that ReadyTalk, a leading provider of online conferencing and webinar services, has been named Vendor Presentation Sponsor at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. ReadyTalk delivers audio and web conferencing services that inspire collaboration and enable the Future of Work for today’s increasingly digital and mobile workforce. By combining intuitive, innovative tec...
There is growing need for data-driven applications and the need for digital platforms to build these apps. In his session at 19th Cloud Expo, Muddu Sudhakar, VP and GM of Security & IoT at Splunk, will cover different PaaS solutions and Big Data platforms that are available to build applications. In addition, AI and machine learning are creating new requirements that developers need in the building of next-gen apps. The next-generation digital platforms have some of the past platform needs a...
Almost two-thirds of companies either have or soon will have IoT as the backbone of their business in 2016. However, IoT is far more complex than most firms expected. How can you not get trapped in the pitfalls? In his session at @ThingsExpo, Tony Shan, a renowned visionary and thought leader, will introduce a holistic method of IoTification, which is the process of IoTifying the existing technology and business models to adopt and leverage IoT. He will drill down to the components in this fra...
SYS-CON Events announced today that Pulzze Systems will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Pulzze Systems, Inc. provides infrastructure products for the Internet of Things to enable any connected device and system to carry out matched operations without programming. For more information, visit http://www.pulzzesystems.com.
I'm a lonely sensor. I spend all day telling the world how I'm feeling, but none of the other sensors seem to care. I want to be connected. I want to build relationships with other sensors to be more useful for my human. I want my human to understand that when my friends next door are too hot for a while, I'll soon be flaming. And when all my friends go outside without me, I may be left behind. Don't just log my data; use the relationship graph. In his session at @ThingsExpo, Ryan Boyd, Engi...
The Transparent Cloud-computing Consortium (abbreviation: T-Cloud Consortium) will conduct research activities into changes in the computing model as a result of collaboration between "device" and "cloud" and the creation of new value and markets through organic data processing High speed and high quality networks, and dramatic improvements in computer processing capabilities, have greatly changed the nature of applications and made the storing and processing of data on the network commonplace.
From wearable activity trackers to fantasy e-sports, data and technology are transforming the way athletes train for the game and fans engage with their teams. In his session at @ThingsExpo, will present key data findings from leading sports organizations San Francisco 49ers, Orlando Magic NBA team. By utilizing data analytics these sports orgs have recognized new revenue streams, doubled its fan base and streamlined costs at its stadiums. John Paul is the CEO and Founder of VenueNext. Prior ...
In his general session at 18th Cloud Expo, Lee Atchison, Principal Cloud Architect and Advocate at New Relic, discussed cloud as a ‘better data center’ and how it adds new capacity (faster) and improves application availability (redundancy). The cloud is a ‘Dynamic Tool for Dynamic Apps’ and resource allocation is an integral part of your application architecture, so use only the resources you need and allocate /de-allocate resources on the fly.
SYS-CON Events announced today that Numerex Corp, a leading provider of managed enterprise solutions enabling the Internet of Things (IoT), will exhibit at the 19th International Cloud Expo | @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Numerex Corp. (NASDAQ:NMRX) is a leading provider of managed enterprise solutions enabling the Internet of Things (IoT). The Company's solutions produce new revenue streams or create operating...
WebRTC adoption has generated a wave of creative uses of communications and collaboration through websites, sales apps, customer care and business applications. As WebRTC has become more mainstream it has evolved to use cases beyond the original peer-to-peer case, which has led to a repeating requirement for interoperability with existing infrastructures. In his session at @ThingsExpo, Graham Holt, Executive Vice President of Daitan Group, will cover implementation examples that have enabled ea...
IoT offers a value of almost $4 trillion to the manufacturing industry through platforms that can improve margins, optimize operations & drive high performance work teams. By using IoT technologies as a foundation, manufacturing customers are integrating worker safety with manufacturing systems, driving deep collaboration and utilizing analytics to exponentially increased per-unit margins. However, as Benoit Lheureux, the VP for Research at Gartner points out, “IoT project implementers often ...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, will compare the Jevons Paradox to modern-day enterprise IT, e...
Complete Internet of Things (IoT) embedded device security is not just about the device but involves the entire product’s identity, data and control integrity, and services traversing the cloud. A device can no longer be looked at as an island; it is a part of a system. In fact, given the cross-domain interactions enabled by IoT it could be a part of many systems. Also, depending on where the device is deployed, for example, in the office building versus a factory floor or oil field, security ha...
SYS-CON Events announced today the Enterprise IoT Bootcamp, being held November 1-2, 2016, in conjunction with 19th Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA. Combined with real-world scenarios and use cases, the Enterprise IoT Bootcamp is not just based on presentations but with hands-on demos and detailed walkthroughs. We will introduce you to a variety of real world use cases prototyped using Arduino, Raspberry Pi, BeagleBone, Spark, and Intel Edison. Y...
Is your aging software platform suffering from technical debt while the market changes and demands new solutions at a faster clip? It’s a bold move, but you might consider walking away from your core platform and starting fresh. ReadyTalk did exactly that. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, will discuss why and how ReadyTalk diverted from healthy revenue and over a decade of audio conferencing product development to start an innovati...
Fifty billion connected devices and still no winning protocols standards. HTTP, WebSockets, MQTT, and CoAP seem to be leading in the IoT protocol race at the moment but many more protocols are getting introduced on a regular basis. Each protocol has its pros and cons depending on the nature of the communications. Does there really need to be only one protocol to rule them all? Of course not. In his session at @ThingsExpo, Chris Matthieu, co-founder and CTO of Octoblu, walk you through how Oct...
SYS-CON Events announced today that Bsquare has been named “Silver Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. For more than two decades, Bsquare has helped its customers extract business value from a broad array of physical assets by making them intelligent, connecting them, and using the data they generate to optimize business processes.
Identity is in everything and customers are looking to their providers to ensure the security of their identities, transactions and data. With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience. Making identity, security and privacy easy for customers provides a unique advantage over the competition.