In my previous post, I discussed cybersecurity, primarily from the defensive point of view, and provided a simplistic explanation of Pareto Optimality.
Defense isn’t the only side at play. However, we tend to think in terms of defense, which leans toward a linear thought process. The malicious actors are imaginative and in the business of making monetary gains. They apply business models to reap the most gains by the easiest, fastest means.
By casting a wide net to catch numerous fish, they allocate as few resources as possible to any single target. This strikes me as a classic example of the ends justifying the means: the malicious actors are focused on their business goals, while the defenders focus on the means by which attacks happen rather than on the attackers' end goals.
Individually, these fish may not be incredibly valuable. According to a blog by Dell Secureworks, the value of card data or personal data varies widely by geography and content: the low end is $4 and the high end is around $40. That range covers only personal and card data, not access to machines or services. If you take the lowest value of data and multiply it by the scale of a successful breach of 100 million card records, you could stand to make $400 million from a single successful breach. This, of course, assumes a 100 percent success rate selling the stolen data or records and that you sell the information only once.
Given their focus on the business side of crime, today's malicious groups have taken steps to reduce the expenditure of resources through automated processes, whether refining binaries to thwart signature-based defenses or adjusting malware's internal clock to wait until after a detonation attempt in a virtual machine or sandbox appliance has finished. We also cannot forget that they have 24/7 support and services that will help them subvert antivirus (AV), next-generation firewalls (NGFW) or Intrusion Detection Systems/Intrusion Protection Systems (IDS/IPS) entirely.
Bringing this back to the Pareto principles of optimality and efficiency, the malicious actors are capturing 80 percent of their successes with only 20 percent of their capabilities. In other words, they’re extremely efficient and still have new technology waiting to be deployed once defenses are updated.
If criminal groups can snatch 200 million records through simple social engineering, why should they show their hand early and attempt thefts via more sophisticated means? That just isn’t efficient and doesn’t make business sense.
How do you disrupt this efficiency? If you apply diminishing returns against the somewhat constrained resources of the malicious actors, you may create an unappetizing target. Your organization's goal is to make the expenditure of resources required to attack you higher than what the malicious actors spent on previous attacks. The logic is to make less well-defended targets more appealing by reducing the potential gains your organization offers relative to its cost.
One way of accomplishing this is by augmenting your traditional defensive measures with a simple investment in proven identity-based security methods. Cybercriminals are motivated by easy money. Some groups will have different desires and goals, but they will all target and attack the least-defended sources of money, identities and information. Make the cybercriminals invest more in an attack by decreasing the attack surface area, and ultimately they will be likely to find an easier target. In Pareto-speak, the defenders can unbalance the offensive efficiency.
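The target-selection argument above can be made concrete with a small model. The following is an added illustration, not code from the original post or from any vendor it mentions: each target is described by the records it exposes, the resale price per record (using the $4 and $40 figures quoted above), an assumed probability that the attack succeeds and an assumed attacker cost. A budget-constrained attacker ranks targets by expected return on investment and works down the list. Hardening one target (here modelled as identity-based controls that lower the success rate and raise the attacker's cost) pushes it down the ranking, and the attacker's campaign shifts to the easier peers. All target names, costs and probabilities are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Target:
    """One organization as seen from the attacker's spreadsheet (constructed values)."""
    name: str
    records: int              # records exposed if the breach succeeds
    price_per_record: float   # resale value per record, $4..$40 per the post
    success_rate: float       # assumed probability the attack succeeds, 0..1
    attack_cost: float        # assumed attacker resources (dollars) to mount the attack

    def expected_gain(self) -> float:
        """Records x price x success probability."""
        return self.records * self.price_per_record * self.success_rate

    def roi(self) -> float:
        """Expected gain per dollar the attacker spends."""
        return self.expected_gain() / self.attack_cost


def rank_targets(targets: List[Target]) -> List[Target]:
    """Attacker's view: highest return on investment first."""
    return sorted(targets, key=lambda t: t.roi(), reverse=True)


def plan_campaign(targets: List[Target], budget: float) -> List[str]:
    """Greedy campaign: take targets in ROI order while the budget lasts, skipping any that don't fit."""
    chosen = []
    remaining = budget
    for t in rank_targets(targets):
        if t.attack_cost <= remaining:
            chosen.append(t.name)
            remaining -= t.attack_cost
    return chosen


def harden(target: Target, cost_multiplier: float, new_success_rate: float) -> Target:
    """Model a defensive investment: the attack gets more expensive and less likely to succeed."""
    return replace(
        target,
        attack_cost=target.attack_cost * cost_multiplier,
        success_rate=new_success_rate,
    )


# Constructed sample landscape: our organization and two peers the attacker could hit instead.
OURS = Target("ours", records=100_000_000, price_per_record=4.0, success_rate=0.3, attack_cost=10_000)
PEER_A = Target("peer-a", records=20_000_000, price_per_record=4.0, success_rate=0.5, attack_cost=20_000)
PEER_B = Target("peer-b", records=5_000_000, price_per_record=40.0, success_rate=0.4, attack_cost=10_000)
LANDSCAPE = [OURS, PEER_A, PEER_B]

# Identity-based controls assumed to make our breach 10x costlier and far less likely to succeed.
HARDENED_OURS = harden(OURS, cost_multiplier=10, new_success_rate=0.05)
HARDENED_LANDSCAPE = [HARDENED_OURS, PEER_A, PEER_B]


def campaign_before(budget: float = 30_000) -> List[str]:
    return plan_campaign(LANDSCAPE, budget)


def campaign_after(budget: float = 30_000) -> List[str]:
    return plan_campaign(HARDENED_LANDSCAPE, budget)


if __name__ == "__main__":
    # The post's headline arithmetic: 100M records at $4 with a 100% sale rate.
    print(Target("headline", 100_000_000, 4.0, 1.0, 1.0).expected_gain())
    for t in rank_targets(LANDSCAPE):
        print(f"{t.name:8s} ROI={t.roi():10.1f}")
    print("campaign before hardening:", campaign_before())
    print("campaign after hardening: ", campaign_after())
```

The model says nothing about which controls are right for a given organization; its point is the shape of the decision. As long as our target sits at the top of the attacker's ROI ranking, it is in the campaign. Raising the cost and lowering the success rate does not have to make the attack impossible, only less attractive than the next target on the list.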
This strategy should not be read as advocating an immediate divestment of traditional perimeter defenses. They have a place in a greater layered security approach.
Organizations need to start thinking more in terms of cybereconomics: understanding the true motivations of malicious actors and assigning risk-appropriate valuations to protected assets and intellectual property. This would allow us to find an optimal position that doesn't favor the malicious actors.
The most important takeaway? If malicious actors can achieve their business goals with an 80 percent success rate and only 20 percent exertion, they win. Once diminishing returns enter the equation and the criminals lose their optimal position, they will either find an easier, less-protected path or have to expend ever-increasing resources.
As a colleague pointed out, the offense only needs to be successful once; the defense needs to be on its game 100 percent of the time. Let's plan and invest properly, with a modern view of the cybersecurity world we live in, and put the economics back in our favor.