Adversary ROI: Evaluating Security from the Threat Actor’s Perspective

Josh Corman, Director, Security Intelligence (@joshcorman)
David Etue, VP, Corp Dev Strategy (@djetue)
About Joshua Corman @joshcorman
 – Director of Security Intelligence for Akamai Technologies
    • Former Research Director, Enterprise Security [The 451 Group]
    • Former Principal Security Strategist [IBM ISS]
 – Industry:
    • Faculty: The Institute for Applied Network Security (IANS)
    • 2009 NetworkWorld Top 10 Tech People to Know
    • Co-Founder of “Rugged Software” www.ruggedsoftware.org
    • BLOG: www.cognitivedissidents.com
 – Things I’ve been researching:
    • Compliance vs Security
    • Disruptive Security for Disruptive Innovations
    • Chaotic Actors
    • Espionage
    • Security Metrics

About David Etue @djetue
 – VP, Corporate Development Strategy at SafeNet
    • Former Cyber Security Practice Lead [PRTM Management Consultants] (now PwC)
    • Former VP Products and Markets [Fidelis Security Systems]
    • Former Manager, Information Security [General Electric Company]
 – Industry:
    • Faculty: The Institute for Applied Network Security (IANS)
    • Leads Washington Relations for Cyber Security Forum Initiative
    • Certified Information Privacy Professional (CIPP/G)
 – Cyber things that interest me:
    • Adversary innovation
    • Social media security
    • Applying intelligence cycle / OODA loop in cyber
    • Supply chain security
Agenda
 • Context
 • Why ROI and ROSI have failed us…
 • Adversary ROI
 • Categorizing Threat Actors
 • Application in the Real World
CONTEXT
We Have Finite Resources…We Can Not Protect Everything!

[Images: Lufthansa Airbus A380 D-AIMC with the name "Peking" at Stuttgart (Lasse Fuss, http://commons.wikimedia.org/wiki/File:Lufthansa_A380_D-AIMC.jpg) and a flight recorder “Black Box” (http://commons.wikimedia.org/wiki/File:Fdr_sidefront.jpg)]
Consequences: Value & Replaceability

http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
Misplaced Focus

“With the breach-a-week over the last two years, the key determinant was nothing YOU did… but rather WHO was after you.”
WHY ROI AND ROSI HAVE FAILED US…
Why ROI failed…

  ROI = (Expected Returns - Cost of Investment) / Cost of Investment
        at Net Present Value for an organization’s required Rate of Return

• Most security people aren’t finance experts
• Typically applied in a vacuum
• No actual profit from security investments
• Doesn’t determine efficacy of security investment or commensurate investment levels
From the Failure of ROI comes ROSI
• Return on Security Investment (ROSI) created as a well intentioned way to apply risk metrics to ROI

  ROSI = (Risk Exposure x % Risk Mitigated - Solution Cost) / Solution Cost

• Problems:
   – Attack surface is approaching infinity (not a real number)
   – “Risk Mitigated” can be both subjective and objective
   – Lacks accuracy (see @djbphaedrus Accuracy vs. Precision…)

Practical Application of ROSI: Examples of Failures...
The Adversary Doesn’t Care About Your ROI/ROSI
• Adversaries don’t care if you spend 4% or 12% of your IT budget on security
• Adversaries are results oriented
• Adversaries care if *they* can get a return on investment from an attack, not you…
ADVERSARY ROI
Why Adversary ROI
• Adversaries want assets - vulnerabilities are a means
• Our attack surface is approaching infinity
• Adversaries have scarce resources too
Adversary ROI Came About By Looking at Risk

A risk requires a threat and a vulnerability that results in a negative consequence.

[Diagram: the three elements of risk (Threat, Vulnerability, Consequence), compared between the Current State of investment and a Proposed State?]

We have finite resources, and must optimize the entire risk equation for our success!
What is a “Threat”?

A Threat is an Actor with a Capability and a Motive.

Threats Are A “Who”, Not a “What”
Solely Managing Vulnerabilities Will Never Win

[Diagram: timeline of a new attack technique and the two adoption curves that follow it]
  1. Exploit for new vulnerability          <- attacker adoption begins here
  2. Vendor starts solution development
  3. Technology solution available
  4. Declared “Best Practice”
  5. Added to compliance regulations        <- defender adoption (Early Adopters, Early Majority, Late Majority, Laggards) trails far behind

Extensive Lag Between Attack Innovation, Solution, and Adoption
Value Favors the Attacker

Are you prepared to address a funded nation state targeting your highest value intellectual property?

[Chart: Attacker Gains plotted against the Typical IT Security Budget (1-12% of IT Budget), across Information Classification: Public; Sensitive, Highly Replicable; Sensitive, Irreplaceable]
The Adversary ROI Equation

                   Attack Value - Cost of the Attack
  Adversary ROI = ----------------------------------- x Probability of Success - Deterrence Measures
                           Cost of the Attack

  where
    Attack Value        = Value of Assets Compromised + Adversary Value of Operational Impact
    Deterrence Measures = % Chance of Getting Caught x Cost of Getting Caught
Adversary ROI Example: Bicycle Theft

[Images: two bicycle-theft scenarios side by side, “OR”]
CATEGORIZING THREAT ACTORS
Dogma: You Don’t Need To Be Faster Than the Bear…
A Modern Pantheon of Adversary Classes

  Actor Classes:  States | Competitors | Organized Crime | Script Kiddies | Terrorists | “Hacktivists” | Insiders | Auditors
  Motivations:    Financial | Industrial | Military | Ideological | Political | Prestige
  Target Assets:  Credit Card #s | Web Properties | Intellectual Property | PII / Identity | Cyber Infrastructure | Core Business Processes
  Impacts:        Reputational | Personal | Confidentiality | Integrity | Availability
  Methods:        “MetaSploit” | DoS | Phishing | Rootkit | SQLi | Auth | Exfiltration | Malware | Physical

Profiling a Particular Actor

(The same five dimensions, used as a template: pick one actor class and fill in its motivations, target assets, impacts and methods, as the following slides do.)
Script Kiddies (aka Casual Adversary)
  Actor:          Skiddie
  Motivation:     Profit, Prestige
  Target Assets:  CCN/Fungible
  Impacts:        Confidentiality, Reputation
  Methods:        “MetaSploit”, SQLi, Phishing

Organized Crime
  Actor:          Organized Crime
  Motivation:     Profit
  Target Assets:  Fungible, Banking
  Impacts:        Confidentiality
  Methods:        Malware, Botnets, Rootkits

Adaptive Persistent Adversaries
  Actor:          State/Espionage
  Motivation:     Industrial/Military
  Target Assets:  Intellectual Property, Trade Secrets, Infrastructure
  Impacts:        Confidentiality, Reputation
  Methods:        Custom Malware, SpearPhishing, Physical, ++

Hacktivists / Chaotic Actors
  Actor:          Chaotic Actor
  Motivation:     Ideological and/or LULZ
  Target Assets:  Web Properties, Individuals, Policy
  Impacts:        Availability, Confidentiality, Reputation, Personal
  Methods:        DoS, SQLi, Phishing

Auditors
  Actor:          Auditor (QSA)
  Motivation:     Profit
  Target Assets:  Credit Card #s
  Impacts:        Distraction, Fines
  Methods:        Checklist
Compare and Contrast Threat Actors

| Dimension         | QSA      | Casual Attacker | Chaotic Actor                                | Org Crime                 | State APT/APA                             |
|-------------------|----------|-----------------|----------------------------------------------|---------------------------|-------------------------------------------|
| Asset Focus       | CCNs     | CCNs…           | Reputation, Dirty Laundry, DDoS/Availability | CCNs, Banking, Fungible $ | IP, Trade Secrets, National Security Data |
| Timeframe         | Annual   | Anytime         | Flash Mobs                                   | Continuous                | Long Cons                                 |
| Target Stickiness | NA       | LOW             | HIGH                                         | LOW                       | HIGH                                      |
| Probability       | 100%     | MED             | ?                                            | HIGH                      | ?                                         |
| “Impact”          | Annual $ | 1 and done      | Relentless                                   | Varies                    | Varies                                    |
Attacker Power - HD Moore’s Law
• Moore’s Law: compute power doubles every 18 months
• HDMoore’s Law: Casual Attacker strength grows at the rate of MetaSploit
HDMoore’s Law

[Chart: Success Rate (%), 0 to 100, against Defender “SecureOns” 1 to 12, with one curve per adversary class: Auditor/Assessor (QSA), Casual Attacker, Anon/Lulz (Chaotic Actors), Organized Crime, Espionage (APT/APA). The deck repeats this chart over several build slides, adding one class at a time.]

http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
APPLICATION IN THE REAL WORLD
Does it Matter Who is Attacking?

[Chart: Top Threat Action Types used to steal INTELLECTUAL PROPERTY AND CLASSIFIED INFORMATION by number of breaches (excludes breaches only involving payment card data, bank account information, personal information, etc). Callout on one action type: “Was #18 in overall DBIR”.]

Source: Verizon Business Security Blog (post-DBIR), 2011
http://securityblog.verizonbusiness.com/2011/06/23/new-views-into-the-2011-dbir/
Impacting Adversary ROI

                   Attack Value - Cost of the Attack
  Adversary ROI = ----------------------------------- x Probability of Success - Deterrence Measures
                           Cost of the Attack

    Attack Value        = Value of Assets Compromised + Adversary Value of Operational Impact
    Deterrence Measures = % Chance of Getting Caught x Cost of Getting Caught

Levers the deck annotates on the equation:
  • It is typically not desirable to make your assets less valuable
  • Increase adversary “Work Effort”
  • Ability to respond and recover is key
  • Impact of getting caught is typically a government issue
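The equation and its levers worked through in code, as an added example that is not from the presenters; which equation term each lever maps to, the normalisation of the deterrence term by attack cost, and all the figures are assumptions of this example.

```python
"""Adversary ROI worked example (added here; not code from the original deck).

Implements the deck's equation

    Adversary ROI = (Attack Value - Cost of Attack) / Cost of Attack
                    x Probability of Success
                    - Deterrence Measures
    Attack Value  = Value of Assets Compromised + Adversary Value of Operational Impact
    Deterrence    = % Chance of Getting Caught x Cost of Getting Caught

and the defender levers the deck points at: raise the adversary's work effort,
lower the probability of success by responding and recovering, and deterrence
(mostly a government lever). One assumption of this example: the deck writes
deterrence as an absolute expected cost, so it is divided by the cost of the
attack here to keep both terms as return per unit the adversary spends.
All figures are constructed sample numbers, not data from the deck.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Attack:
    asset_value: float          # value of assets compromised, as the adversary values them
    operational_impact: float   # adversary value of operational impact
    attack_cost: float          # adversary's cost (work effort), same currency
    p_success: float            # probability of success, 0..1
    p_caught: float             # % chance of getting caught, 0..1
    cost_caught: float          # cost to the adversary of getting caught


def attack_value(a: Attack) -> float:
    return a.asset_value + a.operational_impact


def deterrence(a: Attack) -> float:
    return a.p_caught * a.cost_caught


def adversary_roi(a: Attack) -> float:
    """Return per unit of attack cost; negative means the attack is not worth running."""
    if a.attack_cost <= 0:
        raise ValueError("cost of the attack must be positive")
    for p in (a.p_success, a.p_caught):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    gross_return = (attack_value(a) - a.attack_cost) / a.attack_cost
    return gross_return * a.p_success - deterrence(a) / a.attack_cost


def break_even_attack_cost(a: Attack) -> float:
    """Attack cost at which the adversary's ROI reaches zero with other terms fixed.

    Solving (V - C) * p / C - D / C = 0 for C gives C = V - D / p.  Returns 0.0
    when the attack is unattractive at any positive cost (p == 0 or V * p <= D).
    """
    if a.p_success == 0.0:
        return 0.0
    c = attack_value(a) - deterrence(a) / a.p_success
    return max(c, 0.0)


# Defender levers, each returning a modified copy of the attack.
def raise_work_effort(a: Attack, factor: float) -> Attack:
    """Controls that make the attack more expensive (the deck's "work effort")."""
    return replace(a, attack_cost=a.attack_cost * factor)


def improve_response(a: Attack, p_success: float) -> Attack:
    """Ability to respond and recover lowers the probability the attack pays off."""
    return replace(a, p_success=p_success)


def add_deterrence(a: Attack, p_caught: float, cost_caught: float) -> Attack:
    """Deterrence: raise the chance and/or cost of getting caught."""
    return replace(a, p_caught=p_caught, cost_caught=cost_caught)


# Constructed sample: an adversary who values the take at 100k, spends 10k,
# succeeds 80% of the time and faces a 5% chance of a 200k penalty.
BASELINE = Attack(asset_value=80_000, operational_impact=20_000, attack_cost=10_000,
                  p_success=0.8, p_caught=0.05, cost_caught=200_000)


def compare_levers(a: Attack = BASELINE) -> dict:
    """Adversary ROI under the baseline and under each lever applied alone."""
    return {
        "baseline": adversary_roi(a),
        "work effort x5": adversary_roi(raise_work_effort(a, 5.0)),
        "respond/recover (p_success 0.2)": adversary_roi(improve_response(a, 0.2)),
        "deterrence (p_caught 0.5)": adversary_roi(add_deterrence(a, 0.5, a.cost_caught)),
    }


if __name__ == "__main__":
    for lever, roi in compare_levers().items():
        print(f"{lever:35s} adversary ROI = {roi:+.2f}")
    print(f"break-even attack cost: {break_even_attack_cost(BASELINE):,.0f}")
```

Raising work effort five-fold takes the sample ROI from 6.2 to 0.6 without touching asset value, which is the deck's point that the cost side of the equation is the one defenders actually control.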
Who Are You Playing Against? False Flags

[Image: http://www.flickr.com/photos/pierre_tourigny/367078204/]
VZ DBIR Patching: Evolving Adversary TTPs

“Let’s Patch Faster!”

  2008: 22% Patchable (not 90%)
  2009: 6 of 90 Patchable (6.66%)
  2010: ZERO Patchable [0]

Barking up the wrong tree?

Source: Verizon Business Data Breach Investigations Report (DBIR), Years 2009-2011
SQLi

We spend under $500m

Source: 2011 Verizon Business Data Breach Investigations Report (DBIR)
2011: Attacks Density (4Realz DBIR Style)

“Only 55 of the 630 possible events have a value greater than 0…90% of the threat space was not in play at all”

Source: 2011 Verizon Business Data Breach Investigations Report (DBIR)

2012: Attacks Density (4Realz DBIR Style)

“Only 22 of the 315 possible events have a value greater than 0…93.1% of the threat space was not in play at all”

Source: 2012 Verizon Business Data Breach Investigations Report (DBIR)
2011 VZ DBIR: Non-CCN Asset Type Breakdown

| Asset type               | 2009 (141 incidents) | 2010 (761 incidents) | Delta |
|--------------------------|----------------------|----------------------|-------|
| Intellectual Property    | 10                   | 41                   | +31   |
| National Security Data   | 1                    | 20                   | +19   |
| Sensitive Organizational | 13                   | 81                   | +68   |
| System Information       | ZERO                 | 41                   | +41   |

Source: 2010 & 2011 Verizon Business Data Breach Investigations Report (DBIR)

2012 VZ DBIR: Non-CCN Asset Type Breakdown

| Asset type               | 2009 (141 incidents) | 2010 (761 incidents) | Delta |
|--------------------------|----------------------|----------------------|-------|
| Intellectual Property    | 10                   | 41                   | +31   |
| National Security Data   | 1                    | 20                   | +19   |
| Sensitive Organizational | 13                   | 81                   | +68   |
| System Information       | ZERO                 | 41                   | +41   |

Source: 2012 Verizon Business Data Breach Investigations Report (DBIR)
Think About Work Effort/Factor

What Do You Look Like To Different Adversaries?

Real Life Example from a Defense Industrial Base Company
  Who Are The Threats? | What Do They Want? | What Are Their TTPs?

Deployed Specific Technology and Processes—Forced Adversary to Change TTPs Or Target Other Organizations
Real Life Technology Examples

Work Effort:
  • WebLabyrinth - http://code.google.com/p/weblabyrinth/
  • SCIT: Self Cleansing Intrusion Tolerance - http://cs.gmu.edu/~asood/scit/

Respond and Recover:
  • FOG Computing - http://sneakers.cs.columbia.edu:8080/fog/
  • Honeyports - http://honeyports.sourceforge.net/
    (Photo - http://www.flickr.com/photos/shannonholman/2138613419)

*Neither presenter has any affiliation with these technologies*
Adversary ROI – Getting Non-Security Executives Involved
• What protected or sensitive information do we have?
• Which adversaries desire the information, and why?
• What is the value of the information to the organization?
• How would the adversary value it?
• What are the adversaries’ capabilities?
• What controls protect the information?
How To Apply To Enrich
Current Security Investments
• Enrich incident response
  – Increase aim of incident responders
  – Detect false flags
• Enrich Security Information and Event
  Management (SIEM)
  – Cluster assets or methods by adversary class - new
    "pivots" to interpret security events
• Enrich Budgeting
  – More precision in how you apply investment
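The SIEM pivot and false-flag check described above, as an added example (not the presenters' code) built from the actor profiles given earlier in the deck; the event field names, the weights and the sample events are assumptions of this example.

```python
"""Adversary-class pivot for security events (added example; not the deck's code).

Encodes the deck's actor profiles (Casual Attacker / Script Kiddies, Organized
Crime, Adaptive Persistent Adversaries, Chaotic Actors, Auditors) along three of
the deck's dimensions (target assets, impacts, methods), then scores which class
an observed event best fits, counts events per class (the SIEM "pivot"), and
flags events whose method and target point at different classes (a cue to look
for a false flag before attributing). Event field names, weights and the sample
events are assumptions of this example; values are lower-cased for matching.
"""
from collections import Counter

PROFILES = {
    "Casual Attacker": {                      # Script Kiddies / "Skiddie"
        "methods": {"metasploit", "sqli", "phishing"},
        "assets": {"ccn", "fungible"},
        "impacts": {"confidentiality", "reputation"},
    },
    "Organized Crime": {
        "methods": {"malware", "botnet", "rootkit"},
        "assets": {"ccn", "banking", "fungible"},
        "impacts": {"confidentiality"},
    },
    "APT/APA": {                              # State / Espionage
        "methods": {"custom malware", "spearphishing", "physical"},
        "assets": {"intellectual property", "trade secrets", "infrastructure"},
        "impacts": {"confidentiality", "reputation"},
    },
    "Chaotic Actor": {                        # "Hacktivists"
        "methods": {"dos", "sqli", "phishing"},
        "assets": {"web properties", "individuals", "policy"},
        "impacts": {"availability", "confidentiality", "reputation", "personal"},
    },
    "Auditor/QSA": {
        "methods": {"checklist"},
        "assets": {"ccn"},
        "impacts": {"distraction", "fines"},
    },
}

# Event field -> (profile dimension, weight).  The deck's point is that adversaries
# want assets and that methods are only a means, so the targeted asset weighs most.
DIMENSIONS = {
    "asset": ("assets", 2.0),
    "method": ("methods", 1.0),
    "impact": ("impacts", 1.0),
}


def score_event(event: dict) -> dict:
    """Weighted match score of one event against every actor profile."""
    scores = {}
    for actor, profile in PROFILES.items():
        total = 0.0
        for field, (dim, weight) in DIMENSIONS.items():
            value = (event.get(field) or "").lower()
            if value in profile[dim]:
                total += weight
        scores[actor] = total
    return scores


def classify(event: dict):
    """Best-fitting (actor class, score); ties break on name, no match gives (None, 0.0)."""
    ranked = sorted(score_event(event).items(), key=lambda kv: (-kv[1], kv[0]))
    actor, best = ranked[0]
    return (actor, best) if best > 0 else (None, 0.0)


def cluster_by_adversary(events) -> dict:
    """The SIEM pivot: how many events look like each adversary class."""
    counts = Counter(classify(e)[0] or "Unclassified" for e in events)
    return dict(counts)


def false_flag_signal(event: dict) -> bool:
    """True when the method fits only classes that never target the observed asset.

    Example: a DoS (a chaotic-actor method) aimed at trade secrets (an APT/APA
    asset) deserves a second look before it is attributed to hacktivists.
    """
    method = (event.get("method") or "").lower()
    asset = (event.get("asset") or "").lower()
    by_method = {a for a, p in PROFILES.items() if method in p["methods"]}
    by_asset = {a for a, p in PROFILES.items() if asset in p["assets"]}
    return bool(by_method and by_asset) and by_method.isdisjoint(by_asset)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "method": "SQLi", "asset": "CCN", "impact": "Confidentiality"},
    {"id": 2, "method": "Spearphishing", "asset": "Trade Secrets", "impact": "Confidentiality"},
    {"id": 3, "method": "DoS", "asset": "Web Properties", "impact": "Availability"},
    {"id": 4, "method": "DoS", "asset": "Trade Secrets", "impact": "Availability"},
    {"id": 5, "method": "Malware", "asset": "Banking", "impact": "Confidentiality"},
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        actor, score = classify(e)
        flag = "  <- mixed signals, check for a false flag" if false_flag_signal(e) else ""
        print(f"event {e['id']}: {actor} ({score:.0f}){flag}")
    print("pivot:", cluster_by_adversary(SAMPLE_EVENTS))
```

Event 4 scores equally for APT/APA and Chaotic Actor and trips the false-flag check, which is the kind of event the deck wants incident responders to aim at rather than file under the first label that fits.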
Apply: Final Thoughts
• Start with a blank slate!
• Engage non-security people
• Identify your most likely adversaries
• Obtain/share adversary-centric intel
    – Threat Intelligence
    – Brand/chatter monitoring
    – Information sharing
• Simulate adversary-driven scenarios
    – Table tops/role playing (w/ Crisis Management)
    – Adversary-Centric Penetration Testing
Thank You / Contact
      Josh Corman                     David Etue
      @joshcorman                      @djetue
 blog.cognitivedissidents.com      profile.david.etue.net
                     Actor Classes
                      Motivations
                     Target Assets
                         Impacts
                        Methods

Editor's Notes

  1. Economics is the study of how society allocates scarce resources and goods. A well managed Info/Cyber/Security/Assurance program requires intelligent allocation of scarce resources – we can not protect everything. We can't build the entire airplane out of the "black box".
  2. Most organizations, especially large corporations, use Return on Investment (ROI) to make investment decisions. ROI gave us a framework to talk to non-security people about the benefits of security investments.
  3. When our attack surfaces approach infinity, it's easier to manage threats. CONTROL QUOTIENT. Most security programs focus solely on vulnerability management, which is necessary but insufficient. Technology changes at a high rate of speed, making vulnerability a moving target. The adversary community changes faster than defenders. Attacks quickly move to the most porous layer. End users are likely to remain a significant vulnerability.
  4. Classes of actors can be identified (and even particular actors in some cases). Capabilities can be estimated (and potentially managed by working with Governments and Law Enforcement). Motive can be analyzed via "Adversary ROI".
  5. Rorschach Test: http://en.wikipedia.org/wiki/Rorschach_test We see in Anonymous what we WANT to see. We project. Our perceptions say more about us than they do about the multitude of subgroups/causes in Anonymous.
  6. Serenity prayer
  7. The 2009 REPORT… has data from calendar year 2008… make sense?VERBALLY – or maybe add… the 2012 report on 2011 incidents… saw 3 or 5 or 6 (single digit) that were patchable