Cost of Attack
Prioritize security investments by the
cost and impact on attacker operations
https://aka.ms/markslist | @MarkSimos
Security is complex and challenging
Attackers have a lot of options
Forcing security into a holistic
Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies
Threats – Continuously changing threat landscape
Security Tools – dozens or hundreds of tools at customers
Must secure across everything
Brand New - IoT, DevOps, and Cloud services, devices and products
Current/Aging - 5-25 year old enterprise IT servers, products, etc.
Legacy/Ancient - 30+ year old Operational Technology (OT) systems
Nothing gets retired!
Usually for fear of breaking
something (& getting blamed)
Hybrid of Everything, Everywhere, All at Once
‘Data swamp’ accumulates
managed data + unmanaged ‘dark’ data
10 Laws of Cybersecurity Risk
Not keeping up is falling
Productivity always wins
Attackers don't care
Ruthless Prioritization is a
Cybersecurity is a team sport
Your network isn’t as
trustworthy as you think it is
Isolated networks aren’t
Encryption alone isn’t a data
Technology doesn't solve
people & process problems
Security success is ruining the
attacker ROI (return on investment)
Cost of Attack
What it is – Analysis of the relative cost / friction to attack your
assets & overall attacker return on investment (ROI)
Prevalence – Relatively new concept that builds on
existing security ROI concept
Primary Use Cases –
• Helps remove biases in defender thinking by requiring consideration of attacker perspective (and triggering
them to see attackers as adaptable and pragmatic humans)
• Increases accuracy of security defense prioritization – by allowing defenders to better predict changes in
attacker behavior (in response to planned/potential defense changes)
Known limitations –
• Prioritization also needs to consider other factors including implementation cost, value of assets, ability to
effectively implement and operate defenses, etc.
• Estimation typically restricted to ordinal numbers (can’t be used accurately to add/multiply/etc.)
Defenders must focus on
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls
Phishing email to admin
Looks like they have
NGFW, IDS/IPS, and DLP
I bet their admins
1. Check email from
2. Click on links for
higher paying jobs
Now, let’s see if admins save
service account passwords
in a spreadsheet…
• Workload identities
Sensitive Data Protection & Monitoring
• Discover business critical assets with business,
technology, and security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection
Modernize Security Operations
• Add XDR for identity, endpoint (EDR),
cloud apps, and other paths
• Train SecOps analysts on endpoints and
identity authentication flows
Protect Privileged Accounts
Require separate accounts for Admins
and enforce MFA/passwordless
Privileged Access Workstations (PAWs)
+ enforce with Conditional Access
Rigorous Security Hygiene
• Rapid Patching
• Secure Configuration
• Secure Operational Practices
• Insider Coercion/Extortion
• Impersonate via Device/
• Insider Coercion/Extortion • Insider Coercion/Extortion
with sophisticated execution
For more details, see https://aka.ms/spa-account
Example: Account Security
• Password spray / brute force
• Password theft
• Insider Coercion/Extortion
• Impersonate via Device/
Your budget spend should result in
increased attacker cost/friction
Disrupting Attacker Return on Investment (ROI)
• Attackers invest into attacks to get a return (money,
prestige, promotions, etc.)
• Disrupt attackers from getting to their goals with
A. Strong security controls + rapid response
B. Effective placement of controls
C. Continuously testing & monitoring controls
• Prioritize security investments (time, money, attention)
using attacker cost and your cost
• Attacker Cost / Disruption - increase attack friction/cost and reduce
likelihood of success (past some attackers’ breaking points)
• Defender Cost – Practical, effective, and cost-effective (cheap) defenses
These slides are excerpts from Microsoft Security Architecture
Design Session (ADS) Module 1 available through Microsoft Unified
Key Takeaway: These 10 Laws of Cybersecurity Risk provides a good guideline for security architecture and design
Security success is ruining the attacker ROISecurity can’t achieve an absolutely secure state so deter attackers by disrupting and degrading their ability to realize Return on Investment (ROI). Increase the attacker’s cost and decreasing the attacker’s return for your most important assets.
Not keeping up is falling behindSecurity is a continuous journey and if you aren't staying current, it will continually get cheaper and cheaper for attackers to successfully take control of your assets. You must continually update your security patches, security strategies, threat awareness, inventory, security tooling, security hygiene, security monitoring, permission models, and anything else that changes over time.
Productivity always winsIf security isn’t easy for users, they will work around it to get their job done. Always make sure solutions are secure and usable.
Attackers don't careAttackers are willing to use any available method to get into your environment and increase control over it including compromising a networked printer, a fish tank thermometer, a cloud service, a PC, a Server, a Mac, a mobile device, use of a malicious insider, use of a configuration mistake, or just asking for passwords in a phishing email. Your job is to understand and take away the easiest and cheapest options as well as the most useful ones (e.g. anything that leads to administrative privileges across many systems).
Ruthless Prioritization is a survival skillNobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to the organization, most interesting to attackers, and continuously update this prioritization. CLICK 1
Cybersecurity is a team sportNobody can do it all, so always focus on the things that only you (or your organization) can do to protect the organization's mission. For things that others can do better or cheaper, have them do it (security vendors, cloud providers, community)
Your network isn’t a trustworthy as you think it isA security strategy that relies on passwords and trusting any intranet device is only marginally better than no security strategy at all. Attackers easily evade these defenses so the trust level of each device, user, and application must be proven and validated continuously starting with a level of zero trust
Isolated networks aren’t automatically secureWhile air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be completely isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations to address potential connectivity via methods such as USB media (e.g. required for patches), bridges to intranet network, and external devices (e.g. vendor laptops on a production line), and insider threats that could circumvent all technical controls.
Encryption alone isn’t a data protection solutionEncryption protects against out of band attacks (on network packets, files, storage, etc.), but data is only as secure as the decryption key (key strength + protections from theft/copying) and other authorized means of access.
Technology doesn't solve people and process problemsWhile machine learning, artificial intelligence, and other technologies offer amazing leaps forward in security (if applied correctly), cybersecurity is a human challenge and will never be solved by technology alone.
For reference, these are the Immutable Laws of Security v2.1 (Technical Focus)
Law #1: If a bad actor can persuade you to run their program on your computer, it's not solely your computer anymore. Law #2: If a bad actor can alter the operating system on your computer, it's not your computer anymore. Law #3: If a bad actor has unrestricted physical access to your computer, it's not your computer anymore. Law #4: If you allow a bad actor to run active content in your website, it's not your website any more. Law #5: Weak passwords trump strong security. Law #6: A computer is only as secure as the administrator is trustworthy. Law #7: Encrypted data is only as secure as its decryption key. Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all. Law #9: Absolute anonymity isn't practically achievable, online or offline. Law #10: Technology is not a panacea.
UNFINISHED SLIDE NOTES
Security does require strong controls, but it also requires you to carefully place those controls on all paths that attackers can use.
You must also be ready to rapidly respond to attacks so that you can contain any success as they have very quickly.
And you must constantly test and validate your controls to ensure that they will work when attackers attack.
Security is all about disrupting attackers return on investment (ROI)
increase attacker cost/friction
lower the returns on investment for an attack (access/change less data, less sensitive data or gain access to less valuable systems
Most of the time via cost of attack?
Let’s take a look at this through the eyes of an attacker and use real examples.
Attackers will quickly figure out that an organization has NexGen firewalls (NGFW), intrusion detection/prevention systems (IDS/IPS), Xxxxxxxxx
Going directly after these resources is generally a high cost of attack for them (unless your organization isn’t applying security updates and configuration best practices to your edge devices)
A common tactic that attackers use to get around this is to target IT administrators with fishing attacks. Who wouldn’t be tempted to click on the link that promised hire pay for a similar job role at another company?
Most IT admin‘s at most organizations use their administrative desktop for day-to-day email and web browsing, meaning that a successful attack or compromise through that fishing link would actually lead to control of the administrative desktop and all the credentials on it(including the administrative credentials that have privileges throughout the environment).
Now let’s say that they don’t get admin accounts right away the attacker would go ahead and explore the local system and search for things like “passwords.XLS“, which is a common way that IT admin‘s use to store service account and other credentials
Once the attackers have access to this, it is fairly easy for them to silently access all of the business systems and data that they want for stealing it, altering it, or encrypting it for the purposes of a ransomware extortion payment. Most organizations do not have (rigorous) monitoring of these accounts and how they are used, making them blind to anomalous usage like this.
UNFINISHED SLIDE NOTES
So what kinds of technical controls can help an organization mitigate these risks?
First, applying security controls to the Business Critical assets that matter most to the organization so that they have elevated preventive controls and monitoring/response processes to quickly block, detect, and recover from attacks on them.
Next, focusing on privileged accounts that has access to all assets across the organization and all of the means to gain control of them (such as compromising the admin‘s desktop, The storage of service account passwords, etc.)
Applying security hygiene like patching, configuration validation, and establishing safe standard processes for administrative practices.
Updating security operations tools, skills, and processes so that they are monitoring anomalies at the identity, application, data, and other layers in addition to monitoring for Network layer anomalies
Think of all controls as “parts of a whole” defense
Flip the “get 99% right and do one thing wrong” onto the attacker
Highlight ADS is built to show how to do this with identiy/access, SOC, infra, etc.
Key Takeaway – Defenders should be focusing on ruining the attacker's model by raising the cost of attack.
The example here describes how to increase the cost of attacking a users or admin‘s account.
Increasing the cost of attack is designed to shift the landscape of security and the return on investment for attackers
This changes the:
“Defenders dilemma” – one mistake in your defenses and the adversary will be successful anyways, sending defenders ‘back to the drawing board’
“Attackers Dilemma” – one mistake in your attack campaign will undo the hard work put into the attack - planning, researching, finding/purchasing vulnerabilities, etc. and send the attackers ‘back to the drawing board’
You should block the cheapest path to techniques first. These are attack techniques that have been used against you, your industry peers in others in industry.
Blocking these will rapidly raise the cost to attack your environment
You need good detection and response processes/capabilities to limit the time and freedom of attackers to conduct attacks while on your environment and to explore while they are there.
These capabilities will also quickly raise the cost to attack your environment
Other investments should default to a lower priority than known attacks and detection/response. Once you have solid detection/response in place and key defenses against known attacks, your investments can start shifting toward potential and future attacks, but this is not a luxury most organizations can afford in their security budget or as an acceptable risk.
Consider your full return on investment - When evaluating security investments, you should also consider the level of effort required. Consider if the security activity will consume a high amount of team time and resources (e.g. manual certificate management) that would be better spent on more effective defenses (e.g. applying patches, hunting for threats, implementing a different solution for device identity, etc.)
Key Takeaway –focusing on raising cost of attack for attackers makes your organization more resilient to cybersecurity risk
Various types of attackers have different thresholds of cost of attack that they can withstand in the pursuit of their objectives (mission and money driven alike)
A defender’s budget should raise the cost of attack for all types of attackers (who may be specifically targeting the organization or opportunistically targeting many organizations)
Microsoft is focusing on simplifying the application and integration of advanced security techniques so that many organizations can benefit from these capabilities and help increase attacker cost.
Organized crime (especially ransomware/extortion gangs) can have a budget in excess of many nation state actors, but they are focused on profit opportunities so they are often less determined to compromise a specific organization than a nation state actor.
Key Takeaway: Cost of attack is a useful and powerful tool for guiding decisions despite some serious limitations on precisely measuring it.
While the term “cost” in cost of attack frequently makes people expect that it is a clear “ratio” measurement like any other business costs in a budget spreadsheet, the precise number is actually very difficult to obtain and calculate. This is because attackers rarely publish these numbers (except occasionally in secretive dark markets / online forums). Additionally, the cost of attack for any given organization can vary considerably from another one and wouldn’t normally be posted in these markets.
Despite this limitation, cost of attack can be very useful for organization as they consider and select security initiatives and capabilities to invest in.
Many organizations purchase security products for advanced features and capabilities (which often require further investment in training and operational staff). These organizations rarely ask whether these capabilities will add more friction/cost to for the top attack profiles vs. other alternatives such as
investment into security hygiene (like applying security patches)
lower cost initiative that uses existing security data/tools
Consolidate technical solutions to lower the burden on analysts and increase their ability to detect and respond to threats
A business may find it more effective (and cost effective) to implement business processes for employees handling money transfers (e.g. phone call with someone who recognizes the CFO’s voice) vs. investing in expensive technical controls.