Advertisement
Cost of Attack
Cost of Attack
Cost of Attack
Cost of Attack
Cost of Attack
Cost of Attack
Cost of Attack
Cost of Attack
Cost of Attack
Cost of Attack

Check these out next

New trends in video analytics and surveillance systems for the mining industry
New trends in video analytics and surveillance systems for the mining industry
Schneider Electric
Business Continuity And Disaster Recovery Notes
Business Continuity And Disaster Recovery Notes
Alan McSweeney
High availability of azure applications(paas)
High availability of azure applications(paas)
Himanshu Sahu
Secure your M365 resources using Azure AD Identity Governance
Secure your M365 resources using Azure AD Identity Governance
Vignesh Ganesan I Microsoft MVP
Securing sensitive data with Azure Key Vault
Securing sensitive data with Azure Key Vault
Tom Kerkhove
06. security concept
06. security concept
Muhammad Ahad
CISSP Cheatsheet.pdf
CISSP Cheatsheet.pdf
shyedshahriar
CISSP - Software Development Security
CISSP - Software Development Security
Karthikeyan Dhayalan
1 of 10

Cost of Attack

Mar. 23, 2023
Download to read offline
Technology

Slides describing using Cost of Attack to prioritize cybersecurity investments. This visually illustrates the concept using Age of Empires II screenshots.

Mark Simos
Advertisement
Advertisement
Advertisement

Recommended

CISA Training - Chapter 4 - 2016CISA Training - Chapter 4 - 2016
CISA Training - Chapter 4 - 2016Hafiz Sheikh Adnan Ahmed3.6K views71 slides
Data Center SecurityData Center Security
Data Center Securitydevalnaik3K views24 slides
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com1.8K views33 slides
Office 365 Security Best PracticesOffice 365 Security Best Practices
Office 365 Security Best PracticesCommunity IT Innovators1.7K views34 slides
Imds Comp CreationImds Comp Creation
Imds Comp CreationOscar Padilla936 views11 slides
A complete guide to azure storageA complete guide to azure storage
A complete guide to azure storageHimanshu Sahu1.5K views30 slides

More Related Content

Slideshows for you(20)

New trends in video analytics and surveillance systems for the mining industryNew trends in video analytics and surveillance systems for the mining industry
New trends in video analytics and surveillance systems for the mining industry
Schneider Electric2.2K views
Business Continuity And Disaster Recovery NotesBusiness Continuity And Disaster Recovery Notes
Business Continuity And Disaster Recovery Notes
Alan McSweeney11.5K views
High availability of azure applications(paas)High availability of azure applications(paas)
High availability of azure applications(paas)
Himanshu Sahu1.4K views
Secure your M365 resources using Azure AD Identity GovernanceSecure your M365 resources using Azure AD Identity Governance
Secure your M365 resources using Azure AD Identity Governance
Vignesh Ganesan I Microsoft MVP306 views
Securing sensitive data with Azure Key VaultSecuring sensitive data with Azure Key Vault
Securing sensitive data with Azure Key Vault
Tom Kerkhove3.4K views
06. security concept06. security concept
06. security concept
Muhammad Ahad1.8K views
CISSP Cheatsheet.pdfCISSP Cheatsheet.pdf
CISSP Cheatsheet.pdf
shyedshahriar199 views
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development Security
Karthikeyan Dhayalan4.1K views
IQBBA® - Foundation Level Business AnalystIQBBA® - Foundation Level Business Analyst
IQBBA® - Foundation Level Business Analyst
Mirosław Dąbrowski C-level IT manager, CEO, Agile, ICF Coach, Speaker5.4K views
Cism course pptCism course ppt
Cism course ppt
sophiarock1235.6K views
Security and Compliance for Exchange Online in Office 365Security and Compliance for Exchange Online in Office 365
Security and Compliance for Exchange Online in Office 365
Quentin Christensen2.1K views
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud Security
Alert Logic 540 views
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting Started
Taswar Bhatti4.5K views
Cloud securityCloud security
Cloud security
François Boucher2.4K views
MISRA Safety Case Guidelines - MISRA Safety Case Guidelines -
MISRA Safety Case Guidelines -
Automotive IQ6K views
ISO 22301 Business Continuity ManagementISO 22301 Business Continuity Management
ISO 22301 Business Continuity Management
Ramiro Cid21.6K views
CMMC 2.0 Explained: Impact for SMBsCMMC 2.0 Explained: Impact for SMBs
CMMC 2.0 Explained: Impact for SMBs
Ignyte Assurance Platform197 views
Cloud governance - theory and toolsCloud governance - theory and tools
Cloud governance - theory and tools
Antti Arnell798 views
Data Center SecurityData Center Security
Data Center Security
Cisco Canada5.8K views
63 Requirements for CASB63 Requirements for CASB
63 Requirements for CASB
Kyle Watson2.9K views

Similar to Cost of Attack(20)

How To Secure MISHow To Secure MIS
How To Secure MIS
AaDi Malik782 views
Management Information System PresentationManagement Information System Presentation
Management Information System Presentation
AaDi Malik458 views
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
rbrockway2.2K views
InsiderAttack_p3.pptInsiderAttack_p3.ppt
InsiderAttack_p3.ppt
VaishnavGhadge15 views
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
SafeNet1.7K views
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
Andris Soroka1.1K views
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer23 views
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CloudIDSummit689 views
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
Core Security Technologies277 views
Daniel Grabski | Microsofts cybersecurity storyDaniel Grabski | Microsofts cybersecurity story
Daniel Grabski | Microsofts cybersecurity story
Microsoft Österreich218 views
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
Microsoft - Human-Operated Ransomware Mitigation Project Plan #nice #template...
powerofgametest48 views
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Sreejesh Madonandy403 views
Webinar: Microsoft 365 - Your Gateway to Data Loss PreventionWebinar: Microsoft 365 - Your Gateway to Data Loss Prevention
Webinar: Microsoft 365 - Your Gateway to Data Loss Prevention
WithumSmith+Brown, formerly Portal Solutions220 views
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
Digital Bond1.6K views
Cloud Security Zen: Principles to Meditate OnCloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate On
Samuel Reed165 views
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson207 views
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
Hinne Hettema349 views
PPT for CEO.pptxPPT for CEO.pptx
PPT for CEO.pptx
ConsultantPartha4 views
Top reasons why Endpoint Security should move to Cloud | SysforeTop reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | Sysfore
Sysfore Technologies29 views
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale445 views
Advertisement

Recently uploaded(20)

Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdfDesigning and Managing IoT Devices for Rapid Deployment - Webinar.pdf
Designing and Managing IoT Devices for Rapid Deployment - Webinar.pdf
ICS0 views
Unlock the power of MLOps.pdfUnlock the power of MLOps.pdf
Unlock the power of MLOps.pdf
StephenAmell40 views
UV Printers Are Able to Create Children's Educational Toys.docxUV Printers Are Able to Create Children's Educational Toys.docx
UV Printers Are Able to Create Children's Educational Toys.docx
Fei Yue Digital Technology Co., Limited.0 views
technology-140611171318-phpapp02 (1).pptxtechnology-140611171318-phpapp02 (1).pptx
technology-140611171318-phpapp02 (1).pptx
jaspreetkaur9080490 views
Ion Sources and BeamsIon Sources and Beams
Ion Sources and Beams
DrAlirezaGanjovi0 views
Phrase break prediction with bidirectional encoder representations in Japanes...Phrase break prediction with bidirectional encoder representations in Japanes...
Phrase break prediction with bidirectional encoder representations in Japanes...
Kosuke Futamata0 views
GIGALIGHT-Optical Transceiver SiPh MZ Quad Operating Point LockingGIGALIGHT-Optical Transceiver SiPh MZ Quad Operating Point Locking
GIGALIGHT-Optical Transceiver SiPh MZ Quad Operating Point Locking
Gigalight0 views
3.5.+Core+Concepts+and+the+Business+Analyst's+Role.pdf3.5.+Core+Concepts+and+the+Business+Analyst's+Role.pdf
3.5.+Core+Concepts+and+the+Business+Analyst's+Role.pdf
Jess Rodriguez0 views
The Benefits of Adopting the Lamp Tech Stack: A Comprehensive Guide:The Benefits of Adopting the Lamp Tech Stack: A Comprehensive Guide:
The Benefits of Adopting the Lamp Tech Stack: A Comprehensive Guide:
Brain Inventory0 views
CRYPTO-BIKE Pitch deck.pdfCRYPTO-BIKE Pitch deck.pdf
CRYPTO-BIKE Pitch deck.pdf
CryptoBikeMailer0 views
Cloud Forensics and Incident Response Training.pdfCloud Forensics and Incident Response Training.pdf
Cloud Forensics and Incident Response Training.pdf
Christopher Doman0 views
5G New Radio Architecture.pdf5G New Radio Architecture.pdf
5G New Radio Architecture.pdf
Karthick Rajagopal0 views
W-6-7-Ch-5-Tank Suspension system.pptxW-6-7-Ch-5-Tank Suspension system.pptx
W-6-7-Ch-5-Tank Suspension system.pptx
vishnoo70 views
synthesisofevidenceresource.pdfsynthesisofevidenceresource.pdf
synthesisofevidenceresource.pdf
abdelkhaleqelhaddad50 views
Temporary Tattoo.pdfTemporary Tattoo.pdf
Temporary Tattoo.pdf
DevDeshpande20 views
trackingSpoofedIp.pptxtrackingSpoofedIp.pptx
trackingSpoofedIp.pptx
BincySam20 views
Ultimate list of IT Services that can be outsourced.pptxUltimate list of IT Services that can be outsourced.pptx
Ultimate list of IT Services that can be outsourced.pptx
Sagar Salvi0 views
Change your architecture during deploymentChange your architecture during deployment
Change your architecture during deployment
Dennis van der Stelt0 views
Trane THT2212-SPST Therm Cutoff; 265Op 35C-PartsHnC.pdfTrane THT2212-SPST Therm Cutoff; 265Op 35C-PartsHnC.pdf
Trane THT2212-SPST Therm Cutoff; 265Op 35C-PartsHnC.pdf
PartsHnC Hvac Parts0 views
wasp_2023.pdfwasp_2023.pdf
wasp_2023.pdf
Felix Dobslaw0 views

Cost of Attack

  1. Cost of Attack Prioritize security investments by the cost and impact on attacker operations Mark Simos https://aka.ms/markslist | @MarkSimos
  2. Security is complex and challenging Infrastructure Application Data People Attackers have a lot of options  Forcing security into a holistic complex approach  Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies  Threats – Continuously changing threat landscape  Security Tools – dozens or hundreds of tools at customers Must secure across everything  Brand New - IoT, DevOps, and Cloud services, devices and products  Current/Aging - 5-25 year old enterprise IT servers, products, etc.  Legacy/Ancient - 30+ year old Operational Technology (OT) systems Nothing gets retired! Usually for fear of breaking something (& getting blamed) Hybrid of Everything, Everywhere, All at Once ‘Data swamp’ accumulates managed data + unmanaged ‘dark’ data
  3. 10 Laws of Cybersecurity Risk Not keeping up is falling behind Productivity always wins Attackers don't care Ruthless Prioritization is a survival skill Cybersecurity is a team sport Your network isn’t as trustworthy as you think it is Isolated networks aren’t automatically secure Encryption alone isn’t a data protection solution Technology doesn't solve people & process problems http://aka.ms/SecurityLaws 10 9 8 7 6 5 4 3 2 Security success is ruining the attacker ROI (return on investment) 1
  4. Cost of Attack What it is – Analysis of the relative cost / friction to attack your assets & overall attacker return on investment (ROI) Prevalence – Relatively new concept that builds on existing security ROI concept Primary Use Cases – • Helps remove biases in defender thinking by requiring consideration of attacker perspective (and triggering them to see attackers as adaptable and pragmatic humans) • Increases accuracy of security defense prioritization – by allowing defenders to better predict changes in attacker behavior (in response to planned/potential defense changes) Known limitations – • Prioritization also needs to consider other factors including implementation cost, value of assets, ability to effectively implement and operate defenses, etc. • Estimation typically restricted to ordinal numbers (can’t be used accurately to add/multiply/etc.)
  5. Defenders must focus on A. Strong security controls + effective placement B. Rapid response to attacks C. Continuously testing & monitoring controls
  6. Phishing email to admin Looks like they have NGFW, IDS/IPS, and DLP I bet their admins 1. Check email from admin workstations 2. Click on links for higher paying jobs Low Found passwords.xls Now, let’s see if admins save service account passwords in a spreadsheet… High
  7. Replace password.xls ‘process’ with • PIM/PAM • Workload identities Sensitive Data Protection & Monitoring • Discover business critical assets with business, technology, and security teams • Increase security protections and monitoring processes • Encrypt data with Azure Information Protection Modernize Security Operations • Add XDR for identity, endpoint (EDR), cloud apps, and other paths • Train SecOps analysts on endpoints and identity authentication flows Protect Privileged Accounts Require separate accounts for Admins and enforce MFA/passwordless Privileged Access Workstations (PAWs) + enforce with Conditional Access Rigorous Security Hygiene • Rapid Patching • Secure Configuration • Secure Operational Practices
  8. • Insider Coercion/Extortion • Impersonate via Device/ Workstation Compromise • Insider Coercion/Extortion • Insider Coercion/Extortion with sophisticated execution For more details, see https://aka.ms/spa-account Example: Account Security • Password spray / brute force • Password theft • Insider Coercion/Extortion • Impersonate via Device/ Workstation Compromise
  9. Your budget spend should result in increased attacker cost/friction Measurability limitations
  10. Disrupting Attacker Return on Investment (ROI) • Attackers invest into attacks to get a return (money, prestige, promotions, etc.) • Disrupt attackers from getting to their goals with A. Strong security controls + rapid response B. Effective placement of controls C. Continuously testing & monitoring controls • Prioritize security investments (time, money, attention) using attacker cost and your cost • Attacker Cost / Disruption - increase attack friction/cost and reduce likelihood of success (past some attackers’ breaking points) • Defender Cost – Practical, effective, and cost-effective (cheap) defenses These slides are excerpts from Microsoft Security Architecture Design Session (ADS) Module 1 available through Microsoft Unified

Editor's Notes

  1. Key Takeaway: These 10 Laws of Cybersecurity Risk provides a good guideline for security architecture and design Security success is ruining the attacker ROI Security can’t achieve an absolutely secure state so deter attackers by disrupting and degrading their ability to realize Return on Investment (ROI). Increase the attacker’s cost and decreasing the attacker’s return for your most important assets. Not keeping up is falling behind Security is a continuous journey and if you aren't staying current, it will continually get cheaper and cheaper for attackers to successfully take control of your assets.  You must continually update your security patches, security strategies, threat awareness, inventory, security tooling, security hygiene, security monitoring, permission models, and anything else that changes over time. Productivity always wins If security isn’t easy for users, they will work around it to get their job done. Always make sure solutions are secure and usable. Attackers don't care Attackers are willing to use any available method to get into your environment and increase control over it including compromising a networked printer, a fish tank thermometer, a cloud service, a PC, a Server, a Mac, a mobile device, use of a malicious insider, use of a configuration mistake, or just asking for passwords in a phishing email. Your job is to understand and take away the easiest and cheapest options as well as the most useful ones (e.g. anything that leads to administrative privileges across many systems). Ruthless Prioritization is a survival skill Nobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to the organization, most interesting to attackers, and continuously update this prioritization. CLICK 1 Cybersecurity is a team sport Nobody can do it all, so always focus on the things that only you (or your organization) can do to protect the organization's mission. For things that others can do better or cheaper, have them do it (security vendors, cloud providers, community) Your network isn’t a trustworthy as you think it is A security strategy that relies on passwords and trusting any intranet device is only marginally better than no security strategy at all. Attackers easily evade these defenses so the trust level of each device, user, and application must be proven and validated continuously starting with a level of zero trust Isolated networks aren’t automatically secure While air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be completely isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations to address potential connectivity via methods such as USB media (e.g. required for patches), bridges to intranet network, and external devices (e.g. vendor laptops on a production line), and insider threats that could circumvent all technical controls. Encryption alone isn’t a data protection solution Encryption protects against out of band attacks (on network packets, files, storage, etc.), but data is only as secure as the decryption key (key strength + protections from theft/copying) and other authorized means of access. Technology doesn't solve people and process problems While machine learning, artificial intelligence, and other technologies offer amazing leaps forward in security (if applied correctly), cybersecurity is a human challenge and will never be solved by technology alone. Additional Information For reference, these are the Immutable Laws of Security v2.1 (Technical Focus)  Law #1: If a bad actor can persuade you to run their program on your computer, it's not solely your computer anymore. Law #2: If a bad actor can alter the operating system on your computer, it's not your computer anymore. Law #3: If a bad actor has unrestricted physical access to your computer, it's not your computer anymore. Law #4: If you allow a bad actor to run active content in your website, it's not your website any more. Law #5: Weak passwords trump strong security. Law #6: A computer is only as secure as the administrator is trustworthy. Law #7: Encrypted data is only as secure as its decryption key. Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all. Law #9: Absolute anonymity isn't practically achievable, online or offline. Law #10: Technology is not a panacea.
  2. UNFINISHED SLIDE NOTES Security does require strong controls, but it also requires you to carefully place those controls on all paths that attackers can use. You must also be ready to rapidly respond to attacks so that you can contain any success as they have very quickly. And you must constantly test and validate your controls to ensure that they will work when attackers attack. Security is all about disrupting attackers return on investment (ROI) increase attacker cost/friction lower the returns on investment for an attack (access/change less data, less sensitive data or gain access to less valuable systems Most of the time via cost of attack?
  3. Let’s take a look at this through the eyes of an attacker and use real examples. Attackers will quickly figure out that an organization has NexGen firewalls (NGFW), intrusion detection/prevention systems (IDS/IPS), Xxxxxxxxx Going directly after these resources is generally a high cost of attack for them (unless your organization isn’t applying security updates and configuration best practices to your edge devices) A common tactic that attackers use to get around this is to target IT administrators with fishing attacks. Who wouldn’t be tempted to click on the link that promised hire pay for a similar job role at another company? Most IT admin‘s at most organizations use their administrative desktop for day-to-day email and web browsing, meaning that a successful attack or compromise through that fishing link would actually lead to control of the administrative desktop and all the credentials on it(including the administrative credentials that have privileges throughout the environment). Now let’s say that they don’t get admin accounts right away the attacker would go ahead and explore the local system and search for things like “passwords.XLS“, which is a common way that IT admin‘s use to store service account and other credentials Once the attackers have access to this, it is fairly easy for them to silently access all of the business systems and data that they want for stealing it, altering it, or encrypting it for the purposes of a ransomware extortion payment. Most organizations do not have (rigorous) monitoring of these accounts and how they are used, making them blind to anomalous usage like this.
  4. UNFINISHED SLIDE NOTES So what kinds of technical controls can help an organization mitigate these risks? First, applying security controls to the Business Critical assets that matter most to the organization so that they have elevated preventive controls and monitoring/response processes to quickly block, detect, and recover from attacks on them. Next, focusing on privileged accounts that has access to all assets across the organization and all of the means to gain control of them (such as compromising the admin‘s desktop, The storage of service account passwords, etc.) Applying security hygiene like patching, configuration validation, and establishing safe standard processes for administrative practices. Updating security operations tools, skills, and processes so that they are monitoring anomalies at the identity, application, data, and other layers in addition to monitoring for Network layer anomalies Think of all controls as “parts of a whole” defense Flip the “get 99% right and do one thing wrong” onto the attacker Highlight ADS is built to show how to do this with identiy/access, SOC, infra, etc.
  5. Key Takeaway – Defenders should be focusing on ruining the attacker's model by raising the cost of attack. The example here describes how to increase the cost of attacking a users or admin‘s account. Increasing the cost of attack is designed to shift the landscape of security and the return on investment for attackers This changes the: “Defenders dilemma” – one mistake in your defenses and the adversary will be successful anyways, sending defenders ‘back to the drawing board’ To an “Attackers Dilemma” – one mistake in your attack campaign will undo the hard work put into the attack - planning, researching, finding/purchasing vulnerabilities, etc. and send the attackers ‘back to the drawing board’ CLICK 1 You should block the cheapest path to techniques first. These are attack techniques that have been used against you, your industry peers in others in industry. Blocking these will rapidly raise the cost to attack your environment CLICK 2 You need good detection and response processes/capabilities to limit the time and freedom of attackers to conduct attacks while on your environment and to explore while they are there. These capabilities will also quickly raise the cost to attack your environment CLICK 3 Other investments should default to a lower priority than known attacks and detection/response. Once you have solid detection/response in place and key defenses against known attacks, your investments can start shifting toward potential and future attacks, but this is not a luxury most organizations can afford in their security budget or as an acceptable risk. Consider your full return on investment - When evaluating security investments, you should also consider the level of effort required. Consider if the security activity will consume a high amount of team time and resources (e.g. manual certificate management) that would be better spent on more effective defenses (e.g. applying patches, hunting for threats, implementing a different solution for device identity, etc.)
  6. Key Takeaway –focusing on raising cost of attack for attackers makes your organization more resilient to cybersecurity risk Various types of attackers have different thresholds of cost of attack that they can withstand in the pursuit of their objectives (mission and money driven alike) CLICK 1 A defender’s budget should raise the cost of attack for all types of attackers (who may be specifically targeting the organization or opportunistically targeting many organizations) CLICK 2 Microsoft is focusing on simplifying the application and integration of advanced security techniques so that many organizations can benefit from these capabilities and help increase attacker cost. Additional Information Organized crime (especially ransomware/extortion gangs) can have a budget in excess of many nation state actors, but they are focused on profit opportunities so they are often less determined to compromise a specific organization than a nation state actor.
  7. Key Takeaway: Cost of attack is a useful and powerful tool for guiding decisions despite some serious limitations on precisely measuring it. While the term “cost” in cost of attack frequently makes people expect that it is a clear “ratio” measurement like any other business costs in a budget spreadsheet, the precise number is actually very difficult to obtain and calculate. This is because attackers rarely publish these numbers (except occasionally in secretive dark markets / online forums). Additionally, the cost of attack for any given organization can vary considerably from another one and wouldn’t normally be posted in these markets. Despite this limitation, cost of attack can be very useful for organization as they consider and select security initiatives and capabilities to invest in. Some examples Many organizations purchase security products for advanced features and capabilities (which often require further investment in training and operational staff). These organizations rarely ask whether these capabilities will add more friction/cost to for the top attack profiles vs. other alternatives such as investment into security hygiene (like applying security patches) lower cost initiative that uses existing security data/tools Consolidate technical solutions to lower the burden on analysts and increase their ability to detect and respond to threats A business may find it more effective (and cost effective) to implement business processes for employees handling money transfers (e.g. phone call with someone who recognizes the CFO’s voice) vs. investing in expensive technical controls.
Advertisement