How much does it cost technically proficient adversaries to conduct successful attacks, and how much do they earn? The research study from Ponemon Institute, commissioned by Palo Alto Networks, looks at the relationships between the time spend and compensation of today’s adversaries and how organisations can thwart attacks.
As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.
In this study, we surveyed 304 threat experts in the United States, United Kingdom and Germany. We built this panel of experts based on their participation in Ponemon Institute activities and IT security conferences. They were assured their identity would remain anonymous. Twenty-one percent of respondents say they are very involved, and 79 percent of respondents are involved in the threat community. They are all familiar with present-day hacking methods.
Attackers are opportunistic. Adversaries go after the easiest targets first. They won’t waste time on an attack that will not quickly result in a treasure trove of high-value information, according to 72 percent of respondents. Further, attackers will quit when the targeted company has a strong defense, according to 69 percent of respondents.
Cost and time to plan and execute attacks are decreasing. According to 53 percent of respondents, the total cost of a successful attack has decreased, driving even more attacks across the industry. Similarly, 53 percent of respondents say the time to plan and execute an attack has decreased. Of these 53 percent of respondents who say it takes less time, 67 percent agree the number of known exploits and vulnerabilities has increased, 52 percent agree attacker skills have improved and 46 percent agree hacking tools have improved.
Increased usage of low-cost and effective toolkits drives attacks. Technically proficient attackers are spending an average of $1,367 for specialised toolkits to execute attack. In the past two years, 63 percent of respondents say their use of hacker tools has increased and 64 percent of respondents say these tools are highly effective.
Time to deter the majority of attacks is less than two days. The longer an organisation can keep the attacker from executing a successful attack the stronger its ability to safeguard its sensitive and confidential information. The inflection point for deterring the majority of attacks is less than two days (40 hours) resulting in more than 60 percent of all attackers moving on to another target.
Adversaries make less than IT security professionals. On average, attackers earn $28,744 per year in annual compensation, which is about one-quarter of a cybersecurity professional’s average yearly wage.
Organisations with strong defenses take adversaries more than double the time to plan and execute attacks. The average number of hours a technically proficient attacker takes to plan and execute an attack against an organisation with a ‘typical’ IT security infrastructure is less than three days (70 hours). However, when the company has an ‘excellent’ IT infrastructure the time doubles to an average of slightly more than six days (147 hours).
Threat intelligence sharing is considered the most effective in preventing attacks. According to respondents, an average of 39 percent of all hacks can be thwarted because the targeted organisation engaged in the sharing of threat intelligence with its peers.
Investments in security effectiveness can reduce successful attacks significantly. As an organisation strengthens its security effectiveness, the ability to deter attacks increases, as shown in this report. The following are recommendations to harden organisations against malicious actors:
- Create a holistic approach to cyber security, which includes focusing on the three important components of a security programme: people, process and technology.
- Implement training and awareness programmes that educate employees on how to identify and protect their organisation from such attacks as phishing.
- Build a strong security operations team with clear policies in place to respond effectively to security incidents.
- Leverage shared threat intelligence in order to identify and prevent attacks seen by your peers.
- Invest in next-generation technology such as threat intelligence sharing and integrated security platforms that can prevent attacks and other advanced security technologies.
The economic motivation of attackers
- What motivates an attacker? 69 percent of respondents in this study are motivated by money. While many attackers may be hoping for a big ‘payout,’ reality can be quite different. The findings reveal that attackers on average receive $28,744 for an average of 705 hours spent on attacks annually.
- Of course, some attackers do ‘earn’ more than the average. However, this compensation is 38.8 percent less than the average hourly rate of IT security practitioners employed in the private and public sector.
Inflection point: When malicious actors call it quits
Time to deter the majority of attacks is less than two days. The survey asked respondents how much time it takes to plan and execute web-based and malicious code attacks and if the time has increased, decreased or stayed the same. The study also examines how many of these attacks are successful and when does an attacker call it quits.
The longer an organisation can keep the attacker from executing a successful attack, the stronger its ability to safeguard its sensitive and confidential information. While no organisation has unlimited resources to spend hardening itself against malicious actors, understanding the amount of time until attackers’ efforts are no longer potentially profitable will help the leadership prioritise investments in the appropriate technologies.
Time is the enemy of an attacker. The more time that passes before a successful attack can execute, the more likely an organisation can stop it. For example, a delay of five hours in conducting a successful attack deters 13 percent of attacks, a delay of 10 hours can reduce 24 percent of attacks, and 20 hours deters 36 percent of attacks. On average, a technically proficient hacker will quit an attack and move to another target after spending less than nine days without success.
Hardening the organisation against attackers
Threat intelligence sharing is considered most effective in preventing attacks. To make it more difficult to execute a successful attack, the solution is to exchange threat intelligence with peers and to invest in the appropriate technologies to strengthen an organisation’s security posture. An average of 39 percent of all hacks can be thwarted because the targeted organisation engaged in the sharing of threat intelligence with its peers. Additionally, out of all technologies available, threat intelligence sharing was cited by 55 percent of respondents as the most likely to prevent or curtail successful attacks.
It is clear the attack landscape has changed. Each day we see more successful data breaches against organisations around the globe. This study has exposed as important element of this criminal underground, which can often be missed when headlines about the next Big Data breach dominate the front page: the economic motivation of cybercriminals and how we can use this information to turn the tables on them. The findings clearly show the profit-based motivation of attackers, which means the same economic forces are at work for them as for major businesses. Adversaries are in it for the quick and easy payday, with the majority of them making far less than comparable IT security professionals.
Ponemon Institute expects the cost of attacks to continue to decrease, as attackers become more skilled and automated toolkits are improved and in widespread use, as well as other factors examined in this survey. There is another side to the cost equation though, which the security community can use to keep it safe. We can change the economics of attacks, by putting up a better defense, which takes attackers much longer to overcome.
This survey has shown how attackers will divert their attention to other targets after an increase in the time it takes to breach an organisation of less than two days. Like many businesses, adversaries are constantly weighing the potential profit versus cost, which includes the time it takes them to be successful. As a security community, we must take into account the motivation and economic environment surround attacks, not just technical solutions to the problem.