Companies spend big to defend their networks and assets from cyber threats. Kaspersky Labs has found security budgets within enterprises average around $9 million per year. On top of that, data breaches cost companies millions of dollars. Yet, cheap, relatively easy-to-use off-the-shelf hacking tools make the barrier to entry for cybercriminals incredibly low.
Cyber attacks are cheaper than cybersecurity
The math of attack versus defense are simply unfair. Attackers can afford to sell records for peanuts, yet the cost to both the business (and the individual victim if their information is exploited) is much higher.
Top10VPN estimated the cost of person’s entire digital identity – including log-ins for online staples such as Amazon, Uber, Spotify, Gmail, Paypal, Twitter and even GrubHub and match.com – is barely worth $1,000 if a criminal wanted everything. Individually, everything except an online shopping or finance account such as PayPal is worth less than $100.
Armour’s Black Market report found personally identifiable information (PII), while costlier, is still worth less than $200 per record on the dark web. Visa and Mastercard credit card information available for $10 per record. Even banking information for whole accounts is only worth $1,000, even if said account has up to $15,000 in it. In many cases, old information is simply given away for free. This contrasts sharply with the penalties to businesses of losing records. According to IBM’s latest Cost of a Data Breach report, the average cost to a business per record lost is $233 and can be much higher in tightly-regulated industries.
Top10VPN’s Hacking Tools Price Index found malware available for as little as $45, while tutorials on how to construct attacks are available for just $5. The rare times criminals will be required to pay more than $1,000 for any single component would be for a zero-day exploit (as little as $3,000) or a cell tower simulator kit to intercept call data, which would cost over $28,000.
But buying an individual piece of malware or even a full phishing kit isn’t enough to launch an attack: attacks require hosting, distribution channels, obfuscation for malware, account checkers and more. In a new report, Black-market ecosystem: Estimating the cost of “Pwnership,” Deloitte has gone beyond just listing the piecemeal costs and instead calculated the total cost of operations — from malware and keyloggers to things like domain hosting, proxies, VPNs, email distribution, code obfuscation and more — for threat actors to launch a full campaign against organizations.
“The groups behind these types of large campaigns need multiple layers of services,” says Loucif Kharouni, threat intelligence leader at Deloitte Cyber Risk Services. For an operation to deliver a banking Trojan, you would need to use at least five or six services.”
What does a cyber attack cost?
The report found that the dark web is awash with a variety of readily accessible services to suit the individual needs of the attacker, with pricing that accommodates all levels of investment. Need a compromised server to launch a keylogging phishing attack? Easy. Want to run your own remote access Trojan campaign? Not a problem.
Entire campaigns can, in some cases, cost the same as a good meal. Here are some examples:
- A total phishing campaign including hosting, phishing kit: $500 per month on average with prices starting $30 per month.
- An information-stealing/keylogging campaign (malware, hosting and distribution): $723 on average with prices as low as $183
- Ransomware and remote access Trojan attacks: $1,000 average for a campaign
- Banking Trojan campaign: an initial outlay of around $1,400 but could go as high as $3,500
Cyber crime barrier to entry getting lower
Deloitte estimated even a low-end cyber attack costing just $34 per month could return $25,000, while the more expensive and sophisticated attacks costing a few thousand dollars could return as much as $1 million per month. Meanwhile, IBM estimates the average cost to a business of a data breach is $3.86 million.
The low cost of entry, relative ease with which attacks can be deployed, and the high returns means the potential pool of threat actors isn’t limited by technical skill level. “If we look at the barrier to entry three years ago versus the barriers to entry now, a lot of these very focused services really didn’t exist or were just starting to kind of really come into the market,” says Keith Brogan, managed threat services leader at Deloitte Cyber Risk Services.
“It really isn’t that expensive or hard for cybercriminals to go out and make some money very easily. The barrier to entry is very low; you could very easily get access to these different services and enablers and really turn a profit pretty easily. You are in some cases limited by your own imagination,” Brogan adds.
This low cost of doing business and high rate of return means disparity between the profit criminals make versus the cost of repairing the damage is huge, says Oliver Rochford, director of research at Tenable. With ransomware, for example, he says even with a payment rate of 0.05% the ROI is estimated to be over 500%. While estimated global revenue of cybercrime is around $1.5 trillion, Rochford says the cost of damage is thought to be upwards of $6 trillion. Considering Gartner estimates the total size of the cybersecurity market in 2019 was $136 billion, that means $11 to $12 of cybercrime revenue drives just $1 of cybersecurity spend.
Much like in the security vender space, the cybercrime services market is full of small boutique operators. The dark web, according the Deloitte report, is a “very efficient underground economy where threat actors specialize in a product or service, instead of trying to diversify their proficiency in several disparate and highly technical disciplines.”
“It’s less expensive and less work for them to really focus on doing a few things really, really well,” adds Brogan, “and they need to have less connections kind of in the cybercriminal underground in order to do that, and they also probably have less leaks and so are less likely to get shut down as well.”
Different actors provide different grades of product and service. Cheaper, less sophisticated options are available — some ransomware kits operate with no upfront cost and instead take a share of the profits, essentially reducing the upfront to zero — but offer less return and are more likely to thwarted by defenders, while splashing out for premium services increases the chances of success and a high return on investment. Often the most complicated factor for threat actors is stitching together the different components into one complete attack.
What the CISO needs to know about cyber crime markets
The cheap, simple attacks, Brogan says, shouldn’t worry IT teams too much. “If you’ve got your security operations running well the majority of those up-to-$100 type attacks are taken care of by mostly good IT hygiene and basic security controls. Then you can focus on making the decision of what are those more advanced threats that I really need to worry about? Then we get into who are [the] kind of threat actors that are after me as an organization, what might they be interested in, how do those threat actors use these types of enablers to launch attacks in the past and how might [they in] the future?”
According to Brogan, knowing as much as you can about the criminal service providers is just as important as knowing about the threat actors employing them against your network. “People aren’t focused at this level and in many cases have not made the connection that these small operations are out there are really a threat to them,” he says, “because they have not put together the fact these tools get laced together by cybercriminals in order to form an attack against them.”
“If I was a CSO, my intelligence team would be real focused on each one of these enabling services. I would want to know the major bulletproof hosters out there, all of the proxies, the traffic redirection services, how account checkers work. I want to know about all of the DDoS services that are out there,” Brogan says. “Then I would pair those things against my defenses — understand the ecosystem, understand how these services enablers work and organize your defenses and your visibility tools against that.”
Even if it’s hard to make the cost of doing business too high for criminals when it’s just so cheap, you can make your organization a less appealing target to the rank-and-file off-the-shelf attackers. An example would be looking at how account checkers, which automatically run credentials against login systems, work and then finding potential ways to block or reduce their effectiveness. “Time is money,” says Brogan, “and if you’re going to cost someone a lot of time to execute their threat, that’s the same as raising their costs.”
Tenable’s Rochford says increasing the cost of business for criminals inevitably reduces the ROI, which ultimately makes you a less attractive proposition in a “target-rich environment”. While he says greater action on the regulation side and by law enforcement might ultimately reduce the size of the criminal market, especially at the lower end, he says CSOs should look to be strategic around how their security posture, especially patching and retiring legacy or end of life products and applications, while bug bounties can disincentivize some hackers from acting illegally if they can make profit legally and also help highlight and plug vulnerabilities.
“It’s about smart lifecycle management. Eliminate all the privilege escalation vulnerabilities. Exploiting legacy or end-of-life products still yield a positive ROI, so make sure the likes of Flash and Internet Explorer are removed from devices. If you can’t, make sure they aren’t connected to the internet. Follow vendor advice around patching and retiring products.”