What does this mean for IT governance and policy?
First, this means that by taking countermeasures that reduce the cybercriminal’s ROI, not only do you decrease the probability that any attack will be successful, but you decrease the chance an economic actor will attack in the first place. This is an additional “force multiplier” and governance and IT strategy needs to reflect that. There is a tendency to think that we live in a dangerous world and there is nothing that we can do to affect the attacks on our IT systems. But by changing the economic conditions, we can make some portion of the distribution of attackers “give up.” This makes security event analysis easier and you can shift your effort to protecting other things.
We all know that information security governance decisions need to be based on the economic conditions of your business. The most valuable assets for your organization are your information assets, whether that be PII, IP, or corporate strategy documents. An effective information governance program is the secret to preserving these, and the first step is creating a baseline of the data that is valuable to you and attractive to attackers. This inventory is key to then setting a policy prioritized on the economic value of the information. Since the information, the values and priorities change with time, this process must be revisited periodically, or better, done continuously.
In the underground economy1 documented in the ISTR, a stolen identity is worth $0.10-1.50, RDP login credentials are worth $3-30, and a full ID package is worth $30-100. But this underestimates what this information is worth to you. How much would you pay to keep a set of RDP credentials to a critical server away from a malicious actor? from your competitor? This points out that there are two information valuation methods which are used in different ways when determining information governance policy. First there’s the value to the attacker which goes into the attacker’s ROI and therefore their probability to attempt an exploit. And next there is the value to you if the data is lost - whether that be reputational, legal, or competitive. This value at risk is factored into the analysis of the financial impact.
The “targeted attack groups” (economic or political espionage groups) skew this number. While a rising number of them (8%, up 25% from last year1) are using destructive malware with a scorched earth policy to directly impact your business efficiency, most are intelligence gathering. These groups have a great deal more financial discipline than the average cybercriminal who simply uses “snatch and grab” - this may have something to do with the 78% increase in supply chain attacks1. Information is far more valuable to them than to the cybercriminal who is only really interested in commodifying it.
The Targeted Attack Group’s information value may be derived in underbidding you in a major contract, beating you to market with a new product, or just keeping tabs on the whereabouts of your customers. The first two of these change the attacker ROI and affect your financial impact. The third mostly affects the attacker ROI, though it does also affect your customer reputation/relationships. These groups attack strategically to affect you (and their) bottom line, This means their threat even more necessitates an awareness of them in an effective information governance program. Whatever the source of an attack, if you don’t know the value of something to you and your adversaries, it’s hard to effectively manage and decide on the key mitigations.
Another way to say all of this is that cybercriminals are changing to something that “works better”. The problem with this perspective is that it takes a crude engineering perspective of the criminal. And, to be honest, the economic calculations even of real engineers are usually more sophisticated than this. Understanding that to make a target more valuable changes the ROI and therefore the percentage of cybercriminals that will attempt an exploit – this has more predictive power than just saying “it works better”. In addition, your information governance program and information security governance strategy will benefit from this economic perspective. So aside from tactical information on the latest attack techniques and popular malware types, there is really a great deal more behind the scenes in this report. If applying a more economics-based approach to your information security governance is something you are interested in for your organization, don’t hesitate to get in touch!
1Internet Security Threat Report (ISTR) 2019, Symantec, February 2019