Criminal Actions and Motivations, the ROI of Cybercrime: Part 1 - Three Reference Scenarios

Posted by Steven Zafonte on May 2, 2019 9:39:13 AM

Symantec just released its 2019 Internet Security Threat Report (ISTR). It is largely a comparison of malware trends and cybercriminal activity over the last 1-3 years. A quick look into the data reveals that many of the report’s findings are aimed at the end user or environments with a small IT footprint. Despite this, there are valuable insights can be taken from it about enterprise IT governance and IT risk modeling. This two-part series talks about the economic motivations of cybercriminals and how their actions change as a result. It then talks about how these should influence your IT risk modeling efforts.


The ISTR focuses on two types of cybercrime, that done by the average cybercriminal trying to monetize their efforts by simple means, and that done by the “targeted attack group” (economic and political espionage actors). The two have different motivations and levels of discipline, but they are largely working from the same toolbox. The first group often seems faceless and inscrutable. Representations that model the cybercriminal attack as a random event characterized only by the rate of attack can be used as a first approximation, but more insight can be derived by seeing them as economic actors. They attempt to obtain the most valuable cyber resources possible with the least possible investment. While the expected return varies from criminal to criminal, each has a minimum expected ROI required before they undertake a given attack. They are therefore not random forces of destruction, but, instead, are tractably predictable and influenceable. Factoring their reactive behavior into your allocation decisions and IT governance strategies makes those strategies and decisions even more effective.

Let’s look at three examples of cybercriminals as economic actors that are covered in the ISTR report. First case is about the correlation between the frequency of cryptojacking attacks and the price of monero, a common cryptocurrency that cryptojackers mine. As the value of the monero fell by a factor of seven over the course of a year, the total cryptojacking events rate fell by a factor of two (1). This is a clear case of cybercriminals having a distribution of acceptable ROIs for launching attacks. Incentives decreased, a smaller percentage of the criminals were willing to launch this sort of attack (the number of monero mined per hour was largely a constant). Complicating this picture is the fact that once the cryptojacking infrastructure is developed, there is less of a cost to launch additional attacks. Nevertheless, a simple economic model can be used to make sense of the cybercriminal’s strategy.

As a second example, cybercriminals, after cutting their teeth on ransomware for consumer computers, moved to enterprise computer ransomware. The barrier for entry for consumer ransomware is lower and it takes less planning, so it makes sense that it was the first place it became a threat. Once the tools were developed, however, they could be used against the enterprise in coordinated attacks. The inelastic pricing of the ransom of enterprise ransomware drove the price up and hence increased the motivation for enterprise malware attacks. This is seen in the data because even though general ransomware decreased by 20%, enterprise ransomware frequency increased by 12% (1).

A third example of the economics of cybercriminals is their adoption of powershell as an attack vector. Recently browsers, operating systems, and anti-malware software have improved so that the yield of a brute force “through the front door” attack has become prohibitive. The response is to “live off the land” with native OS utilities instead of breaking down the front door. This is seen by a 1000% increase in the use of powershell in attacks (1). FYI, the standard vector is an office document with a macro that calls powershell to load the malware payload (1). Macro limiting strategies may be useful in some cases.

In each of these three examples, a simple economic model could be developed to understand how cybercrime attacks rose or fell based on optimizing the ROI to the cybercriminal. Part 2 of this blog series looks at the ROI of counter-measures embodied in good IT governance and policy.

(1) Internet Security Threat Report (ISTR) 2019, Symantec, February 2019

Topics: cybersecurity, GRC

Visitor comments