There’s definitely a feeling in InfoSec that the attackers are outpacing us. They’ve got all the creds, the vulns, and the shells, not to mention the possibility of huge monetary incentives. We, on the other hand, have a four-year project just to replace the servers running end-of-life operating systems. However, when contemplating this unfair advantage it’s sometimes easy for us to overlook the bigger picture. It is true that well-aimed attacks typically happen quickly (hours or less), and it is also true that when our organizations are successfully breached it often takes us months or more to learn of it. There is still room for optimism, though. In the Paths section, we examined the route that attackers take to get from point A to point B. In this section, we take a look at the events that take place prior to the attack, and those required after the attack has ended in order for the attacker to realize their profit.
"Give me a place to stand and a lever long enough and I will move the world."
Like all good stories, an attack needs somewhere to begin, and whether that starting point is a list of vulnerable servers, a batch of phishing emails, or a set of stolen credentials, if the proverbial lever is long enough the attacker will breach your perimeter. Therefore, it is wise to do all that you can to reduce the number of starting points you provide. After all, vulns can usually be patched, and creds can be better protected with multi-factor authentication. Having said that, we do realize that even the best security departments can only do so much. Sixty-two percent of breaches not involving an Error, Misuse, or Physical action (in other words, wounds that weren’t self-inflicted) involved the use of stolen creds, brute force, or phishing. And all that malware doesn’t write itself. Admittedly, there’s not a lot you can do about the development, preparation, targeting, distribution, and other shenanigans that take place on the part of the bad guy before the breach.[13] However, what goes down after the breach is another story altogether.
Just ask the axis
Let’s look at what’s being stolen. In Figure 37, we illustrate the amount lost to attackers in two types of breaches: business email compromises and computer data breaches. This loss impact data comes courtesy of the Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3), who have offered some helpful hints in the breakout at the end of this section. When looking at the visualized distribution, the first thing to notice is the spike at zero: not all incidents and breaches result in a loss. The second piece of good news is that the median loss for a business email compromise is approximately the same as the average cost of a used car. The bad news is that the dollar axis isn’t linear. By definition, about as many breaches fall between zero and the median as fall above it, but the upper half stretches from the median all the way to $100 million. We are no longer talking about used-car money at this point, unless you happen to be Jay Leno.