
Total Cost of 0wn3r$h!p

December 23, 2014

It is becoming both difficult and boring to keep up with all of the breaches hitting the headlines these days. It is difficult because of the ever-increasing volume and boring because it is generally a rinse and repeat of the same methods of exploitation used again and again across companies.

I am always hoping to see something new, hoping that the bad guys had to do something exotic to get in. But usually companies get compromised because of a combination of lack of patches, lack of visibility and lack of access controls. Attackers seldom bring their “A” game, simply because they don’t need to. Generally all it takes is social engineering, persistence, recycling similar attack methods and maybe some freshly packed malicious code to avoid the risk of AV detection. Voila! You have a recipe for the next big breach!

Further, the bad guys are so successful, it is changing entire economies and creating what is probably the most successful industry in world history. Think about it. The barrier to entry is low, there are plenty of easily accessible and often free tools and other resources to assist you, and it is a lot less work for a lot more money than doing something legitimate.

People often ask, “If they are going to go through all this effort, why don’t they start a real business?!” Well, the answer is simple: it doesn’t pay as well, and it is a lot more effort. If one is in the business to make money and has no scruples, cybercrime is definitely where it’s at. Where else are you going to find a gig where you can charge up credit cards en masse until they get maxed out or shut down with little or no out-of-pocket money on your part?

When you combine the massive ROI of cybercrime and the extremely cheap labor force in countries that get a large share of the blame for it (like China), it is really easy to staff a huge cyber army and “offer” dedicated, advanced persistent threat “service” to every meaningful company on the globe. Let’s look at the finances of that. As of 2013, the average wage in China was about $84 per week, and it is estimated that cyber-attacks from China cost the U.S. economy as much as $2 trillion in lost and stolen property.

How many people can you hire and what kind of technology could you develop with that kind of business model? And, think about the scale of trying to defend against it.

The bad guys are essentially building a shopping mall. We will call it the mall of badness. In the mall of badness, you have access to every company of interest in the U.S. and abroad. They have the funding, the manpower and the technology to gain access to every organization of interest and use this access for their own purposes or to grant access to others who would like to obtain such for whatever reason.

There are lots of estimates out there regarding how many companies are compromised (or 0wn3d). Estimates of the share of companies that are or have been compromised usually vary from 80% to 97%. Based on my experience, that sounds about right. We perform hundreds of incident response investigations and scores of proactive breach discovery investigations each year, and the number of companies that have no sign of compromise is next to nothing. At this point, I pretty much assume that every company is compromised, and the main difference between them is whether they know it and have the visibility to identify it.
