Recently, I have been thinking a lot about the economics of cybercrime and how our defensive measures have impacted the fundamentals over the years. The sorry state of affairs is that most of what we have done to secure our environments has failed to change the fundamental disparity that makes cybercrime so lucrative. The cost to attack and exploit a system is orders of magnitude less than the cost to defend. Nothing that we have done so far has changed this, and the advancement of technology in many ways has increased this disparity.
This disparity is rooted to the connected nature of the Internet itself. There is no real cost to launching an attack; a single machine can attack thousands of targets searching for one with susceptible defences. The cost of acquiring a new target is only the cost of generating a new random number. On the other side of this, each new attack vector requires additional effort on the side of the defender; they must deploy and maintain numerous security controls, while at the same time keeping all of their systems updated with the latest security patches. This is a substantial cost that anyone in charge of security is all too familiar with.
The advantage is completely on the side of the attacker at this point in time. While each defender must incur substantial cost to defend themselves the attackers can easily find targets that have not paid that price. The question becomes, ‘how can we increase the cost that an attacker must pay for each target that they attack?’ The potential for criminal prosecution is something the attacker incurs. However, the difficulty of attribution and the ease of crossing geo-political boundaries that complicates prosecution make this cost quite abstract.
It is with this line of thinking that I started looking at sharing intelligence in a new light. By allowing the information security community to share threat intelligence with one another we have found a way to increase the cost of an attack. Once an attacker has targeted any member of the Open Threat Exchange, the source (IP address) of the attack is known to be malicious throughout the network. This means that attackers can no longer benefit from the isolation of their targets, they must use a new IP for each attack that they launch. Instead of being able to launch thousands of attacks from a single IP, they have to pay the cost of acquiring a number of IPs that is proportional to the number of attacks they wish to mount.
Improving our defences will help us; we will be able to do more to defend ourselves from the latest threats. But we must focus on the other side of the equation as well, increasing the cost that the attacker incurs. The progress in collaboration of international law enforcement has been highlighted by a number of headline prosecutions. But this ultimately depends on near-complete cooperation of international law-enforcement; I am not going to hold my breath. We must look to deploy defensive measures that increase the cost and Open Threat Exchange is a substantial step forward in that direction.
By Russ Spitler, VP Product Management at AlienVault