I have been thinking a lot about the economics of cybercrime and how our defensive measures have affected the fundamentals over the years. I am no economist, but I have read many books on the subject and I can recognise Kai Ryssdal's voice, so I would like to think I could at least qualify to advise a small, already wealthy nation somewhere in, say, the Caribbean.
The cost to attack and exploit a system is orders of magnitude less than the cost to defend it. The sorry state of affairs is that most of what we have done to secure our IT environments has failed to change the fundamental disparity that makes cybercrime so lucrative, and the advancement of technology has in many ways widened the gap.
This disparity is rooted in the connected nature of the Internet itself. There is no real cost to launching a cyber attack; a single machine can attack thousands of targets searching for one with susceptible defences. The cost of acquiring a new target is only the cost of generating a new random number. On the other side, each new attack vector requires additional effort from the defender, who must deploy and maintain numerous security controls while keeping every system updated with the latest security patches. This is a substantial cost that anyone in charge of security knows all too well.
The advantage is currently completely on the side of the attacker. While each defender must incur substantial cost to defend themselves, attackers can easily find targets that have not paid that price. The question becomes: how can we increase the cost that an attacker must pay for each target they attack? The potential for criminal prosecution is one cost the attacker does incur, but the difficulty of attribution and the ease of crossing geopolitical boundaries, both of which complicate prosecution, make that cost quite abstract.
It is with this line of thinking that I started looking at sharing intelligence in a new light. By allowing the information security community to share threat intelligence with one another, we have found a way to increase the cost of an attack. On hacker forums and other underground communities, attack tools and techniques are widely shared, discussed, vetted and promoted. This sharing gives attackers additional resources to be more effective in their efforts and adds plenty of weaponry to their arsenals. Why shouldn't the good guys do the same while at the same time making it more costly for the bad guys?
For example, once an attacker has targeted any member of the Open Threat Exchange, the source IP address of the attack is known to be malicious throughout the entire network. Attackers can no longer benefit from the isolation of their targets; they must use a new IP for each attack they launch. Instead of launching thousands of attacks from a single IP, they must pay the cost of acquiring a number of IPs proportional to the number of attacks they wish to mount.
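To make the cost shift concrete, here is an added example (not AlienVault or OTX code) that models a shared indicator exchange and replays it over a handful of constructed connection-log lines. The `Exchange` class, the log format and the 30-day indicator expiry are all assumptions of this example: with `shared=False` each member blocks a source only after it has attacked that member, while with `shared=True` the first sighting by any member blocks the source for everyone, so each attacker IP buys only one successful attempt per expiry window instead of one per member.

```python
"""Added example: a minimal shared-indicator exchange replayed over constructed logs.

This is not the Open Threat Exchange's code; it only models the effect the
article describes. Everything here (log format, Exchange class, TTL) is a
constructed assumption for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed connection-log lines: "<ISO time> member=<org> src=<ip> action=<what>".
# One attacker source cycles through three member organisations, then a second
# source does the same; the last line is the second source returning weeks later.
LOG_LINES = [
    "2024-05-01T10:00:00 member=orgA src=203.0.113.7 action=ssh-bruteforce",
    "2024-05-01T10:05:00 member=orgB src=203.0.113.7 action=ssh-bruteforce",
    "2024-05-01T10:10:00 member=orgC src=203.0.113.7 action=ssh-bruteforce",
    "2024-05-01T10:15:00 member=orgB src=198.51.100.9 action=ssh-bruteforce",
    "2024-05-01T10:20:00 member=orgA src=198.51.100.9 action=ssh-bruteforce",
    "2024-06-15T09:00:00 member=orgC src=198.51.100.9 action=ssh-bruteforce",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, member, source IP)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["member"], fields["src"]


@dataclass
class Exchange:
    """Hypothetical exchange: members report attacking sources they observed.

    shared=False models isolated defenders (each keeps only its own blocklist);
    shared=True pools every sighting so one report protects all members.
    ttl ages indicators out, since an IP reported weeks ago may since have been
    reassigned to an innocent party; the value is an assumption of this example.
    """
    shared: bool
    ttl: timedelta
    local: dict = field(default_factory=dict)   # (member, ip) -> last seen
    pooled: dict = field(default_factory=dict)  # ip -> last seen by any member

    def is_blocked(self, member, ip, now):
        seen = self.pooled.get(ip) if self.shared else self.local.get((member, ip))
        return seen is not None and now - seen <= self.ttl

    def report(self, member, ip, now):
        self.local[(member, ip)] = now
        if self.shared:
            self.pooled[ip] = now


def replay(lines, shared, ttl=timedelta(days=30)):
    """Replay the log in time order.

    Every attempt is checked against the current blocklist and then reported,
    so the exchange only ever learns from attacks that have already been seen.
    Returns (blocked_attempts, successful_attempts).
    """
    exchange = Exchange(shared=shared, ttl=ttl)
    blocked = succeeded = 0
    for line in sorted(lines):          # ISO timestamps sort correctly as strings
        now, member, ip = parse_line(line)
        if exchange.is_blocked(member, ip, now):
            blocked += 1
        else:
            succeeded += 1
        exchange.report(member, ip, now)
    return blocked, succeeded


if __name__ == "__main__":
    for shared in (False, True):
        blocked, succeeded = replay(LOG_LINES, shared=shared)
        print(f"shared={shared}: blocked={blocked} succeeded={succeeded}")
```

Without sharing, all six attempts succeed, because no member has seen either source before it is attacked. With sharing, the two sources together succeed three times (the first hit on each, plus the return visit after the indicator aged out), so an attacker wanting to hit all three members must bring roughly one fresh IP per target. The expiry is the caveat a practitioner would add to any shared blocklist: without it, reassigned addresses stay blocked indefinitely and the exchange starts generating false positives against legitimate traffic.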
Improving our defences will help us; we will be able to do more to defend ourselves from the latest threats. But we must focus on the other side of the equation as well: increasing the cost that the attacker incurs. Progress in international law-enforcement collaboration has been highlighted by a number of headline prosecutions, but that route ultimately depends on near-complete cooperation between jurisdictions; I am not going to hold my breath. We must look to deploy defensive measures that increase the attacker's cost, and Open Threat Exchange is a substantial step forward in that direction.
Contributed by Russ Spitler, VP product management, AlienVault