Preface: This blog is a recast of an article that I wrote and posted on LinkedIn in January 2017.
I recall an interesting and informative article written by Paul Mazzucco, CTO at TierPoint, on Radware’s blog entitled “See Through the DDOS Smoke-Screen to Protect Sensitive Data”. The article revisits an attack behavior that TierPoint is now witnessing in real time: bad guys initiate a distributed denial-of-service attack as a decoy to divert attention from their activities while carrying out a completely different, simultaneous attack. From here on out we’ll call this the deceptive distributed denial-of-service attack (or 3DoS for short).
TierPoint is witnessing a growing trend of using such attacks as the means to another, potentially more devastating, end: stealing sensitive data. ~Radware blog
The article made me wonder about the sort of “cost-benefit analysis” that bad guys may perform when formulating their plans and the paths they might take in carrying out their attack, all of which pertains to some form of prize beyond LULZ. It is no mystery that current behaviors and attacks by bad actors are seldom for amusement. Rather, cybercrime is a thriving multi-billion-dollar business and a formidable weapon of nation-state actors. Paul’s article incorporates previous research from McAfee regarding the dollar value placed on stolen personal data. Given the aggregate value of stolen data (in large quantities), it is highly likely that a denial of service would serve as a diversion from the bad guy’s actual intention to steal valuable data. I’m going to briefly paraphrase these metrics (below) from Paul’s article and McAfee’s research, and then expand upon these values to add perspective further within my article.
According to McAfee, the Value of Stolen Data
- Stolen Credit and Debit cards are valued from $5 to $45 each, depending where in the world they are, and perhaps who owns them.
- Stolen Bank Account login credentials, based on accounts with a balance of $2,200, are valued at $190 each. The greater the account balance, the greater the value.
- Stolen PHI (Patient Health Information): depending on the age and insurance coverage of the patient, each record is valued from $500 to $1,800.
- Stolen Online Payment Service (e.g. PayPal) login credentials are valued from $20 to $300, depending on the account balance. The greater the account balance, the greater the value.
Value of a Denial-of-Service Attack
Now I’d like for us to look at the cost impact of a DDoS outage. The Atlantic recently published an article entitled “How Much Will Today’s Internet Outage Cost?”, where they referenced much of the 2014 Imperva Incapsula survey, What DDoS Attacks Really Cost Businesses, and further stated that “some companies could lose thousands of dollars for every minute of a DDoS attack.” That’s every minute!
“For more than one-third of companies, a single hour of a DDoS attack can cost up to $20,000, according to a 2014 report by the security firm Imperva Incapsula. (For some companies, the cost of an attack can exceed $100,000 per hour.)” ~theAtlantic
Now let’s consider that two-thirds of sustained DDoS attacks ran between 6 hours and 24 hours. This indicates that the total cost impact for just a 6-hour outage could range between $120,000 and $600,000 per company.
On the extreme side, the cumulative impact of a single-victim attack could potentially be a lot greater, as was the case in the eleven-day period of IT outages, resulting in $15 to $20 million in reported losses, caused by a DDoS attack against budget airline Virgin Blue in 2010.
By knowing the value of data compared to the impact potential for a denial of service, can we predict the attack path that a bad guy might take? Yes, I think we can.
Now let’s compare the impact values.
In the case of a stand-alone business, predicting a bad guy’s path becomes quite obvious: steal and sell the data. The potential exists that a greedy bad guy may attempt all of it, both a DDoS and a targeted data theft, as follows:
1. Launch a DDoS to take out the victim’s e-business, and demand a ransom to restore the service, and also
2. Exploit discovered weaknesses (while using the DDoS attack as a decoy) to steal data records, then threaten to sell the stolen data if an x-amount ransom isn’t paid, and also
3. Sell the stolen data in the dark market, regardless of whether a ransom is paid or not.
Note: depending on the type of data stolen, a really bad guy may swap #3 and #2 above: sell the data first, then demand a ransom for the return of the records, counting on the victim believing the data hasn’t already been sold.
Using the metrics (described previously) from the McAfee research, let’s assume a bad guy targets a victim-company with at least one million data records, and let’s assign a calculated value to each category of data as below. Let’s also assume that the assigned values pertain to “freshly stolen information”, since the value of certain data deteriorates rapidly once a breach has been detected by the victim-company: they will trigger incident response countermeasures such as changing victim passwords and account numbers, immediately flagging and monitoring activities pertaining to victims, etc., rendering the stolen data less valuable.
This implies that many types of data are most valuable immediately after they are stolen, and that response time to an incident is most crucial. An exception is PHI or any other form of Personally Identifiable Information (PII), because this type of data pertains to the victim as an individual, as opposed to their bank account numbers, credit card information, or account login credentials. All data pertaining to account numbers, usernames and passwords can be disabled and changed within moments of discovering a breach; PHI and PII cannot. I believe this is the reason PII data has such a significantly higher dollar value assigned to it than the other data types presented here. The permanency of this information is also the reason environments that store personally identifiable information and personal health information are appropriately subjected to regulation around the globe, such as HIPAA, NIST SP 800-122, FISMA, EU Directive 95/46/EC, GDPR, and the AU Privacy Act of 1988, all of which define and prescribe requirements to protect this information by law.
Let’s total the value of one million stolen records
- Credit and Debit Cards: If a victim-company possesses at least one million records, valued by bad guys at $5 to $45 per record, then the value of the stolen data is obviously within the range of $5 million to $45 million.
- Bank Account Login Credentials: If a victim-company possesses at least one million records, valued by bad guys at $190 per record, then the value of the stolen data is $190 million.
- Stolen PHI: If a victim-company possesses at least one million records, valued by bad guys at $500 to $1,800 per record, then the value of the stolen data is $500 million to $1.8 billion.
- Online Payment Service (e.g. PayPal) Login Credentials: If a victim-company possesses at least one million records, valued by bad guys at $20 to $300 per record, then the value of the stolen data is $20 million to $300 million.
Compared to the value placed on a sustained six-hour DDoS attack against an individual company, the value of stolen data is clearly the greater prize, at least immediately after it is stolen.
What About Cloud Services and Cloud Application Businesses?
The impact of a DDoS attack against a Cloud-based business or Cloud-service provider may be multiplied a thousand-fold, representing a different scenario from attacking a single business. In the case of Cloud businesses, bad guys might choose a DDoS attack alone to knock out their own and their customers’ cloud services and communications, and demand a ransom proportional to the number of affected Cloud customers.
McAfee is among the industry’s most comprehensive and consistently accurate predictors of future attack types and the expected cost of losses, among other topics. The McAfee Labs 2017 Threats Predictions report (November 2016) cites that “‘Denial of service for ransom’ will become a common attack against cloud service providers and cloud-based organizations”, emphasizing the impact on Cloud providers and their Cloud-dependent customers.
“‘Denial of Service for ransom’ will become a common attack against cloud service providers and cloud-based organizations” ~ McAfee Labs
In contrast to the cost impact of a massive denial-of-service attack levied against a single business, a similar DDoS attack against a Cloud Services or Cloud Application provider is a different matter.
Fortunately, Cloud providers understand their market and the inherent risks of infrastructure attacks. They invest proportionally more budget and resources in vulnerability and penetration testing, remediation processes, and technological infrastructure countermeasures designed to deflect distributed denial-of-service attacks (dropping and dead-ending bad traffic, blacklisting bad-actor addresses), as well as effective incident response practices.
It is clear that Cloud Services businesses will indeed remain a target of DDoS attacks, as cited in the McAfee report, and they should continue to give proportional attention to their network infrastructure countermeasures, as they do to their data protection practices for their customers. Because Cloud-service businesses are ideally better prepared for network impacts caused by denials of service, they will be less susceptible to bad actors using a deceptive distributed denial-of-service attack (DDDoS, or 3DoS) and will likely “not fall for the trick”. Their agility in handling DDoS attacks as routine will help them deal with those incidents while never taking their eyes off the data security, intrusion detection and prevention, and access control systems that surround their customers’ data records.
For all businesses, I hope this supplement is helpful and that it illustrates the importance and priority of protecting the data that you store, specifically account access records and personally identifiable information. I also hope this adds value to the previous well-written publications that I referenced within this article by showing that a denial-of-service attack may not be directed at your business for the sole purpose of disrupting your business communications. Rather, a denial-of-service attack could be a planned diversion tactic designed to take your protective eyes off the highly valuable target (the data) that you hold while you exhaust all of your resources triaging the deceptive distributed denial-of-service (3DoS) attack.
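The closing point, that a DDoS must not pull monitoring away from the data store, can be turned into a concrete correlation check: bulk reads of sensitive tables that occur inside a DDoS mitigation window are exactly what a 3DoS is meant to hide, so they should be surfaced first. The following is an added example, not code from this article or from TierPoint, Radware or McAfee; the log format, the `ddos-mitigation` and `db-audit` sources, and the 5,000-row baseline are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log (not from the article): a DDoS mitigation window
# brackets two oversized reads; an equally large read happens after it ends.
SAMPLE_LOG = """\
2017-01-10T09:00:00 ddos-mitigation START volumetric attack on www-edge
2017-01-10T09:07:12 db-audit user=svc_report rows=120 table=customers
2017-01-10T09:20:45 db-audit user=svc_report rows=250000 table=customers
2017-01-10T09:31:03 db-audit user=analyst7 rows=900000 table=patients
2017-01-10T15:00:00 ddos-mitigation END volumetric attack on www-edge
2017-01-10T16:05:00 db-audit user=svc_report rows=300000 table=customers
"""
BASELINE_ROWS = 5000  # assumed per-query ceiling for normal use; tune locally
DDOS_RE = re.compile(r"^(\S+) ddos-mitigation (START|END)\b")
AUDIT_RE = re.compile(r"^(\S+) db-audit user=(\S+) rows=(\d+) table=(\S+)")

def ddos_windows(log_text):
    """Pair START/END mitigation events; an unterminated START stays open."""
    windows, open_start = [], None
    for line in log_text.splitlines():
        m = DDOS_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        if m.group(2) == "START":
            open_start = ts
        elif open_start is not None:
            windows.append((open_start, ts))
            open_start = None
    if open_start is not None:
        windows.append((open_start, None))  # attack still in progress
    return windows

def flag_decoy_reads(log_text, baseline=BASELINE_ROWS):
    """Bulk reads (rows > baseline) made while a DDoS was being mitigated.
    Bulk reads outside a window stay with the ordinary bulk-read rule; the
    ones inside are what a decoy attack is meant to hide, so they lead."""
    windows = ddos_windows(log_text)
    flagged = []
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ts, rows = datetime.fromisoformat(m.group(1)), int(m.group(3))
        during = any(s <= ts and (e is None or ts <= e) for s, e in windows)
        if rows > baseline and during:
            flagged.append({"time": m.group(1), "user": m.group(2),
                            "rows": rows, "table": m.group(4)})
    return flagged
```

On the sample log the two reads inside the 09:00 to 15:00 window are returned and the 16:05 read is not; in a real deployment the audit lines would come from the database audit trail and the window events from the DDoS mitigation platform.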