Hacker economics: Three cost effective ways to tackle hackers

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.thestar.com.my/Tech/Tech-Opinion/2014/01/22/Hacker-Economics-Three-Cost-Effective-Ways-to-Tackle-Hackers/

When we think about criminal hackers, we picture a techie who lives and
breathes code. The game player, puzzle solver, master of manipulation. But
more recently, another picture comes to mind. When you get right down to
it, hackers are people, too.

Too often, we focus on the technical side of online threats. We head
straight down to the technique level of SQL injection, cross-site scripting
(XSS), cross-site request forgery (CSRF), you name it.

We think sessions, authorisation, authentication, proxies, or query string
manipulation. But we can tend too often to overlook the true root cause of
the exploitation—which is less about the hack and more about the hacker.

Perhaps the time has come to start taking advantage of the human factor and
to modify our perspective and perception. It's time to hit hackers where it
hurts—and that's with their time and money.

If there's one thing hackers don't like, it's dealing with tasks they
perceive to be a waste of valuable time. And if there's one thing hackers
usually don't have a lot of, it's patience. They want quick results, gain,
and cash in their pockets.

So considering their economic motivation, what can we do? We can find ways
to increase the time, effort and opportunity costs associated with
compromising websites, datacentres, and networks. We can employ an
important, effective, and underutilised security tool, which is the ability
to waste their time and devalue their efforts.

Based on first-hand intelligence on attacks aimed at our own
infrastructure, we learned that there is a finite amount of time that most
attackers will continue to attack a Web application before giving up.

Looking at the attackers who targeted several of our websites and
applications, representative of a typical enterprise environment, revealed
trends in how hackers approach attacking a website or datacentre. Some of
the most telling trends are rooted in time:

Minutes. For a smaller site, which has fewer pages to attack, the average
duration of attacks by 99.23% of attackers was 22 hours. However, when the
mere 0.3% of attackers who hack for extended periods of time are removed,
the average attack time dropped to only eight minutes per attacker. This
indicates if you could frustrate the majority of attackers for more than
eight minutes, you'd be able to stop nearly every attack and encourage the
attacker to move on to other targets.

Hours. On another much larger site, the average duration of the attack was
11 hours and 52 minutes. Again, if you remove the longest of these attacks,
which equated, again, to less than 1% of attackers, the average attack
duration shrunk to three hours per attacker.

A day. There are a small number of attackers who are much more persistent
in their pursuits. When compared with the shorter duration attackers, these
more persistent folks also tend to launch larger volume attacks with more
advanced attack techniques and much more sophisticated tools. Still, even a
persistent sophisticated hacker will likely only spend one day attacking a
site.

Collectively this demonstrates there is a clear threshold where attackers
will move on to other targets if a company can protect its infrastructure
for long enough. While the duration differs for each website and depends on
the number of web pages, the sophistication of the site content, and the
value of the data behind the site, the research still shows that if
attackers are frustrated early on in the process, most will go elsewhere.
Further, it allows us to focus our time and resources on the more
persistent attacks, which tend to be the most devastating.

This can be done by denying instant gratification. In fact, prolong
gratification for as long as possible. The key is getting hackers to give
up. Find ways to increase the time, effort, and opportunity cost associated
with the exploitation. Make them relinquish their quest. Make them realise
their time is better spent elsewhere. Make them realise that your site is a
losing proposition. Let ‘em cut their losses and move on.

One approach is to trick attackers into exposing themselves when they
target a site, and finding ways to frustrate their progress by leading them
to hack data that ultimately doesn't exist. This can include slowing
connections to the server for the attacker, creating fake directories,
simulating broken applications and flooding attacker scanning programs with
information about vulnerabilities that don't exist.

This approach has other unintended but positive benefits to the broader
community. Wasting the time of attackers means they have that many less
hours in the day to attempt to hack others. The very thought puts a slight
schadenfreude grin on my face. That isn't so wrong, now is it?

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!