The Full Cost of Cyber Crime is Hard to Measure – Here’s Why
When it comes to the world of cybersecurity and cyber crime, it can be difficult to quantify anything. Protecting data and network infrastructure is a constant effort. When a cybersecurity expert is doing their job, nothing will happen, so it’s hard to recognize success. And since there is so little reporting done, it can be hard to identify even the cost of cyber crime. With security, we have to get it right every time – but the criminals only have to get it right once.
See Ever-Changing Cyber Crime with Raj Samani for a complete transcript of the Easy Prey podcast episode.
Raj Samani is the Chief Scientist at cybersecurity firm Rapid7. He runs the Vulnerability Intelligence Team, which analyzes and tracks threats across the globe and develops threat models to use in their products. Raj also works with law enforcement on cyber crime cases and is a special advisor to the European Cybercrime Centre. He worked at McAfee for twelve years, eventually ending up in the Advanced Threat Research division. It was very similar to what he does at Rapid7, but Rapid7 offered the opportunity to work with cutting-edge cybersecurity technology, which is where he wanted to be.
Starting a Career in Cybersecurity
Raj’s career in cybersecurity started with a book. If you haven’t read Cliff Stoll’s book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Raj urges you to take a look. It’s the only book he’s found that explains what cybersecurity professionals do to mitigate the costs of cyber crime in an understandable way. When he read the book, he thought it was incredible. He decided that’s what he wanted to do for a career.
At the time, cybersecurity wasn’t a discipline. It was just a hobby. Raj’s first job had nothing to do with cyber crime. He worked at an IT helpdesk. At the time, the company had found that some workers were doing non-work things, including downloading porn. Raj remembers having a conversation with one of the employees and asking, “Should you really be doing this?” The employee responded, “Well, you didn’t tell me not to.”
Raj started doing some research, and came across the concept of an acceptable use policy. He helped the company start introducing governance to their technological infrastructure and take more control. Then he started to look into dial-up attacks, which were common at the time. From there, cybersecurity became a career
It’s a cool and fun career, but it’s also exhausting. One of the costs of cyber crime for cybersecurity professionals is that you don’t always get the weekend or the time off you’d hoped for. If an attack happens, you need to drop everything and handle it. But it’s exciting because it’s always changing and adapting.
We’ve got to be on it all the time because when it breaks, you’ve got to do the analysis. You’ve got to develop detection. You’ve got to be public about the detection that we have in place.Raj Samani
Who is Responsible for Cyber Crime
One factor that makes it difficult to determine the real cost of cyber crime is it’s difficult to determine who is responsible. In 2013, Raj wrote a paper about cyber crime as a service. It highlighted the cyber crime economy, where aspiring criminals can rent services and hire talent to commit attacks. Generally, we’ve had the idea that cybercriminals are individuals with skills in everything they need to commit cyber crime. But over the last decade, we’ve seen that change.
This is especially true of ransomware. These types of attacks can easily use affiliate models and subcontractors. It’s hard to determine the origin or cost of cyber crime when it’s hard to be sure who is even involved. Cybersecurity professionals have no means to interrogate the people involved or find out anything for sure. They can trace the attacks, determine methodologies, and come up with theories, but there’s no way to prove it. In many ways, we only have thirty or forty percent of the answer to any question about cyber crime.
Managing the Cost of Cyber Crime by Prioritizing
A lot of cybersecurity professionals today try to reduce the occurrence and cost of cyber crime by focusing on specific vulnerabilities. The problem is that they get so many alerts and have so many systems to patch that it’s impossible to do it all. They look at it from a binary perspective – there’s a vulnerability, so it must get fixed.
It’s important to think about context and nuance. Prioritizing fixes is essential. If this vulnerability requires an attacker to have physical access to a device on the network, and that one can be done remotely but isn’t being actively exploited right now, maybe those can be fixed next month. But if there’s one being actively exploited, it’s time for all hands on deck to get it fixed now.
We can’t continue an all-or-nothing approach. IT and cybersecurity teams only have so much resources and time. And they can only take down the systems for so long before the company starts losing money. To reduce the cost of cyber crime and the cost of preventing cyber crime, you need to know what to patch first and what issues to address first.
Adding Context and Nuance to Alerts
A big area of investment to help reduce the incidence and cost of cyber crime is incorporating that context into alerts. If IT and cybersecurity professionals know how much risk is involved in each vulnerability, they can better prioritize.
Rapid7 has a repository called Attacker KB to help with this. A lot of what Rapid7 does is open-source, and Attacker KB is no different. It is free to access and find information. At Attacker KB, they analyze the most critical Common Vulnerabilities and Exposures (CVEs), explain how they work, and reveal which ones are currently being exploited in the wild. It provides the kind of nuance that’s often lost in security operations.
The Struggle of Corporate Buy-In
Raj spent some time as a CISO. When he was in that role, his manager outright refused to see him. The manager complained that every time Raj came to see him he brought a problem, and every time the manager gave him more funding all he did was find more problems. The issue was that they had done some work around user education, which meant more people were able to spot and report issues. Raj was told that if the board had known the project would just create more work, they wouldn’t have let him do it in the first place.
The challenge is that every other part of the business can say, if you give me X amount of investment, there’ll be Y amount of value … we’re an industry that can’t even measure our success.Raj Samani
Raj asked his manager how the board determined success, and was told success was not having a breach. But on the flip side, if there was a breach, you’re out. We have seen CISOs being let go when breaches happen. But more than likely the CISO was aware of the risk and just didn’t get the investment needed to mitigate it.
Cybersecurity as an industry doesn’t yet have metrics to articulate the value of what they do. It can be very hard to calculate what the cost of cyber crime would have been and how much you’ve saved the company because attacks didn’t get through. Effectively, cybersecurity professionals become insurance salesmen. Their main selling point is that they stopped something bad that might have happened. And it’s hard to make people care when the best case scenario is “nothing happens.”
How Covid Changed Cyber Crime
In February of 2020, Raj ended up with some serious injuries and spent a long time in the hospital. He remembers watching the news while sitting in the hospital and getting a call from his boss. His boss wanted to know if he was seeing any cyber attacks happening. There had been a couple issues with apps and some misinformation, but nothing worth noting.
Then in March 2020, lockdown happened. And there was an explosion of cyber crime. From low-end Business Email Compromise scams to misinformation spread by nation-state threat groups, the incidence and cost of cyber crime skyrocketed. Raj thinks what most likely happened is people doing physical crime decided to try digital. They decided that if they sent a bunch of emails and pretended to sell PPE, they could make a ton of money. When it worked, they decided to keep doing it.
On the other side, businesses had to go entirely remote and digital and didn’t always have the time or infrastructure to do it securely. There was also incredible growth in ransomware at that time. Raj tracked the wallets of one particular ransomware network for three months during the pandemic, and that group made $25 million in those three months.
Even though the pandemic has slowed down, this “cyber pandemic” hasn’t. If you are trying to join the cybersecurity industry, you probably won’t get much sleep, but in all likelihood you will stay employed.
Why Raj is Concerned about the Cost of Cyber Crime
What keeps Raj up at night isn’t the fear of something cyber criminals might do in the future. Whatever you hope they’re not doing, it’s already happening. People’s medical records are being stolen, sold, and traded. Child exploitation and trafficking happens, and groups are trading and sharing those images. Crime is being played out digitally in front of us. Security professionals are the thin line that are trying to educate and protect us.
People go, what’s the worst thing that can happen? That happens right now.Raj Samani
But what we have collectively failed to do is articulate the impact and cost of cyber crime. Not long ago there was a meat packing plant and a petroleum company hit by ransomware, and it had a real impact on real people. But we didn’t talk about the individuals who were told they couldn’t come to work and had to deal with the fear that they would no longer be able to pay their bills or feed their kids.
The human costs of cyber crime are very real, but we’ve removed them from the story. When all we focus on is the latest issue, or sometimes the cost of cyber crime to business, we’re missing something essential. It’s like putting on a seat belt when you get into the car – we do it because we’ve seen what happens if you get into an accident. The same is true in the digital realm. If you don’t talk to your kids about cyber crime, they will experience it the painful way. They need to know that cybersecurity does impact them and why.
What keeps me up at night and what scares me is not the stuff that we’re dealing with today, but actually the impact of what we deal with today.Raj Samani
Steps to Reduce the Cost of Cyber Crime
One thing Raj appreciates about working with Rapid7 is their ability to build tools to help reduce the cost of cyber crime, manage risks and vulnerabilities, and provide other options for people affected by cyber attacks. No More Ransom is a tool born out of that desire and the spread of ransomware. Rapid7 successfully took down some ransomware groups and got access to the decryptor keys. They started thinking that they had the keys, so where could someone go to get them? There wasn’t a good place to find them if you were attacked by ransomware.
So in 2016, they launched No More Ransom to make the seven keys they had available. Over the years, they’ve increased their partners. There are now over a hundred decryptor keys available for free. They don’t ask for your email and they don’t track your IP address. All they do is help you find out what variant of ransomware you’re affected by and provide the decryptor if they have one. They estimate they’ve saved people about $1 billion in ransoms.
Reporting to Measure the Cost of Cyber Crime
Another key thing that No More Ransom does is provide the opportunity to report the crime. You can select your country and actually submit a file to law enforcement. Part of the struggle to combat cyber crime is that we don’t know what we don’t know. You would report it to the police if your house was burgled or your computer was stolen. But people don’t tend to report cyber crime. And if it’s not reported, it’s almost impossible to measure the cost of cyber crime.
If we’re not reporting it, we don’t know the impact of it. If we don’t know the impact of it, then politicians won’t do the investment it needs.Raj Samani
When Raj worked at McAfee, they had a category called Potentially Unwanted Programs, or PUPs. The PUP market was hugely profitable for criminals. But nobody was doing anything about it. A single instance didn’t have a big impact. But all together, they were making tens of millions of dollars. People weren’t reporting it because it was insignificant. But because they weren’t reporting it, there was no way to measure the impact, so nothing was done about it. Reporting is essential because it helps accurately gauge the cost of cyber crime to a country and an economy. And once people know the costs, it’s easier to convince those in charge to allocate resources to stopping it.
Why Raj Doesn’t Call Them “Hackers”
The biggest advantage cyber criminals have is automation. They can do attacks or send spam at scale. Most of their attacks are opportunistic. They use the “spray and pray” method and hope one person clicks out of the thousands of emails they sent. Or they find out about a vulnerability or an un-patched system and exploit it to see what they can get. Some of their attacks are more targeted, and some have elements of both. But since so much is purely taking what they can get, it’s hard to identify real signals among all the noise.
The stereotype of a cyber criminal is a guy in a hoodie writing lines of code. But that’s not what we’re dealing with. Many of the cyber crimes that are happening today are masterminded by someone with little to no technological ability who hired the tools or talent they needed to commit the crime. Raj never uses the word “hacker” – it’s not accurate. They’re criminals committing crime. We have to move away from stereotypes, because they don’t help us prevent or reduce the cost of cyber crime.
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
As a super strong extra layer of security, two-factor authentication prevents a thief who knows your login...[Read More]
In the modern world, we need the internet for daily life. Work, school, banking, shopping, social connection,…[Read More]
You’ve probably seen them somewhere. A sign by the road, an ad on a billboard, or even…[Read More]
Student loans came out of their forbearance period and payments resumed towards the end of last year….[Read More]