RSA Conference Europe 2012 – Adversary ROI

Adversary ROI: Evaluating Security from the Threat Actor’s Perspective

Joshua Corman – Director, Security Intelligence, Akamai Technologies
David Etue – VP, Corporate Development Strategy, SafeNet

The premise of this talk is that adversaries have developed better ROI models than we have relating to our security spend..

As an organisation we cannot protect everything.  We have scarce security resources.  Are we protecting our most critical assets?  Think like our adversaries – what is important to them, not just what we think is important to us.  It Is not just about what you have done, but WHO is after you..

Why does security ROI fail?  Security provides protect, it is not a profit centre..

Does ROSI (Return on Security Investment) improve things?

ROSI = ((Risk Exposure * % Risk Mitigated) – Solution cost) / Solution cost.

However in the real world, much of the Risk exposure and risk mitigation have to be educated guests at best.  So how accurate can we ever be?

The adversary does not care about your ROI / ROSI, they are results orientated, all their care about is whether they can get the assets of yours that they want and achieve an ROI that is acceptable to them.

Thinking about adversary ROI came about from looking at risk – A risk requires a threat and a vulnerability that results in a negative consequence.  As we have finite resources we must optimise the risk equation for our success.

Consider what is a “threat”? Proposed that is is an Actor with a Capability and a Motive.  Stuxnet, ‘0-days’ etc. are the ‘bullets’ without the actor they would do nothing..

While adversaries have limited resources, consider the adage, ‘why spend $40M on it if you can steal it for $1M?’.  There are many criminal organisations willing to spend $1M+ on a single exploit if the return makes this worth while.

Adversary ROI ((Attack Value (Value of assets compromised + adversary value of operational impact) – Cost of attack) / Cost of attack) * Probability of Success – Deterrence Measures (% chance of getting caught * Cost of getting caught)

Discussion around profiling a particular Actor or class of actors;

Actor Classes (States, Crime, Hactivists…)


Motivations (Financial, Industrial, Ideological…)

Which define their

Targets (Credit card #s, Intellectual property, Cyber Infrastructure…)

With various

Impacts (Reputational, Personal, Availability…)

Via many

Methods (Tools “Metasploit”, Phishing, Malware, Physical…)

Using methods like this to understand the who and why of who is likely to be attacking you can be a great aid to your risk assessment activities.

Consider the already discussed ‘HD Moore’s Law’, suggesting that attacker power increases exponentially, double every 18 months (as with Moore’s law for CPU power).  The ability or strength of the casual attacker grows at the rate of software and tools such as Metasploit, Cain, and Pineapple etc.

Does it matter who is attacking?  Yes, as an example in the survey of top threats, Abuse of System access / privileges was number 18 in the overall list, so if you chose to try and mitigate the top 10 you may miss this one.  However for those wishing to steal intellectual property and classified information this was the number one attack.  Knowing who is trying to attack you, and why will help ensure you have the correct focus for your very finite security budget and resources.

While patching is important, once we have patching in order do we need to keep looking at this as one of our key security metrics?  For example 25% of current breaches are via SQL injection, how much effort is spent on application and code security?  What metrics do you have for ensuring the security of your applications?

I’d recommend reviewing the Verizon Business Data Breach Investigations Report for more information on breaches and breach types etc.  This contains a lot of very useful information to aid your understanding of the current landscape.

Have a look at some of these interesting free tools that can help with your security defences;

WebLabyrinth –

FOG Computing –

SCIT: Self Cleansing Intrusion Tolerance –

Honeyports –

I don’t have time to cover all of these here, but have a look for yourselves if you want some more tools to make attackers lives considerably more difficult should they get onto your networks.

So, how to we best get non security executives involved?  Some questions you can put to them to get the conversation started;

–          What protected or sensitive information do we have?

–          What adversaries desire the information and why?

–          What is the value of the information to the organization?

–          How would the adversary value it?

–          What are the adversary’s capabilities?

–          What controls protect the information?

Summary and next steps;

Remember these are ways to enrich and complement your existing security, not instead of it!

–          Start with a blank slate

–          Engage non security people – you must have executive buy in, and should aim to gradually make security front and centre as part of the corporate culture

–          Identify your most likely adversaries and thus their likely motivations – work with other businesses in your industry – information and knowledge sharing!

  • Obtain and share adversary centric intelligence;
  • Threat intelligence
  • Brand chatter monitoring
  • Information sharing

–          Simulate adversary-driven scenarios – improve on your penetration testing.