Trustwave released a 110-page Global Security Report.
This post reviews the ROI portion of that report.
The report focuses on breaches that Trustwave investigated (Trustwave sells many security services and products), so the report also serves to sell those services.
One could say Trustwave is a competitor of consultants and other security companies, although we serve different types of companies.
The Trustwave report actually says 1,425% ROI, but I use 1,000% in this post because another few hundred percent does not change the point, and I then made the calculation land on 1,000% with some reverse math, shown below.
The report also states that 81% of victims did not detect the breach themselves (this has been reported elsewhere before). Think about how you would even know you had been breached in a credit card number breach, for example: Visa or the bank that issued the card can tell from the fraud pattern, but can you?
Arguably this number should be 99%: an organization that detects some breaches is still missing others. In an enterprise with 150,000 computers in 10 countries on 3 continents, nobody can claim to be detecting every breach.
So the report states the obvious in a different way, and with a different set of assumptions one could just as easily arrive at 3,293% ROI.
The data set is their own data compromise investigations: 574 data compromises across 15 countries.
The ROI section starts on page 63, first with some explanations and definitions.
Then there is a Russian-language advertisement for CTB-Locker (ransomware) at $3,000, with $300 per month for support.
That is the starting point of the ROI calculation.
Now you have a payload but no computers to run it on.
So you buy already-compromised computers, or traffic to a page that delivers your payload to visitors.
Remember that I have said in the past that what the criminal hacker wants is control of your computer (so they can sell that access).
Here is my diagram that puts a value on your computer:
(I need to update the image and add the ransom paid: $300.)
Once a computer has been hacked it can be exploited for profit.
The criminal may also need a daily encryption (crypting) service for the payload, so that it keeps evading antivirus signatures: $600.
Together with the cost of the traffic or compromised computers, the report puts total expenses at $5,900.
Now how much can one make?
Charging $300 per "decryption", it takes only 20 successful payments (20 × $300 = $6,000) to recover the $5,900 investment.
Out of 1,000 clicks or controlled computers, not every one will be infected successfully (something may go wrong), and not every victim will pay.
This is where the estimate gets murky.
Trustwave assumes a 10% infection rate, a 50% payout rate, a $300 ransom, and a campaign duration, and arrives at $90,000 from 20,000 visitors. (Taken at face value, 20,000 × 10% × 50% × $300 is $300,000, not $90,000; $90,000 corresponds to 300 paying victims, or 1.5% of the visitors. The 1,425% figure is ($90,000 − $5,900) / $5,900.)
Of course these numbers could be lower or higher depending on the skill of the criminal hacker.
This is why I chose 1,000% as my number and worked backwards from it:
8,640 visitors × 5% infection rate = 432 infections
50% payout rate = 216 payments, a total of 216 × $300 = $64,800
$64,800 − $5,900 cost = $58,900 net profit
$58,900 / $5,900 ≈ 10, i.e. 1,000% ROI
Simple reverse mathematics, since the assumptions can be adjusted at will to land on whatever number you want.
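As an added worked example (my own code, not from the post or the Trustwave report), here is the campaign model above in Python: the forward calculation from visitors to ROI, the break-even payment count, the reverse calculation that solves for the number of visitors needed to hit a target ROI, and a small sweep over the two "murky" rates. The names (`Campaign`, `campaign_result`, `visitors_for_roi`, `sensitivity`) are my own; the prices and rates are the ones quoted above, and the other defaults are assumptions.

```python
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Campaign:
    """Cost and conversion assumptions for one ransomware campaign.

    Defaults are the figures quoted in the post; every field is an
    assumption an attacker would tune, not measured data.
    """
    fixed_cost: int = 5_900        # payload + support + traffic + crypting, per the report
    ransom: int = 300              # charged per "decryption"
    infection_rate: float = 0.05   # fraction of visitors that end up infected
    payout_rate: float = 0.50      # fraction of infected victims who pay


def campaign_result(c: Campaign, visitors: int) -> dict:
    """Forward calculation: visitors -> infections -> payments -> net -> ROI%."""
    infections = round(visitors * c.infection_rate)
    paid = round(infections * c.payout_rate)
    revenue = paid * c.ransom
    net = revenue - c.fixed_cost
    return {
        "infections": infections,
        "paid": paid,
        "revenue": revenue,
        "net": net,
        "roi_pct": round(100 * net / c.fixed_cost, 1),
    }


def roi_pct_from_revenue(revenue: int, cost: int) -> float:
    """ROI as a percentage of cost, the way the report quotes it."""
    return round(100 * (revenue - cost) / cost, 1)


def breakeven_payments(c: Campaign) -> int:
    """Smallest number of paying victims that covers the fixed cost."""
    return ceil(c.fixed_cost / c.ransom)


def visitors_for_roi(c: Campaign, target_roi: float) -> int:
    """Reverse calculation: visitors needed for a given ROI multiple
    (target_roi = 10 means 10x the investment, i.e. 1,000%)."""
    target_revenue = c.fixed_cost * (target_roi + 1)
    revenue_per_visitor = c.infection_rate * c.payout_rate * c.ransom
    return ceil(target_revenue / revenue_per_visitor)


def sensitivity(c: Campaign, visitors: int, rates) -> list:
    """ROI% for each (infection_rate, payout_rate) pair, showing how far the
    headline number moves when the two uncertain assumptions change."""
    rows = []
    for inf, pay in rates:
        variant = Campaign(c.fixed_cost, c.ransom, inf, pay)
        rows.append((inf, pay, campaign_result(variant, visitors)["roi_pct"]))
    return rows


if __name__ == "__main__":
    c = Campaign()
    print("break-even payments:", breakeven_payments(c))
    print("visitors needed for 10x:", visitors_for_roi(c, 10))
    print("8,640 visitors:", campaign_result(c, 8_640))
    print("report's $90,000 on $5,900 cost:", roi_pct_from_revenue(90_000, 5_900), "%")
    for inf, pay, roi in sensitivity(c, 8_640, [(0.02, 0.3), (0.05, 0.5), (0.10, 0.5)]):
        print(f"infection {inf:.0%}, payout {pay:.0%} -> ROI {roi}%")
```

Note that `visitors_for_roi` with the post's rates returns 8,654, and 8,654 × 5% × 50% × $300 is just over the $64,900 target revenue (11 × $5,900); rounding that down to 8,640 visitors is why the forward calculation gives $64,800 rather than $64,900.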
So which sounds nastier: 10 times the investment, or 1,000% of the investment? They are the same thing.
The criminal hacker is constantly trying to:
1. Get more traffic to the websites hosting the ransomware payload.
2. Make the ransomware more effective (i.e. so that the victim pays).
3. Improve the website's infection rate, which depends on the client-side exploitation capabilities.
As a new vulnerability comes out (I'm using yesterday's blog post from rand.org, image below) it has a window of effectiveness even against computers that are normally kept patched, until the patch is actually installed. If your computer is not patched at all, an old vulnerability keeps working indefinitely.
This is why we (security professionals) recommend patching as soon as practicable after a patch is released.