Hacker economics: Opportunity costs and attacker attention spans
Michael Callahan, VP of global product marketing for the security business, Juniper Networks
When we think about criminal hackers, we picture a techie who lives and breathes code. The game player, puzzle solver, master of manipulation. But more recently, another picture comes to mind. When you get right down to it, hackers are people, too.
Too often, we focus on the technical side of online threats. We head straight down to the technique level of SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), you name it. We think sessions, authorization, authentication, proxies, or query string manipulation. But we can tend too often to overlook the true root cause of the exploitation—which is less about the hack and more about the hacker.
Perhaps the time has come to start taking advantage of the human factor and to modify our perspective and perception. It's time to hit hackers where it hurts—and that's with their time and money. If there's one thing hackers don't like, it's dealing with tasks they perceive to be a waste of valuable time. And if there's one thing hackers usually don't have a lot of, it's patience. They want quick results, gain, and cash in their pockets.
So considering their economic motivation, what can we do? We can find ways to increase the time, effort and opportunity costs associated with compromising websites, data centers, and networks. We can employ an important, effective, and underutilized security tool, which is the ability to waste their time and devalue their efforts.
Based on first-hand intelligence on attacks aimed at our own infrastructure, we learned that there is a finite amount of time that most attackers will continue to attack a Web application before giving up.
Looking at the attackers who targeted several of our websites and applications, representative of a typical enterprise environment, revealed trends in how hackers approach attacking a website or data center. Some of the most telling trends are rooted in time:
- Minutes. For a smaller site, which has fewer pages to attack, the average duration of attacks by 99.23 percent of attackers was 22 hours. However, when the mere 0.3 percent of attackers who hack for extended periods of time are removed, the average attack time dropped to only eight minutes per attacker. This indicates if you could frustrate the majority of attackers for more than eight minutes, you'd be able to stop nearly every attack and encourage the attacker to move on to other targets.
- Hours. On another much larger site, the average duration of the attack was 11 hours and 52 minutes. Again, if you remove the longest of these attacks, which equated, again, to less than one percent of attackers, the average attack duration shrunk to three hours per attacker.
- A day. There are a small number of attackers who are much more persistent in their pursuits. When compared with the shorter duration attackers, these more persistent folks also tend to launch larger volume attacks with more advanced attack techniques and much more sophisticated tools. Still, even a persistent sophisticated hacker will likely only spend one day attacking a site.
Collectively this demonstrates there is a clear threshold where attackers will move on to other targets if a company can protect its infrastructure for long enough. While the duration differs for each website and depends on the number of web pages, the sophistication of the site content, and the value of the data behind the site, the research still shows that if attackers are frustrated early on in the process, most will go elsewhere. Further, it allows us to focus our time and resources on the more persistent attacks, which tend to be the most devastating.
This can be done by denying instant gratification. In fact, prolong gratification for as long as possible. The key is getting hackers to give up. Find ways to increase the time, effort, and opportunity cost associated with the exploitation. Make them relinquish their quest. Make them realize their time is better spent elsewhere. Make them realize that your site is a losing proposition. Let ‘em cut their losses and move on.
One approach is to trick attackers into exposing themselves when they target a site, and finding ways to frustrate their progress by leading them to hack data that ultimately doesn't exist. This can include slowing connections to the server for the attacker, creating fake directories, simulating broken applications and flooding attacker scanning programs with information about vulnerabilities that don't exist.
This approach has other unintended but positive benefits to the broader community. Wasting the time of attackers means they have that many less hours in the day to attempt to hack others. The very thought puts a slight schadenfreude grin on my face. That isn't so wrong, now is it?