Hacker economics: Opportunity costs and attacker attention spans

Michael Callahan, VP of global product marketing for the security business, Juniper Networks

When we think about criminal hackers, we picture a techie who lives and breathes code. The game player, puzzle solver, master of manipulation. But more recently, another picture comes to mind. When you get right down to it, hackers are people, too.

Too often, we focus on the technical side of online threats. We head straight down to the technique level of SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), you name it. We think sessions, authorization, authentication, proxies, or query string manipulation. But too often we overlook the true root cause of the exploitation—which is less about the hack and more about the hacker.

Perhaps the time has come to start taking advantage of the human factor and to modify our perspective and perception. It's time to hit hackers where it hurts—and that's with their time and money. If there's one thing hackers don't like, it's dealing with tasks they perceive to be a waste of valuable time. And if there's one thing hackers usually don't have a lot of, it's patience. They want quick results, gain, and cash in their pockets.

So considering their economic motivation, what can we do? We can find ways to increase the time, effort and opportunity costs associated with compromising websites, data centers, and networks. We can employ an important, effective, and underutilized security tool, which is the ability to waste their time and devalue their efforts.

Based on first-hand intelligence on attacks aimed at our own infrastructure, we learned that there is a finite amount of time that most attackers will continue to attack a Web application before giving up.

Looking at the attackers who targeted several of our websites and applications, representative of a typical enterprise environment, revealed trends in how hackers approach attacking a website or data center. Some of the most telling trends are rooted in time:

  • Minutes. For a smaller site, which has fewer pages to attack, the average duration of attacks by 99.23 percent of attackers was 22 hours. However, when the mere 0.3 percent of attackers who hack for extended periods of time are removed, the average attack time dropped to only eight minutes per attacker. This indicates that if you could frustrate the majority of attackers for more than eight minutes, you'd be able to stop nearly every attack and encourage the attacker to move on to other targets.
  • Hours. On another much larger site, the average duration of the attack was 11 hours and 52 minutes. Again, if you remove the longest of these attacks, which equated, again, to less than one percent of attackers, the average attack duration shrank to three hours per attacker.
  • A day. There are a small number of attackers who are much more persistent in their pursuits. When compared with the shorter duration attackers, these more persistent folks also tend to launch larger volume attacks with more advanced attack techniques and much more sophisticated tools. Still, even a persistent sophisticated hacker will likely only spend one day attacking a site.

Collectively this demonstrates there is a clear threshold where attackers will move on to other targets if a company can protect its infrastructure for long enough. While the duration differs for each website and depends on the number of web pages, the sophistication of the site content, and the value of the data behind the site, the research still shows that if attackers are frustrated early on in the process, most will go elsewhere. Further, it allows us to focus our time and resources on the more persistent attacks, which tend to be the most devastating.

This can be done by denying instant gratification. In fact, prolong gratification for as long as possible. The key is getting hackers to give up. Find ways to increase the time, effort, and opportunity cost associated with the exploitation. Make them relinquish their quest. Make them realize their time is better spent elsewhere. Make them realize that your site is a losing proposition. Let ‘em cut their losses and move on.

One approach is to trick attackers into exposing themselves when they target a site, and to find ways to frustrate their progress by leading them to hack data that ultimately doesn't exist. This can include slowing connections to the server for the attacker, creating fake directories, simulating broken applications, and flooding attacker scanning programs with information about vulnerabilities that don't exist.
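
The fake-directory and slow-connection ideas above can be combined in a small WSGI middleware. This is an added illustration, not code from the article or from any Juniper product; the decoy paths, class name and delay values are assumptions chosen for the example.

```python
import time

# Constructed decoy paths: nothing legitimate links to these, so any request
# for one is a strong signal of scanning or forced browsing.
DECOY_PATHS = {"/admin.bak/", "/backup/", "/.git/config", "/db_dump.sql"}

class DeceptionMiddleware:
    """WSGI middleware: flag clients that touch decoys, then waste their time."""

    def __init__(self, app, base_delay=0.5, max_delay=30.0, sleep=time.sleep):
        self.app = app
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.sleep = sleep            # injectable so tests do not really wait
        self.hits = {}                # client address -> decoy hit count

    def delay_for(self, client):
        """Delay doubles with each decoy hit, capped at max_delay."""
        n = self.hits.get(client, 0)
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def __call__(self, environ, start_response):
        client = environ.get("REMOTE_ADDR", "unknown")
        path = environ.get("PATH_INFO", "/")
        if path in DECOY_PATHS:
            self.hits[client] = self.hits.get(client, 0) + 1
            self.sleep(self.delay_for(client))
            # Plausible-looking but empty listing: data that does not exist.
            body = b"<html><body><h1>Index of " + path.encode() + b"</h1></body></html>"
            start_response("200 OK", [("Content-Type", "text/html"),
                                      ("Content-Length", str(len(body)))])
            return [body]
        delay = self.delay_for(client)
        if delay:
            self.sleep(delay)         # flagged clients stay slow on real pages too
        return self.app(environ, start_response)

def real_app(environ, start_response):
    """Stand-in for the protected application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]
```

Clients that never request a decoy see no delay. Behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so the client key would have to come from a trusted forwarding header, and the `hits` table needs expiry in a long-running process.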

This approach has other unintended but positive benefits to the broader community. Wasting the time of attackers means they have that many fewer hours in the day to attempt to hack others. The very thought puts a slight schadenfreude grin on my face. That isn't so wrong, now is it?
