Value of Stolen Data Often Dictates Hacker Behavior

Beware of the old deceptive denial of service attack…

I recently read an interesting article written by Paul Mazzucco, CTO at TierPoint, on Radware’s blog entitled, “See Through the DDOS Smoke-Screen to Protect Sensitive Data“. The article raises an interesting revisit to an attack behavior that we is now witnessing in real-time involving bad guys who initiate a distributed denial-of-service attack as a decoy to divert your attention while they carry out a completely different but simultaneous attack. This is what I am calling a “deceptive distributed denial-of-service” attack (or DDDoS).

TierPoint is witnessing a growing trend of using such attacks as the means to another, potentially more devastating, end: stealing sensitive data. ~Radware blog

The article made me wonder about the sort of “cost benefit analysis” that bad guys might consider when formulating their plans and that paths they might take in carrying out their attack, all of which pertains to some form of prize beyond simple LULZ. It’s not a mystery that current behaviors and attacks by bad actors are seldom for amusement. Rather cybercrime is a thriving multi-billion dollar business and a formidable weapon of nation-state actors. This article share some of the previous research from McAfee and others regarding the dollar value placed on stolen personal data. Given the aggregate value of stolen data (in large quantities), the possibility is highly likely that a denial of service would nearly always serve as a diversion from the bad guy’s actual intention to steal valuable data. I’m going to briefly paraphrase some of these metrics (below) from Paul’s original article, McAfee’s research, and my own, in order to apply additional perspective and context further within my article.

According to McAfee, the Value of Stolen Data

  1. Stolen Credit and Debit cards are valued from $5 to $45 each, depending where in the world they are, and perhaps who owns them.
  2. Stolen Bank Account login credentials, based on accounts with balance of $2,200 are valued at $190 each. The greater the account balance, the greater the value.
  3. Stolen PHI (Patient Health Information) and PII (Personally Identifiable Information) depending on the age  and financial status of the individual, each instance is valued from $500 to $1,800 each.
  4. Stolen Online Payment Service (e.g. PayPal) login credentials, are valued from $20 to $300 each, depending on the account balance. The greater the account balance, the greater the value.

Now for the Value of a Denial-of Service Attack

Now I’d like for us to look at the cost impact of a DDOS outage. The Atlantic recently published an article entitled, “How Much Will Today’s Internet Outage Cost?“, where they referenced much of the 2014 Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses, and further stated that “some companies could lose thousands of dollars for every minute of a DDoS attack.” That’s every minute!

For more than one-third of companies, a single hour of a DDoS attack can cost up to $20,000, according to  a 2014 report by the security firm Imperva Incapsula. (For some companies, the cost of an attack can exceed $100,000 per hour.) ~theAtlantic

Now let’s consider that two-thirds of sustained DDoS attacks ran between 6 hours and 24 hours. This indicates that the total cost impact for just a 6-hour outage could range between $120,000 and $600,000 per each company.

On the extreme side, the cumulative impact of a single-victim attack could potentially be lot greater, as was the case in the eleven day period of IT outages, resulting in $15 – $20 million in reported losses caused by DDoS attack against budget airline Virgin Blue in 2010.

In a particularly stark example, the airline Virgin Blue  lost $20 million in period of IT outages that spanned 11 days in 2010. ~theAtlantic

By knowing the value of data compared to the impact potential for a denial of service, can we predict the attack path that a bad guy might take? Yes, I think we can.

Now let’s compare the impact values.

In cases of stand-alone businesses, predicting a bad guy’s path becomes quite obvious: steal and sell the data. The potential exists that a greedy bad guy may attempt to carry out all: both DDoS and a targeted data theft as follows:

  1. Launch a DDoS to take out the victim’s e-business, and demand a ransom to restore the service, and also
  2. Exploit discovered weaknesses (while using the DDoS attack as a decoy) to steal data records, then threaten to sell the stolen data if x-amount ransom isn’t paid, and also
  3. Sell the stolen data in the dark-market, regardless of whether a ransom is paid or not.

Note: depending on the type of data stolen, a really bad guy may swap #3 and #2 above, sell the data first, then demand a ransom for the return of the records where the victim may think the data hasn’t already been sold.

Using the data value metrics (described previously), let’s assume a bad guy targets a victim-company with at least one million data records and let’s assign a calculated value for data of each category as below. Let’s also assume that the assigned values pertain to “freshly stolen information” since value of certain data deteriorates rapidly once a breach has been detected by the victim-company because they will trigger incident response countermeasures to do things such as change victim passwords and account numbers, immediately flag and monitor activities pertaining to victims, etc., rendering the stolen data less valuable.

This implies that many types of data are most valuable immediately after it is stolen and that response time to an incident is most crucial. An exception is PHI or any other form of Personally Identifiable Information (PII) because this type of data specifically pertains to the victim as an individual, versus their bank account numbers, credit card information, or account login credentials. All data pertaining to account numbers, usernames and passwords can be disabled and changed within moments of discovering a breach, except for PHI and/or PII. I believe this is the reason PII and PHI data has such a significantly higher dollar value assigned to it than any other data type presented here.

The permanency of this information is also the reason environments who store personal identifiable information and personal health information are appropriately subjected to global regulation such as HIPAA, NIST SP 800-122, FISMA, EU Directive 95/46/EC, GDPR, AU Privacy Act of 1988 all of which define and prescribe requirements to protect this information by law. Yet, the technical IT Security tools, processes and behaviors most often are misaligned with these laws and regulations.

Let’s total the value of one million stolen records

  • Credit and Debit Cards: If a victim-company possesses at least one million records, valued by bad guys at $5 to $45 per each record, then the value of the stolen data is obviously within the range of $5 million to $45 million dollars.
  • Bank Account Login Credentials: If a victim-company possesses at least one million records, valued by bad guys at $190 per each record, then the value of the stolen data is $190 million.
  • Stolen PII and PHI: If a victim-company company possesses at least one million records, valued by bad guys at $500 to $1,800 per each record, then the value of the stolen data is $500 million to $1.8 billion.
  • Online Payment Service (e.g. PayPal) Login Credentials: If a victim-company company possesses at least one million records, valued by bad guys at $20 to $300 per each record, then the value of the stolen data is $20 million to $300 million.

Compared to the value placed on a sustained six-hour DDoS attack against an individual company, the value of stolen data is clearly the greater prize, at least immediately after it is stolen.

Hmmm, sounds like Equifax breach of PII was a very large heist.

Now, lets look at the value of stolen 147 million data PII data records (with credit worthiness ranking to boot) from the Equifax debacle.  Just using the low-side street value of PII at $500 per record, the total heist on stolen data value alone is $73,500,000,000 (that’s $73 billion USD).  I’ll be soon posting an extensive article on Equifax covering this and the many mishaps in their handling the incident, with pragmatic lessons and steps we all can take to minimize the occurrence of such breaches in our environments.

What About Cloud Services and Cloud Application Businesses?

The impact of a DDOS attack against a Cloud-based business or Cloud-service provider may be multiplied a thousand-fold based, thus representing a different scenario than attacking a single business. In the case of Cloud businesses, bad guys might solely choose a DDoS attack to knock out theirs and their customers’ cloud services and communications, and demand a ransom proportional to number of affected Cloud customers.

McAfee is among the industry’s most comprehensive and consistently accurate predictors of future attack types and expected cost for losses in the industry among other topics. McAfee Labs 2017 Threats Predictions (November 2016) report cites “Denial of service for ransom” will become a common attack against cloud service providers and cloud-based organizations” emphasizing the impact on Cloud providers and their Cloud-dependent customers.

“Denial of Service for ransom” will become a common attack against cloud service providers and cloud-based organizations ~ McAfee Labs

Contrary to the cost impact of a massive denial of service attack levied against a single business, a similar DDoS attack against a Cloud Services or Cloud Application provider is a different matter.

Fortunately, Cloud providers understand their market and the inherent risks of infrastructure attacks. They invest proportionally more budget and resources toward vulnerability and penetration testing, remediation processes, as well as technological infrastructure countermeasures designed to deflect distributed denial of service attacks, dropping and dead-ending bad traffic, blacklisting of bad-actor addresses, and effective incident response practices.

It is clear that Cloud Services businesses will indeed remain a target of DDoS attacks, as cited the McAfee report, and they should continue to focus proportional attention to their network infrastructure countermeasures as they do with their data protection practices for their customers. Because Cloud-service businesses are ideally better prepared for network impacts caused by denials of services, they will be less susceptible to bad actors using a deceptive distributed denial of service attack (DDDoS, or 3DoS) and will likely “not fall for the trick”. Their agility in handling DDoS attacks as routine will help them deal with those incidents, while never taking their eyes off data security, intrusion detection and prevention, and access control systems that surround their customers’ data records.

For all businesses, I hope this supplement is helpful and that it illustrates the importance and priority for protecting the data that you store, specifically as it pertains to account access records and personally identifiable information. I also hope this adds to the other publications (referenced within this article); that a denial of service attack may not be directed at your business for the sole purpose of disrupting your business communications. But, rather that a denial of service attack could be a planned diversion tactic designed to take your protective eyes off the highly-valuable data that you hold while you exhaust your resources to triage the deceptive distributed denial-of-service (3DoS) attack.

Until next time,


Leave a Reply