The Chances of Becoming a Cyber Victim: A Look at Cyber Safety

What are the chances of becoming a cyber victim? In this post, we’ll explore the odds compared to the chances of other unrelated events.

Many of us take comfort in knowing that certain bad things are not likely to happen to us, so we don’t worry too much about those things. We think our chances are pretty good.

Comforting Odds: 

  • Dying from a shark attack: 300,000,000 : 1
  • Your opponent’s getting a Royal Flush in poker: 649,739 : 1
  • Being struck by lightning in California: 7,538,382 : 1
  • A meteor landing on your house: 182,138,880,000,000 : 1
  • Dying from a mountain lion attack in California: 32,000,000 : 1
  • Dying from parts falling off an airplane: 10,000,000 : 1
  • Being attacked by an Orca: 0 (excluding Orcas in captivity)

On the other hand, we find lots of things, good or bad, for which the odds are not what we would like them to be.  We don’t think our chances are as good for these things turning out our way.

Not Comforting Odds:

  • Getting a Royal Flush in poker: 649,739 : 1
  • A meteor landing on your worst boss’s house: 182,138,880,000,000 : 1
  • Being struck by lightning in Montana: 249,550 : 1
  • Having a stroke: 1 in 6
  • Winning the Powerball Jackpot: 13,983,816 : 1
  • An American man developing cancer in his lifetime: 1 in 2

There is another category of bad things for which we just don’t know the odds, and It’s Downright Scary!

Downright Scary:

Odds that your antivirus product will protect you from a cyberattack: Unknown

Actually, you cannot accurately calculate the odds of your antivirus (AV) product protecting you because probabilities deal with the odds of specific events happening.   Here, the cyberattack could be spam, malware, phishing, social engineering, or some other form of attack.  Within each of those categories, there is a wide range of types of attacks.  On average, there are 27 trillion malicious attacks per year, so there are going to be a lot of attack vectors crashing into your AV product.  Calculating the odds is almost impossible.  It’s Downright Scary!

McAfee’s The Economic Impact Of Cybercrime And Cyber Espionage, July 2013, estimates the cost of global cybercrime to be $300 billion to $1 trillion.  Using an average annual cost per breach of $11.56 million, extrapolated from the 488 attacks used to measure the total cost in a study for The Ponemon Institute’s 2013 Cost of Cyber Crime Study: United States, the total number of attacks would be in the range of 26,000 to 87,000.  Of course, as the number of attacks is spread out over all victims, the cost per attack would drop, meaning that the number of successful attacks would be much higher.  We just don’t know. It’s Downright Scary!

What we do know is that for those 26,000, 86,000, or whatever higher, scarier number it is, their AV product did not stop whatever malicious threats caused the breaches.  Of course, none of the other defenses these companies had in place stopped the criminals.  In fact, 100% of the time, the combination of all of these products failed for these victim companies.

How about for your company?  Would you be protected?  Unfortunately, you don’t know. It’s Downright Scary!  Also unfortunate is the fact that most companies don’t know they were not protected until about 210 days on average (Trustwave) after they have been compromised.  Wonder what the bad guys could do inside your systems in 210 days?  It’s Downright . . ., well, you get the point.

What can you do?  It is apparent from these numbers and from the daily news reports that there are at least two major things happening in the cyber world – the good guys are losing and the bad guys are winning.  This is not just both sides of the same coin; there is much more to it than that.  Sure, the bad guys are getting better at what they do.  They have entire infrastructures to rely on, social networks for criminals, division of labor, secondary markets for their tools, and they learn quickly from experience.  They are not all smart, but many are and there are many of them.

So, why are the good guys losing?  There are lots of reasons to be sure, but a significant number of attacks are successful because the incoming threat was not detected at all or not detected until it was too late.  The collective description of the problem in these cases is that the AV vendor or other provider is trying to fight today’s cyber war, and it is a war, using yesterday’s tactics and yesterday’s weapons.  Many victims are surprised to learn that there is a better way.  That better way is to use actionable intelligence and proactive intervention to identify the sources of the malicious threats, identify the bad actors and their tools and networks, and to use this information to prevent their success and to take down their infrastructure.

Is this a 100% cure?  No, a “cure” is not in sight.  However, it is better medicine.  Throughout our history, we have benefited from moving away from shamans and witch doctors and toward proven effective cures for many illnesses.  To make ourselves safer in the cyber world, we must take similar action.  We must move away from what might have worked, we really don’t know how well it did work, to what we know is better – an intelligence-based approach to cyber protection.  Not only is the cyber world often very mysterious, It’s Downright Scary!

An inside look at Dropbox phishing: Cryptowall, Bitcoins, and You (updated)

Post Updated on June 10

On Monday, I wrote about attackers using phishing attacks to deliver malware via links to Dropbox. Today, we received another wave of these emails with slightly different subject lines. Figures 1, 2, and 3 show the variants that were received by us in the latest campaign, and reported by our internal users. In this campaign, 10 of our users were targeted.

What do Takedown Vendors and Fire Hydrants Have in Common?

What, you may ask, do takedown vendors and fire hydrants have in common?  Well, perhaps more than one might think.

In this post, we’ll examine a couple of different aspects: what they do and their intended use, their impact on us and our businesses and where they fall short in protecting us and our assets from harm and how we can address these shortcomings.

Let’s start with what each does and their intended use.  Both are intended to protect us from further harm once a threat to our security and wellbeing is identified.  In the case of the fire hydrant, water is provided by an individual hydrant for a limited area for use by a third party, firefighters, to put out a fire at its source and save our assets, a home or building. Timeliness and accurate identification of the source are critical to success.

Similarly, once a brand is notified of a fraudulent website, the takedown vendor acts on the suspected phishing URLs. The hope and intent is to reach the source of the attack and eliminate it by “taking it down,” protecting credentials with a quick response.  Timeliness and accuracy are critical to success in much the same way they are in putting out fires.

What do fire hydrants and takedown vendors truly provide us?

In the case of fire hydrants, they can help lower our insurance premiums if they’re close enough to our home or building.  They can give us some peace of mind.  And they help firefighters put out fires.  Unfortunately, they do nothing to prevent fires, and in that sense they only address symptoms.

In a similar fashion, takedown vendors make us feel good because we are reacting to threats and attempts to steal credentials, etc.  But they too are dealing with symptoms and generally not effectively addressing the critical time between the onset of the phishing campaign and credential theft and the remediation or successful take down of the fraudulent sites. Again, they do nothing substantially to prevent attacks.

It’s important to remember, time is critical and time is not on your side in either case.  Fires spread at a geometric rate in their early stages. So, in summary, both fire hydrants and takedown vendors do what they are intended to do well but are ineffective at identifying the true source of the threat and preventing destruction of assets.

So what’s one to do: abandon fire hydrants and stop using the services of takedown vendors?

Certainly not.  They perform their intended function.  But there are things that can be done to complement their function and result in more effective protection of our assets.

Just as inspections of homes and buildings for potential fire hazards go a long way in preventing fires and reduce the need for reliance on fire hydrants and fire trucks, actionable threat intelligence with deep contextual information can make cybersecurity measures more effective and more timely in their response. Tools can be more preemptive, reducing the need to take down fraudulent websites.  When they are needed, takedown efforts can be more focused on the true sources of the threats and improve takedown time.  And some of that portion of the budget can be used elsewhere.

So, ask yourself this question: how pleased are you with your current takedown approach/vendor?  The intelligence-led security approach is gaining traction in corporate security circles. It’s an approach worth investigating.  It can help make the difference between merely being compliant and being effective as well.

You’re infected! Ransomware with a twist

Your computer is infected! Pay $50 USD in order to remove the malware.

The FBI has been tracking you for visiting inappropriate sites. Please pay $250 to avoid higher court costs and appearances.

Ransomware is nothing new, and typically comes in many shapes and sizes. For years, users have been visiting websites, only to be redirected to a ransomware site and scared into paying fees that amounted to nothing more than lost money. With the advent of CryptoLocker, however, attackers have felt a need to “give” back to their victims. Once they infect a system and encrypt the data, they will offer to decrypt this data for a small fee. How kind of them…

In recent months, attackers have started to change the game by delivering these samples via phishing, and using new malware that imitates Cryptolocker. I recently came across a phish carrying ransomware similar to Cryptolocker, but with some noteworthy differences.

What we’re reading about the Chinese hacking charges

While the full implications from yesterday’s DoJ indictment of five Chinese hackers on charges of cyber crime are yet to be fully seen, these charges have already succeeded in elevating cyber crime from a niche discussion to an important debate in society at-large.

Furthermore, just as last year’s APT1 report did, the court documents provide a detailed glimpse at the tactics China is using to steal trade secrets from the world’s largest corporations (not surprisingly, phishing continues to be the favored attack method).

There has been a lot of media attention on this story, so we’ve put together a list of some of the most interesting content we’ve seen so far:

Dark Reading: ‘The New Normal’: US Charges Chinese Military Officers with Cyber Espionage

Pittsburgh Tribune-Review: Cybercrime case names U.S. Steel, Westinghouse, Alcoa as victims

The Wall Street Journal: Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam

The Los Angeles Times: Chinese suspects accused of using ‘spearphishing’ to access U.S. firms

Pittsburgh Business Times: Hackers posed as Surma on email to access U.S. Steel’s computers

Ars Technica: How China’s army hacked America

CNN: What we know about the Chinese army’s alleged cyber spying unit

The New York Times: For U.S. Companies That Challenge China, the Risk of Digital Reprisal

The Wall Street Journal: U.S. Tech Firms Could Feel Backlash in China After Hacking Indictments

The Washington Post: China denies U.S. cyberspying charges, claims it is the real ‘victim’

Mandiant: APT1: Exposing One of China’s Cyber Espionage Units

There’s threat data and then there’s threat intelligence, do you know the difference?

The intelligence-led security approach is gaining traction in corporate security circles.  However, we’ve noticed that the term threat data is often confused with threat intelligence.

It’s an easy mistake to make, yet very important to distinguish between the two – one represents the “old way of doing things,” while the other brings about a new era in corporate security and brand protection. In this article, we’ll discuss threat intelligence and how it differs from threat data.

The Difference between Threat Intelligence and Threat Data

#1: Threat intelligence is verified. Threat data is just a list.

Modern threat intelligence has been verified, while traditional threat data is a list of random data points, such as IP addresses or URLs.  Verified intelligence without false positives produces actionable intelligence that security professionals can rely on to protect their brands from cybercrime.

#2: Threat intelligence is actionable. Threat data is noisy.

Modern threat intelligence gives you enough information for you to take swift and immediate action to stop a threat. Threat intelligence allows you to bring together your network and people with the solution. Rather than “educate” machines with threat data, threat intelligence relies on the analysis and action of your human capital in order to drive success.

Threat data, on the other hand, has a low signal-to-noise ratio. The majority of data found on traditional lists is meaningless, and it requires a large effort to sift through high volumes of data to find something meaningful.

#3: Threat intelligence is reliable. Threat data is full of false positives.

Threat intelligence provides a clear picture of what is really going on because it has been filtered to remove information that is not directly relevant to protecting the brand. True threat intelligence has been analyzed, vetted and tested – binaries clicked, URLs followed, threats detonated in sandbox environments. Traditional threat data contains many false positives, false URLs, dead URLs, dead IP addresses.

If an organization is working with old school threat data, then they’re just importing white lists, gray lists, or black lists. They’re going to be chasing ghosts for a good bit of their career, trying to find out what’s there and what’s not.

Threat data has a bad habit of constantly crying wolf.  After a while, you stop believing the kid crying wolf.  Then, you stop worrying whether there’s a wolf there.  If you have actionable intelligence, however, you know where the wolf is every time.
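The three distinctions above (verified, actionable, reliable) describe a triage process: collapse duplicate entries, throw out malformed indicators, remove known-good hosts that would be false positives, drop stale or dead entries, and keep only what has actually been checked. The script below is an added example, not code from the original post or from the vendor’s products, showing that process over a constructed raw feed. The feed lines, the allowlist and the `VERDICTS` table are all made up for the demo; `VERDICTS` stands in for the URL-following and sandbox-detonation step the post describes, which this offline script does not perform itself.

```python
"""Triage a raw "threat data" list into the subset a defender can act on.

Added example, not code from the original post. The feed, the allowlist
and the VERDICTS table are constructed; VERDICTS is a stand-in for the
results of your own verification step (URL followed, sample detonated).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed raw feed: indicator, first-seen date, contributing source.
RAW_FEED = """\
http://login-update.example.net/verify,2014-06-02,feed-a
http://login-update.example.net/verify,2014-06-02,feed-b
198.51.100.23,2014-06-01,feed-a
198.51.100.999,2014-06-01,feed-a
http://www.example.com/,2014-05-30,feed-c
203.0.113.7,2013-11-15,feed-b
not a url at all,2014-06-02,feed-c
http://files-share.example.org/doc.scr,2014-06-03,feed-a
"""

# Constructed: hosts the organisation knows are benign (a classic false-positive source).
ALLOWLIST = {"www.example.com", "example.com"}

# Constructed stand-in for verification results; "dead" means the URL no longer resolves.
VERDICTS = {
    "http://login-update.example.net/verify": "phish-live",
    "http://files-share.example.org/doc.scr": "dead",
    "198.51.100.23": "malicious",
    "203.0.113.7": "malicious",
}


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str                 # "url" or "ip"
    first_seen: date
    sources: frozenset[str]   # every feed that reported it, after dedup
    verdict: str              # verification result, never empty here


def classify(raw: str) -> str | None:
    """Return 'ip' or 'url' for a syntactically valid indicator, else None."""
    try:
        ipaddress.ip_address(raw)
        return "ip"
    except ValueError:
        pass
    parts = urlsplit(raw)
    if parts.scheme in ("http", "https") and parts.hostname:
        return "url"
    return None


def triage(feed: str, today: date, max_age_days: int = 90) -> tuple[list[Indicator], dict[str, int]]:
    """Dedupe, validate, allowlist-filter, age-filter and verify feed lines.

    Returns the actionable indicators plus a count of why each rejected
    entry was dropped, so the noise level of the feed is measurable.
    """
    merged: dict[str, dict] = {}
    dropped = {"malformed": 0, "allowlisted": 0, "stale": 0, "dead": 0, "unverified": 0}
    for line in feed.splitlines():
        if not line.strip():
            continue
        value, seen, source = (s.strip() for s in line.split(","))
        kind = classify(value)
        if kind is None:
            dropped["malformed"] += 1
            continue
        entry = merged.setdefault(value, {"kind": kind, "seen": date.fromisoformat(seen), "sources": set()})
        entry["sources"].add(source)  # duplicates across feeds collapse into one record

    actionable: list[Indicator] = []
    for value, e in merged.items():
        host = urlsplit(value).hostname if e["kind"] == "url" else value
        if host in ALLOWLIST:
            dropped["allowlisted"] += 1
            continue
        if today - e["seen"] > timedelta(days=max_age_days):
            dropped["stale"] += 1
            continue
        verdict = VERDICTS.get(value)
        if verdict is None:          # never checked: it is data, not intelligence
            dropped["unverified"] += 1
            continue
        if verdict == "dead":
            dropped["dead"] += 1
            continue
        actionable.append(Indicator(value, e["kind"], e["seen"], frozenset(e["sources"]), verdict))
    return actionable, dropped


def demo() -> tuple[list[Indicator], dict[str, int]]:
    """Run the triage over the constructed feed as of a fixed (constructed) date."""
    return triage(RAW_FEED, date(2014, 6, 10))


if __name__ == "__main__":
    kept, why_dropped = demo()
    for ind in kept:
        print(f"{ind.kind:3} {ind.value:42} {ind.verdict:10} sources={sorted(ind.sources)}")
    print("dropped:", why_dropped)
```

Of eight raw lines only two survive: the live phishing URL (now attributed to both feeds that reported it) and one verified IP. The rest are exactly the categories the post complains about: two malformed entries, one allowlisted host, one stale indicator, and one URL that is already dead. Replacing the `VERDICTS` table with a real verification step is what turns the script from a list cleaner into an intelligence pipeline.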