A BUSINESS WHITEPAPER FROM NSFOCUS

DISTRIBUTED DENIAL-OF-SERVICE (DDoS) ATTACKS: AN ECONOMIC PERSPECTIVE

Table of Contents

Introduction
A Distributed Denial-of-Service Primer
    Volumetric based attacks
    Application based attacks
    Threat Actors, Attack Vectors and Motivations – What drives DDoS Attacks?
The Financial Impact of Distributed Denial-of-Service Attacks
    Direct Costs
    Indirect Costs
A Closer Look At The Cost of Distributed Denial-of-Service Attacks
    DDoS Attack Cost Model
        Example: Online Retail
        Example: Software Development
Return on Investment: A Three Year Cost Analysis
Conclusion
The Economics of DDoS Attacks: A Macro View
Summary

Executive Summary

Senior executives are wisely paying attention to Distributed Denial-of-Service (DDoS) attacks, since the financial consequences can be significant. A comprehensive analysis of the financial impact of a DDoS attack should include both direct and indirect costs, bearing in mind that the cost of a DDoS attack is closely tied to the duration and type of attack itself. This paper presents a model that can be used to estimate costs and return-on-investment (ROI) based on the specifics of each situation. Payback for DDoS protection solutions can range from immediate to less than 6 months, depending on the features, cost and performance of the chosen solution. In light of the fact that macro trends point to a continuing rise in the frequency and damage from DDoS attacks, a model such as this becomes increasingly important.

Introduction

While network security experts disagree on when the first Distributed Denial-of-Service (DDoS) attack occurred, it is generally conceded that the most visible series of attacks occurred in February of 2000 when Internet giants Yahoo, Amazon, eBay, E-trade and others were attacked intermittently over a period of several days. The Yankee Group estimated the total cumulative costs of these attacks at $1.2 Billion U.S. Dollars, and it was later discovered that the attacks were conducted by a 15-year old Canadian teenager using the alias “Mafiaboy”. The teenager had crafted the series of attacks using several publicly available hacker tools.[1]

More than fourteen years later, DDoS attacks are more frequent, complex and destructive than ever. The threat actor landscape has expanded from a single individual with a hobby and an agenda to include cyber-terrorists, professional hackers/crackers/phreakers, hostile nation states, rival companies and even unwitting employees, customers, partners and private citizens. Today, there has been an explosion in connectivity ushered in by mobile and cloud computing, coupled with the availability of sophisticated but easy-to-use DDoS tools and the rapid commoditization of network bandwidth. As a result, it has never been easier to launch a sustained attack designed to debilitate, humiliate or steal from any company or organization connected to the Internet. These attacks often threaten the availability of both network and application resources, and result in loss of revenue, loss of customers, damage to brand and theft of vital data. Fortunately, DDoS mitigation techniques have also evolved; today, the DDoS mitigation market comprises dozens of companies who collectively invest billions of dollars in the research and development of advanced countermeasures. The accuracy and effectiveness of these solutions certainly differ, but there is no denying that specialized DDoS technology is being deployed by organizations of all sizes in order to insulate themselves against this growing threat.

This paper examines the financial impact of modern DDoS attacks by describing the costs typically incurred by the victims of these attacks. It summarizes publicly-available information and research about the scope and costs of recent high-profile attacks, and provides a model that can be used to measure the impact of a DDoS attack for your own organization. While all of the costs in the model may not directly apply to your specific business or organization, they are presented to provide a complete picture of the expenses to consider when evaluating the purchase of DDoS protection. Finally, this paper discusses the larger economic factors that will continue to fuel the proliferation of these types of attacks for the foreseeable future.

[1] SANS Institute, “The Changing Face of Distributed Denial-of-Service Mitigation”, 2001

A Distributed Denial-of-Service Primer

DDoS attacks are an attempt to exhaust network, server or application resources so that they are no longer available to intended users. These attacks generally fall into two categories:

Volumetric based attacks

These attacks are characterized by the presence of an abnormal and overwhelming number of packets on the network. Threat actors attempt to consume all available network bandwidth and/or exhaust router, switch and server forwarding capacity by flooding these devices with malicious traffic so that legitimate user traffic is starved. Some examples of volumetric based attacks include UDP, ICMP and SYN flood attacks.

Application-based attacks

Application-based attacks are designed to exploit weaknesses or software defects that exist in the protocols and applications themselves. They attempt to disrupt service by consuming CPU, memory or storage resources in target servers that are running the application so that the application is no longer able to serve legitimate users. They may also attempt to crash the application by supplying malformed messages or unanticipated input to the application. Some examples of application attacks include HTTP GET/POST attacks, SIP header manipulation attacks and SQL injection attacks.

Hybrid attacks

Modern DDoS attacks are very sophisticated and often blend several volumetric and application based attacks in order to disrupt service. These so called “hybrid” attacks attempt to consume all network bandwidth while simultaneously exhausting server resources. Frequently these attacks are used to not only create a catastrophic denial of service condition but also distract security operations personnel from other malicious activity such as the installation of backdoors or other advanced persistent threat (APT) tools designed to steal vital data. Another common attack technique is to probe an organization’s DDoS response capabilities using a series of short duration attacks over a longer period of time in order to craft a site-specific plan designed to circumvent existing DDoS protection solutions.

Threat Actors, Attack Vectors and Motivations – What drives DDoS Attacks?

Who is performing these attacks (threat actors), what means do they use (threat vectors) and what is their motivation? The answers to these questions are as varied as the attacks themselves. Threat actors can include ex-employees, current employees, hobbyists, political activists (hacktivists), professional hackers (hackers-for-hire), competitors, hostile nation states or vandals who simply enjoy creating chaos.

These attackers can use a seemingly infinite number of devices and protocols as a means to carry out their attacks. Sophisticated and large virtual networks of compromised computers, mobile phones, internet connected smart devices (IoT/home automation), infrastructure servers, home routers, Unified Communications systems and almost anything that is internet connected could be controlled by malicious attackers to launch directed and sustained attack campaigns. These so called “botnets” or “zombie armies” will use a diverse set of protocols typically found at layers 3, 4 and 7 of the Open Systems Interconnection Model (OSI) to carry out the attacks. A non-inclusive list of these protocols includes TCP, UDP, ICMP, NTP, SSDP, HTTP, DNS, SNMP, FTP and more. Attackers can exploit the manner in which the protocols work as well as software defects in their implementation to disrupt service delivery. These protocols and devices are the threat vectors to consider when designing an effective DDoS mitigation strategy.

Motivations for DDoS attacks tend to be financial, philosophical or political in nature. Typical motivations include blackmail/extortion, political or ideological disputes, revenge, vandalism, an attempt to gain a competitive advantage in a business rivalry or an attempt to cover up or distract from other exfiltration or theft of data activities. Regardless of the motivation, it is clear that if you are connected to the Internet or rely on the internet to conduct your business operations you can be a target. The significance of the DDoS threat has not gone unnoticed: a recent survey of more than 641 IT security and operations professionals revealed that 38% of respondents ranked Denial-of-Service attacks as their most significant IT security concern, placing this class of attack in the top 3 out of 10 overall IT security threats.[2]

The Financial Impact of Distributed Denial-of-Service Attacks

In any DDoS attack there are both direct and indirect costs to the victim. Direct costs, in general, are easier to measure and can be immediately associated with the attack. Indirect costs, on the other hand, are more difficult to identify and their effects are often not felt for weeks, months or in some cases years following the actual attack itself.

Direct Costs

Loss of revenue: This is usually the most straightforward metric to collect, particularly if your primary business is electronic commerce. Online retailers, streaming media services, online gaming, business to business hubs, online marketplaces, Internet based advertisers and internet commerce businesses are among those that experience direct revenue loss with any disruption of service. These companies typically measure revenue in clicks or impressions per minute or average revenue per minute or transaction. Revenue is completely lost for the duration of any attack that takes them completely offline, or can be severely reduced during periods when their online systems are performing outside of their normal operating level.

[2] Ponemon Institute, “The Cost of Denial-of-Services Attacks”, March 2015

Loss of productivity: Many companies and organizations use their network, online resources and publicly-available services to support their primary business. Any disruption to the availability of these important resources results in a loss of productivity. Whether employees are accessing the Internet, performing software tasks on remote servers, transferring or accessing valuable company data remotely, entering data into business systems, using cloud based services, e-mailing, printing, communicating or any number of other network related tasks, they can be negatively impacted by DDoS attacks.

Personnel costs – IT operations/security teams: This cost includes the fully-burdened salary of any employees who are involved in eliminating the DDoS threat and restoring service to its normal levels. In some organizations, this can be a single person or two. In others, this can be a larger team comprised of both IT operations and security professionals and involve multiple, geographically diverse locations. Due to the severe impact of a DDoS attack most companies will involve all technical resources capable of helping to restore service until the threat has been eliminated. These costs can mount quickly over the minutes, hours, days and potentially even longer time it can take to recover from a DDoS attack.

Personnel costs – Help desk: In most DDoS attacks there is a surge of activity and calls to help desk support personnel. Calls can come from customers, partners and internal employees who contact the help desk for a variety of reasons: to report the current outage, to request the current status, to find out when service will be restored, to complain, to request a refund or service credit and more.

Specialized Consultants: In some instances it may be necessary to call in an emergency security consultant or hire a managed security services expert who specializes in DDoS attacks to restore service. These consultants can become involved in active mitigation to eliminate the threat, security incident and event management (SIEM) assistance, forensic or compliance reporting efforts or provide follow up analysis and recommendations to prevent future attacks.

Customer credits/Service level agreement enforcement: Some businesses offer service level agreements to their customers that guarantee a certain level of service availability. DDoS attacks can prevent these businesses from meeting these commitments and often result in financial penalties. Also, many companies and retailers are forced to refund purchases or credit back services in order to retain customers or improve loyalty and satisfaction after suffering the effects of DDoS attacks.

Legal/Compliance: Many industries have strict regulations regarding the handling of sensitive data and the reporting of any cybersecurity attacks and breaches. In these instances, detailed forensics and root-cause analysis must be performed. The activities can take an extended period of time to complete and their costs can be substantial. Also, legal costs can be incurred in order to defend against parties seeking compensation for the disruption of service.

Public relations: Some victims of DDoS attacks end up spending additional money with public relations firms in an effort to restore the goodwill and confidence of the general public or their customers after an outage. These firms will often help the victims create clear messaging about the incident and what is being done to prevent attacks of this type in the future. They can also help with press announcements, editorial calendars, contributed articles, speaking engagements or even televised interviews and advertising.

DDoS Attack Cost Categories

Direct: Loss of revenue; Loss of productivity; IT operations/security; Help desk; Consultants; Customer credits/SLA; Legal/Compliance; Public relations
Indirect: Damage to brand; Theft of vital data; Customer loss; Opportunity cost

Indirect Costs

Damage to brand: Some companies spend a substantial portion of their operating budget to create and nurture their brand image through advertising, PR, direct-mail campaigns and other initiatives. Earning the trust and faith of customers and constituents often takes years of time, effort and money. Today’s DDoS attacks can damage your brand and ruin your reputation in a shockingly short amount of time.

Customer loss: The effects of a DDoS attack including disruption of service and theft of customer information can cause a loss of confidence in your customer base. These customers can decide to move their business to a competitor or use social media to vent their anger and frustration. Clearly none of these outcomes is desirable and unfortunately it may take some time to realize the full extent of any customer losses.

Theft of vital data: A worrisome trend in recent DDoS attacks is for threat actors to use the DDoS attack as a smokescreen or distraction to hide other malicious activity. The DDoS attack itself is only a means to an end. The real goal of the attack is to steal critical data. In this style of attack, the threat actor directs a DDoS attack to a certain portion of the network while launching specially crafted attacks at other targets. The goal is to compromise these other targets and either steal critical data during the DDoS attack or install a backdoor that will grant future access to the network and its resources. These attacks can be successful because IT staff are completely focused on mitigating the DDoS attack itself while other malicious activity goes unnoticed. There are many types of DDoS attacks that attempt to take servers off-line or crash applications while still leaving enough network bandwidth to compromise other targets. Additionally, if the victim does not have a dedicated DDoS protection system, the hackers may attempt to loosen firewall or IDS/IPS security rules to keep these systems online. This creates further holes in perimeter security that can be exploited. The sheer volume of logs generated during a DDoS attack makes discovering other malicious activity extremely difficult even after the DDoS attack is thwarted. Vital data can include credit cards, passwords, intellectual property, trade secrets, medical information, private customer records and banking information. One high profile example of this style of attack occurred when hackers launched a DDoS attack on Carphone Warehouse and stole the personal details of over 2 million customers.[3]

Opportunity cost: This category encompasses the set of projects, work or activity that is delayed or dropped because the company is occupied with repairing the damage of a DDoS attack as a priority. Priority activities associated with a DDoS attack can include forensic analysis, incident reporting to comply with relevant regulations, public relations and the deployment of new DDoS protection systems.
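The paragraph above notes that the sheer volume of logs generated during a DDoS attack buries the low-volume activity a smokescreen attack is meant to hide. The following added example (not code from the NSFOCUS paper) shows the first step a defender takes to counter that: count events per source, set the high-rate sources aside as flood noise, and review what remains together with anything that matches a watch list of sensitive event types. The log format ("timestamp source_ip event text"), the keywords and every sample line are constructed for this illustration.

```python
"""Separating flood noise from the low-volume events a smokescreen attack hides.

Added example; not from the NSFOCUS paper. The log format
("<timestamp> <source_ip> <event text>") and every sample line are
constructed for this illustration.
"""
from collections import Counter

# Constructed sample: an HTTP flood from five sources with three rare events
# interleaved. The flood lines are generated; the rare lines are hand-written.
FLOOD_LINES = [
    f"2015-12-03T10:{i // 60:02d}:{i % 60:02d} 198.51.100.{i % 5} HTTP GET /search?q={i}"
    for i in range(500)
]
RARE_LINES = [
    "2015-12-03T10:03:11 203.0.113.9 SSH LOGIN admin success",
    "2015-12-03T10:04:02 203.0.113.9 FIREWALL RULE change allow-any",
    "2015-12-03T10:05:40 203.0.113.77 HTTP GET /search?q=chairs",
]
SAMPLE_LOG = "\n".join(sorted(FLOOD_LINES + RARE_LINES))

# Event types worth a second look even if they arrive from a flood source.
WATCH_KEYWORDS = ("LOGIN", "FIREWALL RULE")


def parse(log_text):
    """Split each non-empty line into (timestamp, source_ip, event)."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, event = line.split(" ", 2)
            records.append((ts, ip, event))
    return records


def flood_sources(records, threshold):
    """Source IPs with at least `threshold` events are classed as flood noise."""
    counts = Counter(ip for _, ip, _ in records)
    return {ip for ip, n in counts.items() if n >= threshold}


def noise_fraction(records, threshold):
    """Share of all log lines attributable to flood sources."""
    noisy = flood_sources(records, threshold)
    return sum(1 for _, ip, _ in records if ip in noisy) / len(records)


def triage(records, threshold):
    """Return (residual, watch_hits): events not from flood sources, and
    events whose text matches the watch list regardless of source."""
    noisy = flood_sources(records, threshold)
    residual = [r for r in records if r[1] not in noisy]
    watch_hits = [r for r in records if any(k in r[2] for k in WATCH_KEYWORDS)]
    return residual, watch_hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(f"{len(recs)} lines, {noise_fraction(recs, 50):.1%} from flood sources")
    for ts, ip, event in triage(recs, 50)[0]:
        print("review:", ts, ip, event)
```

On the constructed sample, over 99% of the lines come from five flood sources; once those are set aside, the three remaining events, including an administrative login and a firewall rule change, are small enough to be read by hand. The watch list is applied to every record, not only the residual ones, so a sensitive event originating from a flooding address is still surfaced. The per-source threshold is the one knob to tune against the site's normal traffic before an incident, which is also the case the paragraph makes for preparing in advance.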

A Closer Look at The Cost of Distributed Denial-of-Service Attacks

There have been numerous surveys and studies conducted on the cost of DDoS attacks. While the results vary based on industry, company size, security operating budget and more, a common element of all of these estimates is that the cost is closely tied to the duration of the outage caused by the attack. Consider the following:

• For some financial and web-based businesses, DDoS attacks can result in millions of dollars of damages per hour.[4]
• The average amount of downtime following a DDoS attack is 54 minutes and the average cost for each minute of downtime is $22,000. However, the cost can range from as little as $1 to more than $100,000 per minute of downtime.[5]
• DDoS is no longer an annoyance threat. In fact, it hasn't been for several years. There is real loss and real cost, and companies of all industries and sizes are vulnerable.[6]

This information provides a general measure of the impact of these types of attacks and the findings demonstrate that there is a substantial financial risk to not being prepared for a DDoS attack. This paper provides a model that can be used as a template to better estimate the cost of an attack for your specific situation.

[3] The Telegraph, “Carphone Warehouse hackers ‘used traffic bombardment smokescreen’”, August 2015
[4] Frost & Sullivan, “Global DDoS Mitigation Market Research Report”, July 2014
[5] Ponemon Institute, “Cybersecurity on the offense: A study of IT security experts”, November 2012
[6] IDC Research, “Breach Is a Foregone Conclusion: DDoS”, October 2015

DDoS Attack Cost Model

The model is introduced by describing the costs associated with a hypothetical attack for both an online retailer and a software development company. These businesses are fictional but the cost factors presented are representative of those that would be considered in any real-world DDoS attack.

Example: Online Retail

Company Profile: The company is an online retailer offering discounted name brand office furniture including chairs, desks, cabinets and artwork. They also offer bulk consumable office supplies and their current trailing 12-month revenue is $35,000,000. Their IT operations team consists of 4 engineers and they have a separate help desk staffed to receive calls from both internal employees and online customers. There are 2 full time employees staffing the help desk at any given time.

Scenario A: The company was the victim of a DDoS attack that resulted in a complete outage of their online store. Customers were not able to browse the store or complete purchases for the duration of the outage.

Scenario A – Cost Table (outage duration across the columns; costs in $USD; "-" means no cost in that category):

                         30 Minutes    2 Hours    5 Hours    8 Hours      1 Day     3 Days  Notes
Direct Costs
  Loss of revenue             3,600     14,400     36,000     57,600    172,800    518,400      1
  Loss of productivity            -          -          -          -          -          -
  IT operations                 108        430      1,076      1,721      5,163     15,490      2
  Help desk                      10         40        100        160        480      1,440      3
  Consultants                 1,600      2,000      2,400      3,000      4,000      8,000      4
  Customer credits/SLA            3         11         27         43        128        383      5
  Legal/compliance                -          -          -          -          -          -
  Public relations                -          -      1,200      1,200      2,400      3,000      6
Indirect Costs
  Damage to brand                 -          -          -          -          -          -
  Theft of data                   -          -          -          -          -          -
  Customer loss                   -          -          -     35,000     87,500    175,000      7
  Opportunity cost                -          -          -          -          -          -
Total cost ($USD)             5,320     16,881     40,802     98,724    272,471    721,713

Notes:
1 – The company does 90% of their annual revenue during a 12-hour period (6am–6pm PST) with an average revenue per minute of $120. The outage occurred during this window.
2 – The model assumes a fully burdened average salary of $108,000 per IT operations staff and all 4 employees in this example were involved in detecting and mitigating the DDoS attack for the entire duration of the outage.
3 – The model assumes a fully burdened average salary of $42,000 per help desk employee with a total cost per call of $1. There were 2 employees at the help desk at the time of the incident fielding 20 total calls per hour. Each call to the help desk during the outage averaged 2 minutes in duration.
4 – The hourly cost for a specialized security consultant is $200 per hour. The consultant was hired for forensic analysis and to make recommendations improving perimeter security to prevent future DDoS attacks. The amount of time included in the model ranged from 8 hours of consulting for a 30-minute attack to 5 business days for a 3-day outage. This time includes all necessary activities for a full analysis including log collection and event correlation from affected networking devices and server systems.
5 – In an effort to build goodwill among those customers affected by the outage the company offered a $10 discount towards future purchases. The model assumed discounts were given to 1% of the total customers who were affected by the outage. The costs are based on an average margin of 15% per online purchase.
6 – The company pays an average of $15,000 per month to a public relations agency for press and analyst relations. The company begins to work with the PR firm when the duration of the outage is greater than 5 hours. The amount of additional hours billed by the PR agency ranges from 10 billable hours for a 5-hour outage to 40 billable hours for an outage lasting 3 days.
7 – The company’s 12-month revenue was $35,000,000 from 152,174 online customers at an average purchase of $230 per customer. The financial impact of permanently losing customers to competitors due to the outage is examined over a three-year period. The number of customers the company lost is assumed to be 1/10th of 1% of total annual customers due to an 8-hour outage, ¼ of 1% of total annual customers due to a 24-hour outage and ½ of 1% of total annual customers for an outage duration of 3 days.

Scenario B: The company was the victim of a hybrid volumetric and application-layer DDoS attack that resulted in a complete outage of their online store and the theft of vital customer account information. Customers were not able to browse the store or complete purchases for the duration of the outage. The stolen data included customer names, phone numbers, addresses, email addresses, account passwords and credit card numbers.

Scenario B – Cost Table (outage duration across the columns; costs in $USD; "-" means no cost in that category):

                         30 Minutes    2 Hours    5 Hours    8 Hours      1 Day     3 Days  Notes
Direct Costs
  Loss of revenue             3,600     14,400     36,000     57,600    172,800    518,400      1
  Loss of productivity            -          -          -          -          -          -
  IT operations                 108        430      1,076      1,721      5,163     15,490      2
  Help desk                      15         60        150        240        720      2,160      3
  Consultants                17,600     18,000     18,400     19,000     20,000     24,000      4
  Customer credits/SLA            3         11         27         43        128        383      5
  Legal/compliance                -          -          -          -          -          -
  Public relations           60,000     60,000     60,000     60,000     60,000     60,000      6
Indirect Costs
  Damage to brand        22,050,000 22,050,000 22,050,000 22,050,000 22,050,000 22,050,000      7
  Theft of data                   -          -          -          -          -          -
  Customer loss           3,500,002  3,500,002  3,500,002  3,500,002  3,500,002  3,500,002      8
  Opportunity cost                -          -          -          -          -          -
Total cost ($USD)        25,631,327 25,642,903 25,665,654 25,688,606 25,808,813 26,170,435

Notes:
1 – Ninety percent of the company’s annual revenue is realized during a 12-hour period (6am–6pm PST) with an average revenue per minute of $120. The outage occurred during this window.
2 – The model assumes a fully burdened average salary of $108,000 per IT operations staff and all 4 employees in this example were involved in detecting and mitigating the DDoS attack for the entire duration of the outage.
3 – The model assumes a fully burdened average salary of $42,000 per help desk employee with a total cost per call of $1. There were 2 employees at the help desk at the time of the incident fielding 30 total calls per hour. Each call to the help desk during the outage averaged 2 minutes in duration.
4 – The hourly cost for a specialized security consultant is $200 per hour. The consultant was hired for forensic analysis and to make recommendations improving perimeter security to prevent future DDoS attacks. The amount of time included in the model ranged from 88 hours of consulting for a 30-minute attack to 15 business days for a 3-day outage. There were 80 hours spent on the forensic analysis of the data theft alone. This time includes all necessary activities for a full analysis including log collection and event correlation from affected networking devices and server systems.
5 – In an effort to build goodwill among those customers affected by the outage the company offered a $10 discount towards future purchases. The model assumed discounts were given to 1% of the total customers who were affected by the outage. The costs are based on an average margin of 15% per online purchase.
6 – The company paid $20,000 per month to their PR agency for a period of 3 months to help minimize the damage caused by the theft of their customers’ personal data.
7 – According to a study conducted by the Ponemon Institute, the average diminished value of an organization’s brand involving the theft of 100,000 or more customer records was 21%.[7] The brand damage was calculated at more than $22,000,000 based on a total company valuation of 3 times trailing 12-month revenue or $105,000,000 USD.
8 – The company lost 10% of its customers due to the data theft.

[7] Ponemon Institute, “Reputation Impact of a Data Breach”, November 2011

Example: Software Development

Company Profile: The company is a 500-person software development firm based in the San Francisco Bay Area. They are a global company with 8 locations connected using a private MPLS wide-area network (WAN). Their Internet data center, in San Francisco, supports their main internet connection as well as a virtualized server farm that is used by the company’s 200 software engineers as their primary development environment for application development and testing.

Scenario C: The company was the victim of a hybrid volumetric and application-layer DDoS attack that completely exhausted WAN bandwidth and brought down the company’s development servers. This prevented access to the Internet for the entire company and disrupted software development activities.

Scenario C – Cost Table (outage duration across the columns; costs in $USD; "-" means no cost in that category):

                         30 Minutes    2 Hours    5 Hours    8 Hours      1 Day     3 Days  Notes
Direct Costs
  Loss of revenue                 -          -          -          -          -          -
  Loss of productivity        2,462      9,849     24,622     39,394    118,183    354,550      1
  IT operations                  81        323        807      1,291      3,873     11,618      2
  Help desk                       5         20         50         80        240        720      3
  Consultants                 1,600      2,000      2,400      3,000      4,000      8,000      4
  Customer credits/SLA            -          -          -          -          -          -
  Legal/compliance                -          -          -          -          -          -
  Public relations                -          -          -          -          -          -
Indirect Costs
  Damage to brand                 -          -          -          -          -          -
  Theft of data                   -          -          -          -          -          -
  Customer loss                   -          -          -          -          -          -
  Opportunity cost                -          -      1,845     11,228     11,228     11,228      5
Total cost ($USD)             4,148     12,191     29,723     54,993    137,523    386,115

Notes:
1 – Loss of productivity costs during the outage are calculated using an average fully burdened salary of $123,600 per software developer. On average 40% of the company’s developers are online and using the centralized development servers or the Internet for research.
2 – The model assumes a fully burdened average salary of $108,000 per IT operations staff and all 3 employees in this example were involved in detecting and mitigating the DDoS attack for the entire duration of the outage.
3 – The model assumes a fully burdened average salary of $42,000 per help desk employee with a total cost per call of $1. There were 10 total calls per hour to the help desk by internal employees to either report the outage and/or request a status update.
4 – The hourly cost for a specialized security consultant is $200 per hour. The consultant was hired for forensic analysis and to make recommendations improving perimeter security to thwart future DDoS attacks. The amount of time included in the model ranged from 8 hours of consulting for a 30-minute attack to 5 business days for a 3-day outage. This time includes all necessary activities for a full analysis including log collection and event correlation from affected networking devices and server systems.
5 – The opportunity cost was calculated assuming a delay to the implementation of other projects by the IT team due to the DDoS attack. At an outage duration of 5 hours, the attack was a distraction and only resulted in a 2-week delay to other projects. In the case of an 8 or more-hour outage the company decided to evaluate and install a new DDoS protection solution which delayed other IT projects for a three-month period. In this particular example, the company had planned to replace its aging MPLS WAN infrastructure with a new, software-defined WAN solution that would save the company 66% in monthly bandwidth costs. At a monthly cost of $500 per MPLS WAN link, the company would save $2,640 monthly. In addition, the IT team had planned to implement a new, automated password recovery and management solution as well as convert to a new anti-virus solution for their host machines. It was estimated that these projects would save the IT department an average of $52.50 per day in eliminated help desk calls.

Return on Investment: A Three Year Cost Analysis

This paper has described the costs associated with a single DDoS attack using a variety of scenarios. It is useful to analyze the impact of multiple attacks over a longer period of time to obtain an accurate picture of the return-on-investment (ROI) of any DDoS protection solution. A comprehensive security survey of over 370 networking and security managers from more than 14 industries reported that respondents experienced a weighted average of 4.5 DDoS attacks per year and an average attack duration of 8.7 hours.[8] The following table calculates the three year cost of the scenarios described in this paper using the information provided by the survey.

[8] SANS Institute, “DDoS Attacks Advancing and Enduring”, February 2014

Online Retailer – Scenario A (DDoS Attack)
  Single incident cost (8 hour): $98,724
  Estimated three year cost: Single incident cost x 13.5 = $1,332,770
  Estimated monthly cost: $36,743

Online Retailer – Scenario B (Data Theft)
  Single incident cost (8 hour): $25,688,606
  Estimated three year cost: (Single incident cost x 13.5) + Cost of data theft = $33,471,156
  Estimated monthly cost: $929,754

Software Company (DDoS Attack)
  Single incident cost (8 hour): $54,993
  Estimated three year cost: Single incident cost x 13.5 = $742,402
  Estimated monthly cost: $20,622

Using this analysis, we can see that the payback period for most DDoS protection solutions will range from immediate to less than 6 months depending on the cost, capability and performance of the particular solution.
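The cost model described in the Scenario A notes and the three-year ROI arithmetic above are simple enough to express as code, which lets a reader substitute their own inputs and see which assumptions drive each row. The following added example is not code from the NSFOCUS paper. Its inputs are the Scenario A figures from the paper's notes; the one assumption not stated in the paper is WORK_HOURS_PER_YEAR (251 working days of 8 hours), chosen because it reproduces the paper's IT-operations and productivity rows from the stated fully burdened salaries. Consultant hours, customer credits and PR charges are per-column inputs the paper lists rather than derives, so they appear as lookups. One practitioner's check the code makes visible: the Scenario A table totals are reproduced to the dollar, while 98,724 x 13.5 evaluates to 1,332,774 where the ROI table prints 1,332,770, so verify rounding conventions before reusing the three-year figures.

```python
"""Worked version of the paper's DDoS attack cost model (Scenario A, online retailer).

Added example; not code from the NSFOCUS paper. Inputs are the Scenario A
values from the paper's notes. WORK_HOURS_PER_YEAR (251 working days x 8
hours) is an assumption: it reproduces the paper's IT-operations and
productivity rows from the stated salaries. Consultant hours, customer
credits and PR charges are per-column inputs the paper lists, so they are
lookups here rather than formulas.
"""
from dataclasses import dataclass

WORK_HOURS_PER_YEAR = 251 * 8  # assumption, see module docstring

# Outage durations in hours, matching the paper's table columns.
DURATIONS_HOURS = (0.5, 2, 5, 8, 24, 72)

# Per-column inputs copied from the paper's Scenario A table and notes.
CONSULTANT_HOURS = {0.5: 8, 2: 10, 5: 12, 8: 15, 24: 20, 72: 40}    # note 4
CUSTOMER_CREDITS = {0.5: 3, 2: 11, 5: 27, 8: 43, 24: 128, 72: 383}  # note 5
PR_COST = {5: 1_200, 8: 1_200, 24: 2_400, 72: 3_000}                 # note 6
LOST_CUSTOMER_FRACTION = {8: 0.001, 24: 0.0025, 72: 0.005}          # note 7
PAPER_TOTALS = {0.5: 5_320, 2: 16_881, 5: 40_802, 8: 98_724,
                24: 272_471, 72: 721_713}                            # total row


@dataclass(frozen=True)
class RetailInputs:
    revenue_per_minute: float = 120.0       # note 1
    it_staff: int = 4                       # note 2
    it_salary: float = 108_000.0            # note 2, fully burdened
    help_desk_calls_per_hour: float = 20.0  # note 3
    cost_per_call: float = 1.0              # note 3
    consultant_rate: float = 200.0          # note 4
    annual_customers: int = 152_174         # note 7
    average_purchase: float = 230.0         # note 7
    trailing_revenue: float = 35_000_000.0  # company profile


def hourly_rate(fully_burdened_salary: float) -> float:
    return fully_burdened_salary / WORK_HOURS_PER_YEAR

def loss_of_revenue(inp: RetailInputs, hours: float) -> float:
    return inp.revenue_per_minute * hours * 60

def loss_of_productivity(staff: int, fraction_affected: float,
                         salary: float, hours: float) -> float:
    # Scenario C, note 1: 40% of 200 developers at $123,600 each.
    return staff * fraction_affected * hours * hourly_rate(salary)

def it_operations(inp: RetailInputs, hours: float) -> float:
    # Every IT operations engineer is engaged for the whole outage (note 2).
    return inp.it_staff * hours * hourly_rate(inp.it_salary)

def help_desk(inp: RetailInputs, hours: float) -> float:
    return inp.help_desk_calls_per_hour * hours * inp.cost_per_call

def consultants(inp: RetailInputs, hours: float) -> float:
    return inp.consultant_rate * CONSULTANT_HOURS[hours]

def customer_loss(inp: RetailInputs, fraction_lost: float) -> float:
    # Annual revenue of customers lost permanently to competitors (note 7).
    return inp.annual_customers * fraction_lost * inp.average_purchase

def brand_damage(trailing_revenue: float, valuation_multiple: float = 3.0,
                 diminished_value: float = 0.21) -> float:
    # Scenario B, note 7: 21% of a valuation of 3x trailing 12-month revenue.
    return trailing_revenue * valuation_multiple * diminished_value

def scenario_a_total(inp: RetailInputs, hours: float) -> float:
    direct = (loss_of_revenue(inp, hours) + it_operations(inp, hours)
              + help_desk(inp, hours) + consultants(inp, hours)
              + CUSTOMER_CREDITS[hours] + PR_COST.get(hours, 0))
    indirect = customer_loss(inp, LOST_CUSTOMER_FRACTION.get(hours, 0.0))
    return direct + indirect

def three_year_cost(single_incident: float, one_time_costs: float = 0.0,
                    attacks_per_year: float = 4.5, years: int = 3) -> float:
    # ROI section: 4.5 attacks/year x 3 years = 13.5 incidents; one-time
    # costs such as the Scenario B data theft are added once, not per attack.
    return single_incident * attacks_per_year * years + one_time_costs

def monthly_cost(three_year_total: float, years: int = 3) -> float:
    return three_year_total / (years * 12)

def matches_paper(inp: RetailInputs = RetailInputs()) -> bool:
    # The paper's totals are whole dollars with fractions dropped; int() does the same.
    return all(int(scenario_a_total(inp, h)) == PAPER_TOTALS[h] for h in DURATIONS_HOURS)


if __name__ == "__main__":
    inp = RetailInputs()
    for h in DURATIONS_HOURS:
        print(f"{h:>5} h  ${scenario_a_total(inp, h):>12,.0f}")
    print("matches paper's Scenario A totals:", matches_paper(inp))
    eight_hour = three_year_cost(scenario_a_total(inp, 8))
    print(f"three-year ${eight_hour:,.0f}, monthly ${monthly_cost(eight_hour):,.0f}")
```

Keeping the per-column inputs (consultant hours, credits, PR) separate from the derived rows makes clear which parts of the model are formulas and which are judgement calls to revisit for your own organization; the derived rows change automatically when the salary, head-count or revenue-per-minute inputs change, while the lookups must be re-estimated.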

Conclusion

In examining the direct and indirect costs of our three sample scenarios it becomes clear that the distribution of costs can vary widely depending on the results of the attack. While direct costs related to service disruption are relatively easy to identify, the indirect costs associated with either a data breach or the permanent loss of customers can quickly become the most expensive portion of a DDoS attack. As shown in Scenario B, the damage due to the theft of customer data and the loss of customers dwarfed the direct costs incurred as a result of the attack. It is imperative that any cost analysis include both direct and indirect costs in order to obtain a complete view of the financial impact of the attack. The charts below depict the cost distribution of an eight-hour outage for the three sample scenarios.

The Economics of DDoS Attacks: A Macro View

Unfortunately, it has never been easier or less expensive to launch a DDoS attack. The last decade has seen orders of magnitude increases in bandwidth, compute power and device connectivity that make it easy to quickly overwhelm the online activities of most companies and organizations. Compounding the problem is the fact that the technical barrier to entry for launching DDoS attacks has never been lower. The early days of hacking required some amount of technical skill and a detailed understanding of the underlying network and application protocols to create an attack. Today, there are massive, automated botnets available for rent ranging from $10 to $300 USD monthly and capable of generating up to 3 Gbps worth of attack traffic.[9] They can be combined and used with other amplification techniques to generate an overwhelming amount of attack traffic. These botnets increasingly use sophisticated, complex, multi-layer attacks but can be controlled with a simple web GUI front-end. A single credit card number or PayPal account and the IP address (or addresses) of the victim are often all that is needed to launch massive attacks capable of disrupting critical online systems. DDoS attacks are at an inflection point where the low cost and simplicity of launching an attack mean that their frequency will only increase. We saw the same thing a few years ago with spam, when the cost of sending bulk email dropped, and compute power, bandwidth and email software improved, and the amount of SPAM increased. Similarly, trends in the cost, performance and availability of modern DDoS attacks point to the proliferation of these types of attacks for the foreseeable future.

Summary

This paper has detailed the cost factors to consider when evaluating the financial impact of DDoS attacks on any organization. It has also demonstrated how the costs can vary based on the nature of the threat, the type of business under attack and the vulnerabilities that are exploited. It provided a template that can be used to measure the impact of any potential attack for your specific situation and provides a cost model that is useful for evaluating the ROI of DDoS protection solutions. Finally, it described the wide landscape of threat actors, threat vectors, motivations and economic trends that will continue to drive the increased frequency and effectiveness of modern DDoS attacks for the foreseeable future.

[9] Karami, Park and McCoy, “Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services”, August 2015

03122015

NSFOCUSGLOBAL.COM

