There’s a new metric on Wallarm’s Dashboard — the cost of resources invested by hackers to attack your site. How do we measure it, and why does it matter?
What metrics are used to analyze attacks?
Information security is a process that subtracts funds from a business. Still, the cost effectiveness of this process is very difficult to measure. It’s impossible to estimate possible damage from an incident before it happens — and since information security doesn’t generate profit, ROI calculation is also always tricky.
We’ve considered the needs of our customers requiring quality attack analysis. Classic metrics, such as the quantity of attacks and their geography, are simply not representative. Protecting a site — it’s not an advertising company, attackers can change their ‘geographic address’ as they please. And what does the ‘map’ of attack distribution by continent show? Internet coverage around the globe! Unique IP addresses are also not indicative: cheap cloud resources and Tor can give one attacker thousands, or even hundreds of thousands, of different end IP addresses.
At Wallarm, we analyze attacks themselves — their nature, their character, and not just their sources. We understand when an attacker changes his IP address but continues the same attack. We understand when one scanner is using a distributed network with multiple external addresses.
We avoid using unnecessary data in Wallarm’s interface. We understand that users can’t keep track of dozens of metrics. Every extra second the operator spends on looking at and understanding the interface is another second for hackers to conduct their attack.
Therefore, we’ve developed an aggregate metric that helps tie together attackers and business risk.
Now, Wallarm users can evaluate safety risks in business terms — in money. This is truly necessary.
New metric — “Cost of attacks”
Starting today, Wallarm calculates the cost of resources expended to carry out each attack!
Cost of attack resources = cost of equipment + cost of tools:
- Cost of equipment is quite simple to calculate. For example, if the source of the attack is located in a cloud provider’s infrastructure, we take the average cost of this cloud instance from an public price list and use that in our calculation. If it’s VPS, we check the rental price of a similar server. And so on for other types of resources. We figure that if the resource is hacked and captured, then the cost of such an action is comparable to the cost of its lease at market price (this is our approach in calculating).
- The cost of tools makes small adjustments to the overall meaning of the cost of the attack, since that sum is mostly a question of the cost of equipment. Nevertheless, we take into account the market value of the tools used in the attack (licenses for the vulnerability scanners used in the attack, etc.). Here, we don’t consider the possibility that the attackers are using a cracked tool or a foreign license. By the way, instead of analyzing User-Agent and other signature-based methods (which is just funny, at this point), Wallarm implements behavioral fingerprinting schemes to determine the tools used in the attack. We’re planning to write about them in future posts.
In the future, we plan to finalize the calculation algorithm to include the cost of human resources for attacks. We already have classifications for hackers by skill level and ability based on an analysis of attack vectors and behavior, and we plan to take this into account in accordance with the labor market cost of safety consultants.
What the new metric gives you
The purpose of our metrics is to give you a minimum estimate in monetary terms of the cost to hackers to attack your project. Those resources that they’ve definitely already spent on you.
In the future, we want to give you a maximum estimate for this value and identify trends so that it’s even easier for you to work with information security in business terms: predicting risks, determining liquidity costs, assessing the effectiveness of measures you’ve taken, and solutions.
You still haven’t tried Wallarm? Time to order demo access!