How much money does it take to equip a fully funded black hat team? How much money to defend against such a team?
$2500 is all it takes to get a black-hat operation started
In 2009, it was reported that US banks lost more than $140M from Internet heists, as quickly as $10M in one 24-hour period.
I believe it is possible to start a criminal operation with as little as 2500 US dollars.
- Cloud servers: 300 US dollars for 3 months
- LAMP stack: 0 US dollars
- Malware that can steal money from banks: 700 US dollars (ZeuS, although sub Meterpreter)
- Web exploit delivery/management system: 800 US dollars (Fragus, although sub Drivesploit)
- An affiliate system using advertising to drive traffic/eyeballs: 700 US dollars (or a nice SQLi or RFI botnet)
Total: 2500 US dollars
My proof
Brian Krebs runs articles on Security Fix focused on fraud. There are countless examples, but let me pick on this one regarding a county in Kentucky that lost 415,000 US dollars in 2009 to the exact situation I created above. This particular one involved 45 or so wire transfers in amounts just under 10,000 US dollars. Considering mules were paid about 500 dollars each, and the whole operation involved 2-4 UKR scammers, you are still looking at a 391k score split 2-4 ways, with almost no investment other than the time to babysit the money mules and grease over the affiliates (oh, and that initial 2500, lest I forget that!).
The skills of these scammers can also be very, very low. This isn't even college-level system administration. Anyone with a summer interest in Linux could get this operation going. Yes, there is also the money mule piece, which perhaps takes a good scammer with some experience and way above average charisma -- but we assume that at least one out of every 3 criminals already has these skills.
Go back to any of those articles and reverse engineer what you think it took the criminals/scammers to get their job done.
The Cost of Defense: 6-7 percent of IT budget
You've seen the cost of PCI DSS compliance numbers no doubt; ignore those for a second. Gartner says that the security budget should be between 6 and 7 percent of the total IT budget. UMD professors Lawrence Gordon and Martin Loeb say not to spend more than 37 percent of the value of the asset you are trying to protect.
Staff your org with incident handlers to the number of incidents
I say that we need to hire to the incidents. If you have 1-400 incidents a year, you are going to need somewhere between 1 and 400 security incident handlers. Calculate the time involved in handling the incidents and hire accordingly. I am perfectly fine with staffing taking up the entire information security budget, and so should your IT finance decision-makers. People play the most important role in an information security management program.
If you haven't had any incidents, perhaps now is a good time to hire an incident response and forensics / malware research company to come in and determine if you have actually had an incident or not (let's say this is a 20k one-time assessment). While that's going on, stay on the safe side and hire at least one FTE incident response manager (100k/year) -- especially assuming you have at least 250k worth of stuff to steal, or brand damage to be done.
Monitor your apps, systems, and networks
Hand your new incident response manager an OSSIM CDROM to install in an AMI instance or whatever. Email can be sent to his or her GMail/GApps account for all I care. The point is that most companies overspend on firewalls, VPNs, and "security server hardware". I think most companies would be better served with an open firewall and access-list policy, but using the bogon filters and FATF Blacklist as null routes on every router or system with a public IP (or NAT/PAT'd to one). Give the manager at least enough budget to cover the cost of TruArx for the year if there is no other risk management portal in place already.
Give risky job roles safe tools and awareness training
Finally, equip any worker that is handling financial, banking, or payment card information (or anything else with a severe data classification) with a freaking iMac or Mac Pro and training to go with it. Make sure they have to complete some sort of SaaS-based security policy and awareness training with providers such as Cornerstone OnDemand. This may in fact be the cheapest answer to the problem, but this is the TRUST not the VERIFY. The incident manager/team provides the verification. There have been reports of targeted malware inside large-installation Mac-centric companies, although they are not hit quite as bad on the drive-by-download frontal assault. If Win7 is required, then implement a rollback-before-every-transaction VM-guest strategy.
The Cost of Application Security Defense
The real expense comes if your company or organization doesn't buy COTS, but instead rolls their own code (or outsources app development). In this situation, things can get really expensive in the long-term if the org doesn't start a very thorough appsec program before the design and coding starts. Even then, most co-ordination with application security consulting companies costs at least 1-4 million dollars over 2-3 years. If you have 10M US dollars worth of applications to protect, this should be a no-brainer -- it's going to also increase the quality of the apps and your business intelligence. It is also where the Gartner IT spending strategy tends to fall down for information security management programs, especially considering that firewalls still take up over 50 percent (and some as high as 90 percent) of Fortune/Global 2000 security budgets.
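The "bogon filters and FATF Blacklist as null routes on every router or system with a public IP" recommendation in the answer above, worked through as an added example. This is Python written for this page, not code from the answer's author or from any of the tools it names. It assumes a short constructed subset of the IPv4 bogon list (a real deployment would pull the full, current feed), a hypothetical blocklist that has already been resolved to address blocks (constructed documentation ranges, not real attribution; mapping FATF jurisdictions to prefixes needs a geolocation source that is not shown), and a few constructed access-log lines to test against.

```python
import ipaddress

# Constructed bogon list: a handful of well-known reserved / unallocated IPv4
# ranges. A real deployment would pull the current full bogon feed (e.g. from
# Team Cymru) and refresh it regularly, since allocations change.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]

# Hypothetical blocklist prefixes standing in for a policy list (FATF or any
# other) that has ALREADY been resolved to address blocks. These are
# documentation ranges, constructed for the example, not real attribution.
BLOCKLIST = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/26"]

# Constructed web-server access log lines used to test the filter offline.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2010:10:00:00 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.200 - - [01/Jan/2010:10:00:01 +0000] "POST /login HTTP/1.1" 401 88',
    '192.0.2.44 - - [01/Jan/2010:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 0',
    '93.184.216.34 - - [01/Jan/2010:10:00:03 +0000] "GET / HTTP/1.1" 200 1024',
]


def build_blackhole_set(*prefix_lists):
    """Parse, validate and aggregate prefixes into the minimal set of networks.

    strict=True rejects entries with host bits set (a typo such as 10.1.2.3/8
    would otherwise silently blackhole the whole /8). collapse_addresses merges
    adjacent siblings and drops prefixes already covered by a larger one, so
    the router is handed the fewest routes possible.
    """
    nets = []
    for prefixes in prefix_lists:
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=True)
            if net.version != 4:
                raise ValueError(f"IPv4 only in this example: {p}")
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def render_null_routes(nets, style="linux"):
    """Emit one null/blackhole route per aggregated prefix."""
    if style == "linux":
        return [f"ip route add blackhole {n.with_prefixlen}" for n in nets]
    if style == "ios":
        return [f"ip route {n.network_address} {n.netmask} Null0" for n in nets]
    raise ValueError(f"unknown style {style!r}")


def is_blackholed(addr, nets):
    """True if addr falls inside any blackholed prefix."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def dropped_sources(log_lines, nets):
    """Return the source IPs (first field of each log line) that the blackhole
    set would have caught; handy for estimating how much noise it removes."""
    return [line.split(" ", 1)[0] for line in log_lines
            if is_blackholed(line.split(" ", 1)[0], nets)]


if __name__ == "__main__":
    nets = build_blackhole_set(BOGONS, BLOCKLIST)
    print("\n".join(render_null_routes(nets, "ios")))
    print("would drop:", dropped_sources(SAMPLE_LOG, nets))
```

Two caveats a practitioner would want before pushing this to a router. First, a null route matches the destination address, so by itself it only stops replies toward the bogon prefix (the TCP handshake never completes, but the packets still arrive); to drop them on ingress by source, pair the null routes with loose-mode uRPF on IOS-style gear (`ip verify unicast source reachable-via any`), or on Linux feed the same aggregated set into a firewall drop rule rather than relying on the blackhole route. Second, the constructed list above includes RFC 1918 space, so apply it only at the public edge, never on a device that also forwards internal traffic.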
Generally, it depends on the final goal - who is the target and what are the terms. I suppose nothing has drastically changed since what Richard Bejtlich was talking about. Anyway, there is another good presentation from Charlie Miller about a cyber army, defense and attack investigation: https://www.defcon.org/html/links/dc-archives/dc-18-archive.html (Kim Jong-il and Me: How to Build a Cyber Army to Defeat the U.S.).
Interestingly, based on the team I ran for the last couple of years, a million could happily fund a reasonably successful attack on any major corporate entity, government department or agency.
The $10M heist that atdre referenced cost the attackers around $180k, based on some reasonable assumptions on the payoffs to the team including techies, mules, grunts etc. And broadly speaking, that should have been successful, if it wasn't for the usual "loose lips sink..." etc - but that was an attack on low hanging fruit + some reasonably clever work around account limits.
You can attack for much less than that, but if you want it to be successful, then you need some reasonable intelligence. $750k to $1M is a good ballpark, covering decent zero-day research, scanning teams, attack, money movement etc.