The cost of developing a package of tools for an advanced persistent threat (APT) attack could be as little as US$15,000, estimates a security vendor.
In a report released Thursday, Positive Technologies reached that conclusion after examining the tools used by 29 APT groups in attacks over the last two years, drawing on its own data (including postings on 190 dark web sites and sites selling APT tools) and on public reports from other security companies.
The lower estimate breaks down like this (all figures in U.S. dollars):
– $2,000 for tools to develop malicious attachments for a spear phishing attack (not including the cost of a zero-day vulnerability);
– at most $5,000 for malware;
– and at a minimum $8,000 for commercial penetration testing tools to find vulnerable systems. The report says its research suggests just under half of currently active APT groups use pentesting tools to identify and exploit security weaknesses.
The report acknowledges that actual expenses could be higher, depending on how much an APT group wants to spend and on the target. For example, commercial penetration testing tools can cost as much as $40,000. It estimates that the cost of the tools needed for an attack on a bank would start at $55,000, and that a cyberespionage campaign would cost at least $500,000 to start.
There could be other operational costs to an attack, such as renting servers, buying domain names, hosting websites, and paying for VPN services, to name a few. But the report estimates those expenses could total as little as $1,000.
The point is that to an attacker the cost is relatively low compared to the potential reward. “Just a few successful attacks are enough for the ‘investment’ in purchasing or developing tools to pay off,” the report points out.
“Companies need a sober understanding of the protection systems in place to secure their key assets,” the report warns. “Solutions must be comprehensive, limiting criminals’ space for maneuver and ensuring maximum coverage of security events in the context of system logs, traffic, and network objects. Full awareness of infrastructure events is a critical link in the threat hunting chain for detection of the actions of APT groups.”
To put some perspective on the numbers, the report looks at what Positive Technologies has found about an APT group it calls Silence, which it believes was behind the theft of about $930,000 from automated bank machines (ATMs) of PIR Bank in Russia. Silence uses the free Sysinternals Suite and Metasploit Pro, plus a number of self-developed tools, including a toolkit for hacking ATMs, the report says.
The report estimates Silence could have spent between $140,000 and $465,000 to get that $930,000.
The report also notes how the cost of tools can fall. For example, an exploit builder for a vulnerability purchased by one APT group in 2017 for $10,000 now runs about $400.