Miners and Minions: Data Breaches aren’t the Only Thing that Cost You

Lori MacVittie 缩略图
Lori MacVittie
Published July 23, 2018

Sure, a data breach may cost more (at least right now) and it certainly forces your failure into the limelight (you gotta notify) but security can’t be just about data exposure.

These days you only hear about a breach if there’s been a data exposure component. The way some folks talk (and write), breaches only matter if there is data exposure. A recent report from Netwrix on security and IT risk noted, in fact, that “organizations are planning to focus their investments on securing sensitive data, as they cannot foresee every possible threat.” (2017 IT Risks Report)

Given that the average cost of a data breach is topping the scales at over $3 million based on research from Ponemon (sponsored by IBM), that certain seems like a sound strategy. Protect the data. After all, it not only costs in terms of dollars, it also tarnishes the corporate brand and reputation as well as often costing folks their jobs.

The problem with such a myopic security strategy is that it completely ignores that there are just as many costs associated with other breaches. Because no one attacks your defenses with the intention of walking away once they do. Attackers aren’t in it for the self-satisfaction of gaining access to your network or systems. We’re well past the simple “defacement as a rite of passage” phase in the hacking community. More often than not, today’s attackers are in it for the money.

And while we know that credentials and personal data are worth a pretty penny on the dark web, data isn’t the only way to earn money these days. The highly lucrative cryptomining market has proved that of late. A very detailed and lengthy (and worth the time to read) blog from Talos calculates that a single cryptojacking campaign could generate anywhere from $182,500 per year to a whopping $100 million annually:

“To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically. “ 

Theoretically, of course.

These numbers are startling, but it’s not the profits generated for the miners that’s necessarily germane to today’s post. That’s just the driving reason for attacks. A couple hundred thousand dollars is good reason to seek out free resources, after all. And because it’s so lucrative you should be more aware of the costs associated with breaches that leave miners and minions behind in your infrastructure.

The Cost of Illicit Resource Consumption

The costs of a data breach are well-documented and range from cleanup costs to notification and compensatory expenses.  The costs of other breaches are not so well-documented, but exist nonetheless in the form of unnecessary operational expenses and lost opportunity costs. Whether we’re talking miners or minions, traditional Linux-based processes or containerized code, the reality is that once deposited, these foreign and undesirable bots are illicitly consuming resources that cost real money at the end of the month (or quarter, depending on how often you pay your cloud bill).

Some may think that it may be these bots are consuming resources you would have paid for anyway. I mean, it seems like that might be true – you only use 20% of that instance/server on average, but you’re paying for 100% no matter what. So really, are the bots costing you real revenue?

You darn right they are.

Let us for a moment remember the premise of auto-scale – one of the reasons many organizations embrace the public cloud. When load or performance surpasses a threshold, we want a new instance to launch to meet demand. If we have an instance that is only using 20% to service legitimate clients, and a bot suddenly consumes the other 80%. We are going to pay for a second instance, and then a third, and a fourth, and finally a fifth to meet the demand that could have been met by a single instance if it were not being utilized illicitly.

So there’s that cost. 

For those who are passionate about the environment, there’s also the increased carbon emissions from increased electricity usage. Fascinating fact, but when compute is idle, it draws fewer watts than when it’s full engaged (particularly when it’s performing highly complex cryptographic calculations). So if a miner or minion is chugging away, it’s costing you in kilowatt hours (if it’s on-premises) and in instance hours (if it’s in the public cloud), all of which drives up your carbon footprint.

Drawing more power means more heat, which needs to be offset by additional cooling. So there’s even more electricity being used. And there’s the systems that monitor the temperature and report on the temperature… well, you get the point. There’s a lot of ancillary computing power used to run a data center – in the cloud or on-premises – that costs you increasing amounts of operational dollars thanks to illicit resource consumption.

As noted in the aforementioned blog from Talos, some of these cryptomining scripts are smart. They’re evasive, and they’re able to keep your machines from going into standby, rebooting, logging of, or any other activity that might interrupt their operation. They keep your machines running 24x7 and scrape every last digital bit they can before you call in the exterminator.

So that’s tangible costs – the ones you can see in the ballooning utility and cloud bills. What about the intangible costs? Like the loss of a customer (or potential customer) due to poor performance?

Well, let’s remember operational axiom #2: as load increases, performance decreases.

If a miner or minion is consuming resources, it’s adding to the overall load on a server which is going to decrease app performance. Like gravity, it’s a law. The impact of poor performance is well-documented. For example, we know from AppDynamics’ research that 8 of 10 users have deleted an app because it performed poorly. We know that Amazon and Google and Walmart have all documented the impact even microseconds make on revenue, conversions, and purchases. Depending on the industry, that lost app or slight degradation of performance can translate into measurable losses pretty quickly.

Even if you don’t want to do the actual math (and I certainly don’t), the general idea speaks for itself: miners and minions cost organizations real dollars in a variety of ways. While yes, data exposure is a serious security and business risk that’s critical to defend against, let’s not ignore that any breach can result in serious consequences. 

A startling 25% of organizations, according to RedLock Cloud Security Trends May 2018, are currently suffering cryptojacking activity in their environments. Tripwire similarly noted that 15 million people were affected by a single Monero mining operationeWeek reported on a utility whose compute resources were being dramatically drained by illicit cryptomining operations.

These reports are growing more frequent, likely in the hopes of bringing the seriousness of these activities to light. The important thing to note about miners – and minions serving in botnet armies – is that they are evidence of a breach in your defenses, none of which are necessarily related to sensitive data.

Focusing too narrowly on protecting data is a good way to add your name to the mounting list of companies that have paid to make cryptojacking such a lucrative business. The uncertainty of what attackers will exploit next is not a good reason to shift our focus away from a comprehensive security strategy and put all our efforts on protecting data. Let’s protect the business – and that includes the operational line items that can eat away at the corporate bottom line.