No. I made no claim about attack procedure. I said an attack that would cause X dollars of damage which can include instantaneous, short duration, remote control, automated control, long duration, social engineering, multiple attacks, etc. To constrain the type of attack is ludicrous since attackers are not required to constrain the type of their attack, so doing so does not properly reflect the threat model.
What is your evidence that better privilege management would prevent an attack funded on the order of $30M from being anything other than devastating? Given that nearly every company in the world is routinely successfully attacked, I see no justification for giving the benefit of the doubt to claims of security that are not rigorously analyzed and tested. Have you ever seen a company run a $30M pentest that did not find ways in? If your answer is that no company does a $30M pentest since that is a crazy amount to pay, that supports my point since they are only bothering to test things easier than the standard I put forward. There is no reason to trust an entity in an industry that claims they are better than can be verified. If your answer is that a $30M pentest is not indicative of anything and nobody tests that way, then please suggest a test that correlates to difficulty of attack that is at the $30M level. If the answer is no such test exists, then I fail to see why there should be any confidence at all in claims that cannot even be loosely quantified or correlated against the primary problem.
I will actually claim $30M is far too high. I bet attacks of this caliber would only take ~$1M to develop and deploy against best-in-class defenses. Therefore, my extortion argument actually becomes that they engineer 30 independent attacks and can burn one or two of them to demonstrate that they can do at least $300M in damages. Even developing 30 independent attacks, the strategy is highly profitable under my assumptions.
No, the extortion market is new. There is no reason to suggest that a new greenfield market with a multi-billion dollar potential market should be instantaneously saturated. That is ridiculous. This should be especially true in light of the fact that criminals do not have access to high-growth funding models due to being criminals, so they are generally required to bootstrap. Just because some criminal act is not done does not mean that it cannot be done. Nobody hijacked a plane and flew it into a building before 9/11, but nobody is claiming that it was not feasible beforehand or that it would not have been an efficient act of terror if done previously.
If you actually want to make a meaningful counter-argument that may be convincing, please start from $300M in damages and then back-calculate the necessary cost of attack for a criminal to find such an attack profitable. State assumptions on each step for why it influences cost or benefit in some fashion and then we can discuss if those steps seem reasonable. I already did this previously when back-calculating to $30M from $300M, so you could also discuss why you think the individual steps are invalid. Please try to include quantitative estimates or beliefs. Ranges and probabilities are fine to hedge any statements.