A breakdown of the cost of analysing the binary and producing the required output follows:
The investigation team consisted of two people, sniph and elliot.
Time spent analysing the software:
Incident Investigator 1 (sniph): 26 hours
Time spent coding custom analysis tools:
Incident Investigator 2 (elliot): 20 hours
Time spent documenting results:
4 hours each
Total billable hours: 30 (sniph), 24 (elliot)
In a typical scenario the compromised machine would have been taken offline for forensic analysis, so it would have been unavailable for the 26 hours spent analysing the code. In a critical security incident the investigation team can be assumed to work more than 8 hours per day (roughly 10), which puts the elapsed time at about 2.5 calendar days before the system can be either cleared for production or rebuilt from a stored backup. Rounding this up to 3 days, the downtime in working hours is 24 hours (3 days * 8 working hours per day). If the system were high availability, the cost would rise depending on the resources available for forensic analysis. Note that this estimate assumes the analysis is performed on the live host; if a forensic image is taken first, the host can be rebuilt while analysis continues on the image, and the outage shrinks to the imaging and rebuild time.
The cost to users was calculated assuming 50 affected users and a loss of $12.00 per user per hour of downtime.
The total costs are shown in the following table (estimate, then a -15% / +15% range):
|Item|Hours|Rate|Estimate|Low (-15%)|High (+15%)|
|Incident Investigator 1|30|$33.65|$720.00|$612.00|$828.00|
|Incident Investigator 2|24|$33.65|$807.60|$686.46|$928.62|
|System Downtime|50 users * 24 hours|$12.00|$14,400.00|$12,240.00|$16,560.00|
|Subtotal - Salary + Benefits|||$20,387.33|$17,329.23|$23,445.27|
|Total Labour Cost|||$21,387.33|$18,179.23|$24,595.27|
Reading the table: the Subtotal is the sum of the three estimates with a 28% benefits loading applied (1.28 * $15,927.60 = $20,387.33), and the Total adds a further $1,000.00 (also carried at -15% / +15%) that is not itemised above. Two figures do not reconcile as printed: Investigator 1's estimate of $720.00 corresponds to 30 hours at $24.00 rather than the $33.65 listed, and Investigator 2's high figure should be $928.74 (1.15 * $807.60), which would raise the high Subtotal and Total by $0.16 to $23,445.43 and $24,595.43.
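The cost model behind the table, as an added example that is not part of the original report: each row is hours * rate with the -15% / +15% band, the Subtotal applies the loading factor that the printed figures imply, and the Total adds the un-itemised line that separates it from the Subtotal. The 1.28 loading factor, the $1,000.00 extra line and the $24.00 rate for Investigator 1 (the rate implied by the printed $720.00) are inferred from the table and are assumptions; the downtime rounding follows the paragraph above. Where the computed values differ from the printed ones (Investigator 2's high figure and the high Subtotal and Total that depend on it), the computed values are the arithmetically consistent ones.

```python
"""Incident cost model reconstructed from the breakdown above.

Added example, not part of the original report.  Hours, rates and user
counts come from the table; the loading factor, the un-itemised extra line
and the $24.00 rate for Investigator 1 are inferred from the printed
figures and are therefore assumptions.
"""
import math
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
BAND = Decimal("0.15")               # Low/High columns are -15% / +15% of the estimate
BENEFITS_LOADING = Decimal("1.28")   # assumption: Subtotal / sum of estimates in the table
UNITEMISED_EXTRA = Decimal("1000")   # assumption: Total - Subtotal in the table, not itemised
WORKING_HOURS_PER_DAY = 8


def money(value) -> Decimal:
    """Round to cents, half-up (spreadsheet behaviour), not banker's rounding."""
    return Decimal(value).quantize(CENT, rounding=ROUND_HALF_UP)


def downtime_working_hours(analysis_hours, shift_hours=10):
    """Working hours of outage while the host is held for analysis.

    Elapsed analysis time is converted to calendar days at the team's shift
    length (the text assumes more than 8 h/day; 10 h reproduces its 2.5 days),
    rounded up to whole days, then charged at the business day.
    26 h -> ceil(2.6) = 3 days -> 24 working hours.
    """
    calendar_days = math.ceil(analysis_hours / shift_hours)
    return calendar_days * WORKING_HOURS_PER_DAY


def line(quantity, rate) -> dict:
    """One table row: estimate plus its -15% / +15% band."""
    estimate = money(Decimal(quantity) * Decimal(rate))
    return {
        "estimate": estimate,
        "low": money(estimate * (1 - BAND)),
        "high": money(estimate * (1 + BAND)),
    }


def cost_model(investigators, users, downtime_hours, user_rate) -> dict:
    """investigators: iterable of (name, hours, hourly rate as str or Decimal).

    Returns the rows plus the Subtotal (after loading) and the Total
    (Subtotal plus the un-itemised extra) for the estimate/low/high columns.
    """
    rows = {name: line(hours, rate) for name, hours, rate in investigators}
    rows["System Downtime"] = line(Decimal(users) * Decimal(downtime_hours), user_rate)
    columns = ("estimate", "low", "high")
    raw = {c: sum(row[c] for row in rows.values()) for c in columns}
    subtotal = {c: money(raw[c] * BENEFITS_LOADING) for c in columns}
    extra = line(1, UNITEMISED_EXTRA)
    total = {c: money(subtotal[c] + extra[c]) for c in columns}
    return {"rows": rows, "subtotal": subtotal, "total": total}


# Inputs from the report: 26 + 4 h for sniph, 20 + 4 h for elliot, 50 users at $12.00/h.
# $24.00 is the rate implied by Investigator 1's printed $720.00 for 30 h (assumption).
REPORT = cost_model(
    investigators=[("Incident Investigator 1", 30, "24.00"),
                   ("Incident Investigator 2", 24, "33.65")],
    users=50,
    downtime_hours=downtime_working_hours(26),
    user_rate="12.00",
)

if __name__ == "__main__":
    for name, row in REPORT["rows"].items():
        print(f"{name:28} {row['estimate']:>10} {row['low']:>10} {row['high']:>10}")
    for label in ("subtotal", "total"):
        r = REPORT[label]
        print(f"{label:28} {r['estimate']:>10} {r['low']:>10} {r['high']:>10}")
```

Money is kept in Decimal with half-up rounding so the cents match what a spreadsheet produces; with floats the Subtotal would still round correctly here, but the habit matters once the figures feed a budget. Changing `shift_hours`, the user count or the per-user rate shows how sensitive the Total is to the downtime assumption, which dominates the labour lines by an order of magnitude.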
sniph has worked as a network engineer, systems administrator and coder for the last 6 years, the last 2 of them specifically in a security consulting role.
elliot has worked as a network engineer, coder and security consultant for the last 4 years.