A breakdown in costs to analyse the binary and produce the required output is as follows:
The investigation team consisted of 2 people, sniph and elliot.
Time spent analysing the software:
Incident Investigator 1 - sniph: 26 hours
Time spent coding custom analysis tools:
Incident Investigator 2 - elliot: 20 hours
Time spent documenting results:
4 hours each
In a typical scenario, the compromised machine would have been taken offline for forensic analysis. As such, it would not have been available for the 26 hours spent analysing the code. In a critical security incident, it can be assumed that the investigation team works more than 8 hours per day. This would suggest a total of 2.5 days of outage before the system can be either cleared for production or rebuilt from a stored backup. Rounding this to 3 days, one can assume that the system downtime in working hours was 24 hours total (3 days * 8 hours per day). If the system was high availability, the costs would increase depending on the resources available for forensic analysis.
An assumption of 50 affected users, at a cost of $12.00 lost per hour per user, was used in calculating cost of damage to individual users.
The total costs can be seen in the following chart:
| Title | Hours | Cost/Hr | Total | -15% | +15% |
|---|---|---|---|---|---|
| Incident Investigator 1 | 30 | $33.65 | $720.00 | $612.00 | $828.00 |
| Incident Investigator 2 | 24 | $33.65 | $807.60 | $686.46 | $928.62 |
| System Downtime | 50 Users * 24 Hours | $12.00 | $14,400.00 | $12,240.00 | $16,560.00 |
| Subtotal | | | $15927.60 | $13538.46 | $18316.62 |
| Benefits @28% | | | $4459.728 | $3790.77 | $5128.65 |
| Subtotal - Salary + Benefits | | | $20387.33 | $17329.23 | $23445.27 |
| Incidental Costs | | | $1000 | $850 | $1150 |
| Total Labour Cost | | | $21387.33 | $18179.23 | $24595.27 |
sniph has worked as a network engineer, systems administrator, and coder for the last 6 years. The last 2 years have been specifically in a security consulting role.
elliot has worked as a network engineer, coder and security consultant for the last 4 years.