Bug Bounties

26.07.24 11:26 AM - By Benjamin Langrill

Are you focusing on the wrong security problem?

One way to calibrate security energy and influence energy is to look at bug bounty programs. These are programs where a hardware or software vendor offers cash payouts to hackers who can demonstrate vulnerabilities in its products.

This sets an economic floor on the size of organization that needs to worry about this type of attack: for a cybercriminal to use the vulnerability rather than sell it to the vendor, the expected value of the attack must exceed the bounty. That value could come from using the capability to deploy ransomware against a large company, or from selling the capability to another criminal group that will. Note that the bounty is only a lower bound on what the capability is worth; other buyers may pay several times the vendor's price, so treat the bounty as a floor rather than an estimate of the capability's market value.

The dollar value of each bounty lets you estimate the skill sets and time required to build a capability at that level of influence energy. This gives a good sense of what kind of threats exist at each level.

Every time an undisclosed, high-energy capability is used, the attacker runs the risk of the technique being discovered and patched. At that point the capability's potential ROI plummets, because organizations with high security energy will patch promptly.

This risk is incurred on every use and against every target, so attackers must be judicious about whom and what they target with such capabilities.

You might ask, "don't I still need to worry about public threats?" Yes, and you can mitigate them with good device management and regular updates. Check out my level 0 security checklist to see the minimum that covers public threats.

Take the iPhone bug bounty, for example. If you can demonstrate a technique to take over an iPhone via its USB port (i.e. a malicious charger), Apple will pay you $100,000. If you have this capability, it makes no sense to plant it in an airport, where any random passerby might be a technical person who discovers the attack and burns the capability.

Another example is a hypervisor breakout (VM escape) exploit. Modern application and server hosting almost universally runs on virtual machines, whether on-prem or in the cloud. The threat is that one guest becomes compromised and the cybercriminal then breaks out of the virtual machine to affect other workloads on the same physical host. Such an exploit would have tremendous value to attackers, because high- and low-security servers often share hardware and rely on the hypervisor as the security boundary.

Look at the Microsoft bug bounty for Hyper-V, the hypervisor behind Azure, and you can see that such a bug would be worth up to $250,000 if disclosed to Microsoft.

Put yourself in the shoes of a cybercriminal who has developed this capability: they would have to be confident of clearing more than $250,000 from an operation before attempting it in a production environment. They would also need excellent targeting capability to know when the right moment to deploy it had come. A "spray-and-pray" attack across Azure to compromise many physical hosts would very likely get them caught, prompt the vendor to investigate, and end with the bug patched and no ROI.

Such a capability would need to be part of an Influence Energy 4+ campaign, where the total attack value is at least $1 million ($250k for the exploit itself, $250k for targeting, $250k for custom malware and infrastructure, and $250k for the actions that actually produce the ROI).

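To make the cost-benefit argument above concrete, here is an added illustration; it is not code or figures from the original post. It assumes a deliberately simple model: each deployment of an undisclosed capability either goes undetected and earns a payoff, or is detected with some probability, which gets the technique patched and ends any further returns. The scenario numbers (a $1M targeted operation with a 20% chance of being burned, versus $20k per host at 50% in a spray-and-pray) are constructed assumptions; only the $250,000 bounty figure comes from the post.

```python
# Added illustration for this post, not code from the original. It assumes a
# deliberately simple model: every deployment of an undisclosed capability
# either goes undetected and earns `payoff`, or (with probability `p_burn`) is
# detected, which gets the technique patched and ends all further returns.
# `bounty` is the vendor's disclosure payout, the alternative "safe" return.


def expected_value(payoff: float, p_burn: float, uses: int) -> float:
    """Expected total return from attempting `uses` deployments in sequence.

    An attempt pays only if this and every earlier attempt went undetected,
    so each successive deployment is worth (1 - p_burn) times the previous one.
    """
    if not 0.0 <= p_burn <= 1.0:
        raise ValueError("p_burn must be a probability")
    if uses < 0:
        raise ValueError("uses must be non-negative")
    survive = 1.0
    total = 0.0
    for _ in range(uses):
        survive *= 1.0 - p_burn      # this attempt must also go undetected
        total += survive * payoff
    return total


def value_ceiling(payoff: float, p_burn: float) -> float:
    """Limit of expected_value as the number of uses grows without bound.

    The geometric series sums to payoff * (1 - p_burn) / p_burn: on average a
    capability survives only about 1 / p_burn uses, so spraying it around
    cannot earn more than this no matter how many targets are hit.
    """
    if p_burn == 0.0:
        return float("inf")
    return payoff * (1.0 - p_burn) / p_burn


def beats_bounty(payoff: float, p_burn: float, uses: int, bounty: float) -> bool:
    """True when using the capability is expected to out-earn disclosing it."""
    return expected_value(payoff, p_burn, uses) > bounty


def breakeven_payoff(p_burn: float, uses: int, bounty: float) -> float:
    """Smallest per-deployment payoff at which `uses` deployments match the bounty."""
    factor = expected_value(1.0, p_burn, uses)
    if factor == 0.0:
        return float("inf")
    return bounty / factor


if __name__ == "__main__":
    BOUNTY = 250_000.0  # Hyper-V top bounty figure quoted in the post
    # Constructed scenarios (assumed numbers, not data from the post):
    # one carefully targeted operation vs. a spray-and-pray across many hosts.
    targeted = dict(payoff=1_000_000.0, p_burn=0.2, uses=1)
    spray = dict(payoff=20_000.0, p_burn=0.5, uses=100)
    for name, s in (("targeted", targeted), ("spray-and-pray", spray)):
        ev = expected_value(**s)
        ceiling = value_ceiling(s["payoff"], s["p_burn"])
        print(f"{name:15s} expected ${ev:>12,.0f}  ceiling ${ceiling:>12,.0f}"
              f"  beats bounty: {beats_bounty(bounty=BOUNTY, **s)}")
```

The point the model makes: because every additional use risks burning the capability, the expected return saturates at payoff * (1 - p_burn) / p_burn. Spraying a $250k-class exploit at many low-value hosts never approaches the bounty, while a single well-targeted, high-value operation can clear it, which is the post's argument for judicious targeting.
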
Bug bounty programs thus provide a useful economic reference point for which capabilities sit at each influence energy level, and therefore which defenses are needed at each security energy level.

If you need help understanding which threats matter to you, reach out today for a free consultation.
