1 / 43

Understanding the Social Behaviors of Cyberattackers Online and Offline

Understanding the Social Behaviors of Cyberattackers Online and Offline. Tom Holt, Ph.D. Assistant Professor Michigan State University Spartan Devils Honeynet Chapter Max Kilger, Ph.D. Profiler The Honeynet Project. Annual Honeynet Project Workshop Public Day Presentation March, 2011.

izzy
Download Presentation

Understanding the Social Behaviors of Cyberattackers Online and Offline

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Understanding the Social Behaviors of Cyberattackers Online and Offline Tom Holt, Ph.D. Assistant Professor Michigan State University Spartan Devils Honeynet Chapter Max Kilger, Ph.D.ProfilerThe Honeynet Project Annual Honeynet Project WorkshopPublic Day PresentationMarch, 2011

  2. Agenda • Honeynet Project Multi-Disciplinary Approach • Flashtalk #1: Russian Hacking Gangs • Flashtalk #2: Economics of the Cybercrime Market • Flashtalk #3: Malicious Motivations and Future Emerging Threats • Coming attractions: Nationalism and the link between cyberterror and physical terror a “sneak peek” at our new study • Summary

  3. Honeynet ProjectMulti-Disciplinary Approach

  4. Multidisciplinary Approach • Honeynet Project Members • Strong technical experts in many areas • Social Scientists with technical backgrounds • Criminologist – Tom Holt • Social Psychologist – Max Kilger

  5. Multi-Disciplinary Approach • With a multi-Disciplinary approach you can explore important questions like: • What motivates malicious acts on the web • It’s not as simple as you might think • How different motivations trigger different malicious behaviors • The role of social networks • In exploit diffusion • In identifying malicious actors and attribution • Predicting emerging threat scenarios

  6. Flashtalk #1: Russian Hacking Gangs

  7. Malware and Hackers • How do we identify the hackers who have the ability to build the new tools and materials, relative to the larger population of semi-skilled users? • Where and how do they sit in larger social networks? • Few systematic unclassified examinations of the malware and hacker community have examined social ties and interests

  8. On-line Resources • The malware and hacking community utilize on-line resources that can be actively mined for information to explore these questions. • This study will examine the social networks of the malware and hacking community in Russia and Eastern Europe using data generated from social networking blogs • Blogs provide important information on: • Current and emerging threats • The relationships and behavior of attackers • Locations, attitudes, beliefs

  9. Self-Report Information • Each LJ profile allows users to provide information on their: • Location • Education • Biographies sometimes provide useful information on psychological status of the user or whether the journal is friends-only • Interests can include political affiliation, geographical location as well as nonsense • Friends • people whom the users read and who can have access to ‘friends-only’ entries • Also friend of • people who read this journal and do not have access to protected entries • Mutual friends • both users added each other • Communities • LJ groups that the individual belongs to

  10. Physical and e-mail address Team Associations Interests Associations

  11. Data Set

  12. Country Locations Country Frequency Percent Belarus 3 2% China 1 1% Estonia 1 1% Germany 3 2% Jamaica 2 2% Kyrgyzstan 1 1% Laos 2 2% Moldova 1 1% Puerto Rico 1 1% Russian Federation 100 78% USA 1 1% Ukraine 13 10% Number of Missing Entries = 235 (64.5%)

  13. Extrapolating Data: Risk • Risk scores were created and assigned based on open searches on the handle or forum name provided, along with additional detail • 0: no risk • 1: computer security blogger • 2: low level hacker • 3: high level hacker

  14. Network Actors

  15. Strength of Group Ties

  16. Popularity – Risk Level

  17. Flashtalk #2: Economics of the Cybercrime Market This study was funded by the National Institute of Justice Grant No. 2007-IJ-CX-0018

  18. The Cybercrime Market: Purchasing • Individuals interested in purchasing products from a seller must contact them privately • ICQ • E-mail • Private messages in forum • Buyers place orders and pay for services electronically • Web money (WM) • Yandex • Escrow payments

  19. The Process of Sales “You know me [contact me] in ICQ and obviously explain what I need to do. . . After that, as soon as I complete your order, you transfer money into my WebMoney purse. After that, you receive the product. . . To familiars (at least exchange couple of words in ICQ) I will give the product first. For all the rest, we work based on the scheme: money first, and then chairs after.”

  20. The Cybercrime Market: Materials Resources Number of % of Buy % of Sell % of Posts Total Posts Total Post Total Cybercrime 219 30 39 17.8 180 82.2 Services ICQ Numbers 73 10 9 12.3 64 87.7 Malware 246 34 103 41.9 143 58.1 Services  Other 92 13 22 23.9 70 76.1 Stolen Personal 92 13 21 22.8 71 77.2 Information Total 722 100 194 26.9 528 73.1

  21. Pricing Information For Cybercrime Services* (from Chu et al. 2010) Minimum Maximum Average Count Count Product Price PricePrice With Price No Price DDoS** 0.41 25.00 14.26 22 7 Proxy 0.50 200.00 42.53 9 11 Spam Services Databases 0.50 100.00 45.43 10 23 Services 0.50 700.00 50.91 12 11 Tools 2.00 180.00 59.11 9 6 Webhosting and Services Hosting 0.85 300.00 48.89 14 16 Registration 9.00 150.00 50.17 6 4 • *Due to significant missing data, hacking services, domain sales, and VPN service pricing are not included here • ** Due to variation in pricing, DDoS estimates are based on the stated hourly rate or an average hourly rate based on prices for 24 hour attacks.

  22. The Cybercrime Market: Social Dynamics • Three normative orders shaped relationships and actions in these cybercrime markets • Low prices • Customer service • Trust

  23. Flashtalk #3: Malicious Motivations and Future Emerging Threats

  24. Motivations in the Community - MEECES • A play off the old FBI counter-intelligence term MICE • MEECES • Money • Ego • Entertainment • Cause • Entry to social group • Status

  25. Motivations: Money • No news to anyone - now by far the most common motivator for blackhats • Individuals motivated by money still often are found mostly within groups that share this motivation • Emergence of “currencies” in use in the black hat community • Stolen credit cards • Stolen bank accounts • Root ownership of compromised machines • Exploits • Virtual assets (QQ coins) • “Secret” data

  26. Motivations: Money • Money has a powerful effect on social structure and social relations • Money is fundamentally changing many elements within the hacking community • Money also acts as a force to attract individuals who are outside the community • Money as a social object gives these outsiders opportunities for power and prestige inside the hacking community that were formerly not available to them

  27. Motivations: Ego • Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative • Idea of mastery over the machine – getting it to do what you want, often in spite of numerous security obstacles • The community at large shares this common and very powerful motivation • This core motivation still present and remains a strong social motivation within the community

  28. Motivations: Entertainment • This motivation arises from the consequences of an exploit • Getting a device to do something unusual or novel • Bluejack bluetooth devices like phones and get them to call porn lines • Originally an uncommon motivation, it has gained momentum over the past years due in part to: • Infusion of less technical individuals into the digital space • Expanded social environment in the digital space

  29. Motivations: Cause • A rapidly evolving motivation in the hacking community • Most common instance of this motivation – hacktivism: • the use of the Internet to promote a particular political, scientific or social cause • Original seed – “information should be free”

  30. Motivations: Cause • Recent examples of hacktivism • Beginning in 2008 - project chanology, an attack on Scientology by Anonymous group • 2008 – Chinese attacks on CNN in response to Western protests during Olympic Torch relay + accusations of biased media reports in the West • 2009 – Efforts by groups to facilitate forums for online public protest by Iranians angered by Iranian election results • 2009 -2010– Attacks on Australian government websites protesting the proposed filtering of Australian ISP traffic for “unsafe” materials on the Internet • 2010 – current – Wikileaks disclosure of thousands of classified documents and diplomatic cables

  31. Motivations: Cause • There have been a significant increase in the instances of cause-motivated hacks over the past few years • The seriousness and consequences of cause-motivated attacks has grown significantly • Remember the phrase “civilian cyber warrior” – a special case of Cause we will return to a bit later…

  32. Motivations: Entrance to a Social Group • Hacking groups tend to be status homogeneous in nature • This implies there is a certain level of expertise necessary for induction into the group • Elegant code/exploits are one method for gaining acceptance into the group • Seeing more of this motivation given shifts in traditional society’s perspective on hacking

  33. Motivations: Status • A powerful motivation within the hacking community • Community as meritocracy • Skills and expertise in networks, operating systems, hardware, security, etc. used as status characteristics • Your position in the status hierarchy – locally and globally – depends in great part on these characteristics • The decline of the hacking meritocracy • Non-trivial decreases in basing status upon skills and expertise – probably due to the rise of money as a motivation

  34. Near-Term Emerging Threats • Civilian Cyber Warrior • Hacking Groups Aggregating Different Forms of Power • Loose Coupling of Virtual and Violent Criminal Activity • Large Scale Collection of Information by Nation States for CI

  35. Emerging Threat Example:Civilian Cyber Warrior

  36. The Special Case of the Civilian Cyber Warrior • Traditional forms of aggression • Personal costs • Economic • Probability of getting caught • Legal consequences • Historical and social significance of emergence of civilian cyber warrior • Key point – the social psychological significance of the event • First time in history that an individual could cost-effectively attack a nation state • The reassessment of the usual assumptions of the inequalities of the levels of power between nation states and citizens – establishes new relationships between institutions of society, government and individuals

  37. Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior • Civilian Cyber Warrior study is concentrating on.. • Dependent variables • Willingness to commit acts of cyberterror against another country • Willingness to commit acts of cyber terror against their own country • Willingness to commit acts of physical terror against another country • Willingness to commit acts of physical terror against their own country

  38. Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior • Civilian Cyber Warrior study is concentrating on.. • Independent predictor variables including • Level of skill • Hours per week using computer • Prior minor malicious acts using a computer • Level of nationalism • Level of ethnocentrism • Country of orign • Demographics

  39.     Graph this question 10) Imagine that the country of Bagaria has recently promoted national policies and taken physical actions that have had negative consequences to the country that you most closely associate as your home country or homeland. These policies and actions have also resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below. Sneak peak at preliminary data – more data is coming …

  40. 11) Aside from physical activity, what on-line activities do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below. Sneak peak at preliminary data – more data is coming …

  41. Summary

  42. Points to Hopefully Take Away… • Understanding the nature of the relationship between people and technology may help you predict where the next threat vectors are going to emerge • The elements of the hacking community social structure are still there, but in different form and distribution • The motivations of the hacking community are still there but their form, shape and consequences have changed, often dramatically • Constructing scenarios of emerging threats can help you anticipate and plan in a fast evolutionary threat environment

  43. Contact Information Tom Holt, Ph.D. holtt@msu.edu Max Kilger, Ph.D. Maxk@smrb.com

More Related