Some Important Emerging Shifts in the Motivations and Objectives of Cyberattackers


Max Kilger, Ph.D.
Profiler, The Honeynet Project

Seacure.it

October 2009

Milan, Italy


Overview

  • Why do we care about profiling?

  • Why take a more theoretical approach to this problem?

  • A very brief retrospective

  • Motivational profiles

  • Community level analysis

  • Geo-political and economic influences

  • Emerging threats:

    • Civilian cyber warrior

    • Developing economic, political and social power of hacking groups

    • Loose coupling of virtual and violent criminal activity

    • The potential Pandora’s box of the developing world

  • Some final thoughts


Objectives of Profiling and Social Analysis

  • Primary uses of profiling and social analysis:

    • Profiling of individuals for identification and possible apprehension

    • Collection and analysis of data into models that allow better theoretical understanding of black hat community

    • Assist in predicting motives and behaviors in specific attacks by groups/individuals

    • Produce a better understanding of emerging threats

      • What are they?

      • What form might they take?

      • Who are the potential targets?

      • Where will they come from?

      • How do we begin to build pre-emptive defenses against them?


Profiling Myths and Realities

  • A Profile Alone is not Enough…

    • Don’t expect a profile to directly identify the offender(s)

    • A profile does do three key things:

      • A filter that brings the important details of the crime into focus and attenuates those unlikely to be relevant: a tool that tells the investigator where to look and what to look for

      • Provides a rich fabric of interlocking details that allow the investigator to look for correlates that build the pathway to finding the offender

      • Sometimes provides the “catalyst” that together with other information leads eventually directly to the offender(s)


A Very Brief Retrospective


Elements of the Community in the Simpler Past

(Figure: Magic, History, Status, Tech, Humor, Derog)


Dimensions of the Social Structure of the Hacking Community

Note: Jargon File entry may be coded into multiple thematic categories


Emergent Complex Elements

(Figure: Griefing, Identity, Coercion, Deception)


Motivations

  • A play on the old FBI counter-intelligence acronym MICE (Money, Ideology, Compromise, Ego)

  • MEECES

    • Money

    • Ego

    • Entertainment

    • Cause

    • Entry to social group

    • Status


Motivations: Money

  • Now the most common motivator for blackhats

  • Individuals motivated by money are usually found in groups that share this motivation

  • There are a number of “currencies” in use in the black hat community – stolen credit cards and bank accounts, root ownership of compromised machines, exploits, virtual assets, “secret” data

  • A funding source for organized crime and terrorism: quick turnover of stolen credit card numbers, bank accounts and cash in foreign countries, followed by write-off


Motivations: Ego

  • Both black hat and white hat communities share this common and very powerful motivation

  • Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative

  • Idea of mastery over the machine – getting it to do what you want, often in spite of numerous security obstacles


Motivations: Entertainment

  • This motivation often comes from the consequences of an exploit

  • Getting a device to do something unusual or novel

    • Bluejacking Bluetooth devices such as phones and getting them to call porn lines

    • Sometimes this has an anthropomorphic dimension

  • Sometimes the entertainment value comes from the actions of individuals/organizations that are directly associated with the exploited box/device


Motivations: Cause

  • An emerging and evolving motivation in the white hat/black hat community

  • Most common instance of this motivation: hacktivism, the use of the Internet to promote a particular political, scientific or social cause

  • Original seed: “information should be free”


Motivations: Cause

  • Examples of hacktivism

    • Bronc Buster and Zyklon disable Chinese firewalls to allow Chinese Internet users access to forbidden websites

    • Jam Echelon Day (JED): hacktivists flooded the net with emails containing embedded trigger words to overload intelligence network sniffers

    • Electronic Disturbance Theater floods Republican National Committee and conservative websites to coincide with RNC convention

    • RIAA website wiped off the Internet

  • Stay tuned for the special case of the civilian cyber warrior


Motivations: Entrance to a Social Group

  • Black hat/white hat groups tend to be status homogeneous in nature

  • This implies there is a certain level of expertise necessary for induction into the group

  • Elegant code/exploits are one method for gaining acceptance into the group - writing new and innovative code and sharing it as a demonstration of the level of expertise necessary to be considered for membership in the social group


Motivations: Status

  • A powerful motivation within both the white hat and black hat communities

  • Much of the behavior within these communities is influenced by the status position of individuals both within local group as well as global group hierarchies

  • Community as meritocracy


Profiling Example

  • IRC chat

    • Here we see members of a group exchanging areas of expertise; evaluate such claims using the reactions of other group members as validation points

  • 20:49:30 quark: am I the only one who uses C++ rather than C?

  • 20:49:32 oracle: heh

  • 20:49:34 shaverboy: yah

  • 20:49:42 oracle: u a winshit coder?

  • 20:49:42 shaverboy: personally i don't like c++

  • 20:49:42 burgerking: outties

  • 20:49:49 burgerking: ".k *"

  • 20:49:52 quark: lol, yes, i'm a winshit coder

  • 20:49:52 burgerking: .users

  • 20:49:59 shaverboy: i can do everything i want in C and if i need object oriented stuff, I can use LISP, Java or Python


Profiling Example

  • Status plays an important part in the social structure of the computer hacker community and this next excerpt allows the profiler to identify the status positions of at least some of the members of the group:

  • 15:35:28 Slash: checkov i am not sure what kind of code it is

  • 15:35:46 cigquake: because you don't know shit about what is going on

  • 15:35:50 burgerking: yeah quark im just an amature :P

  • 15:36:09 quark: lol, I'm far from pro, I just enjoy doing it

  • 15:36:17 checkov: Slash: well figure it out

  • 15:36:36 burgerking: Slash the whole point of me pestering you is so you will get off your ass and try learn.. because you rely on others

  • 15:36:46 burgerking: and thats not what your suppose to do to learn

  • 15:37:01 Slash: i am learning i never learnd why !/bin/pass workes!!!

  • 16:34:04 burgerking: Ok well here is a simple explanation the code your exploiting has a group level of 2.. which is your current the user is level3 which means


Profiling Example

Here we get a very good clue about their perspective on the blackhat-whitehat continuum

  • 16:44:56 Shortkid: i used to be gray but its not that cool

  • 16:44:59 burgerking: Trashcan im not from the south island ;)

  • 16:45:01 shaverboy: black hat eh?

  • 16:45:15 burgerking: lol how are you a black hat?

  • 16:45:15 shaverboy: so you're actually trying to be malicious? that's fine by me

  • 16:45:32 Shortkid: lets say i want to be a black hat

  • 16:45:37 shaverboy: ok


Profiling Example

  • Here’s the money shot for those folks in law enforcement or intelligence: an orthodontist appointment on a specific date and time in a town in Maine…

  • 21:59:30 quark: Maine here

  • 22:00:22 shaverboy: checkov i'm in VT, just got 2 feet of snow on x-mas day

  • 22:00:24 shaverboy: i love maine

  • 22:00:25 quark: lol

  • 22:00:30 checkov: i hate snow

  • 22:00:36 checkov: I lived in fl for 15yrs

  • 22:02:32 quark: so yeah, I woke up at 6:30 am to get ready for what I thought was an orthodontist apointment... turns out it was at 3:40 in the afternoon

  • 22:02:38 quark: I could have slept in too :(
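The profiling slides above treat the IRC excerpts as raw evidence: expertise claims, status signals, hat self-identification and location or routine details, each to be weighed against how the rest of the group reacts. As an added example that is not part of the original presentation, the Python script below parses lines in the slides' `HH:MM:SS nick: message` format, tallies those indicators per nick, and, following the slide's advice to use other members' reactions as validation points, attaches the next reply from a different nick to every expertise or hat claim. The sample log is copied from the excerpts on the preceding slides; the indicator dictionaries (`LANG_NAMES`, `PLACES` and the regexes) are small illustrative assumptions chosen to cover those excerpts, not a published profiling vocabulary.

```python
import re
from collections import defaultdict

# Line format used in the slide excerpts: "HH:MM:SS nick: message"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+): (.*)$")

# Indicator dictionaries. These are small illustrative assumptions chosen to
# cover the excerpts; a working profiler would maintain far larger, tuned lists.
LANG_NAMES = {"c++": "C++", "c": "C", "lisp": "LISP", "java": "Java", "python": "Python"}
LANG_RE = re.compile(r"\b(c\+\+|c|lisp|java|python)(?![\w+])", re.I)
PLACES = {"maine": "Maine", "vt": "Vermont", "fl": "Florida", "south island": "South Island"}
PLACE_RE = re.compile(r"\b(" + "|".join(re.escape(p) for p in PLACES) + r")\b", re.I)
HAT_RE = re.compile(r"\b(?:be|am|was|i'm)\s+(?:a\s+)?(black|white|gr[ae]y)\b", re.I)
DEROG_RE = re.compile(r"don'?t know shit|get off your ass", re.I)
SELF_DEP_RE = re.compile(r"\bfar from pro\b|\bi'?m just an amat", re.I)
ROUTINE_RE = re.compile(r"\bap+ointment\b|\bappt\b|\bwoke up at\b", re.I)

# Copied from the excerpts on the preceding slides (four separate sessions
# concatenated, so timestamps do not increase monotonically).
SAMPLE_LOG = """\
20:49:30 quark: am I the only one who uses C++ rather than C?
20:49:32 oracle: heh
20:49:34 shaverboy: yah
20:49:42 oracle: u a winshit coder?
20:49:42 shaverboy: personally i don't like c++
20:49:42 burgerking: outties
20:49:49 burgerking: ".k *"
20:49:52 quark: lol, yes, i'm a winshit coder
20:49:52 burgerking: .users
20:49:59 shaverboy: i can do everything i want in C and if i need object oriented stuff, I can use LISP, Java or Python
15:35:28 Slash: checkov i am not sure what kind of code it is
15:35:46 cigquake: because you don't know shit about what is going on
15:35:50 burgerking: yeah quark im just an amature :P
15:36:09 quark: lol, I'm far from pro, I just enjoy doing it
15:36:17 checkov: Slash: well figure it out
15:36:36 burgerking: Slash the whole point of me pestering you is so you will get off your ass and try learn.. because you rely on others
15:36:46 burgerking: and thats not what your suppose to do to learn
15:37:01 Slash: i am learning i never learnd why !/bin/pass workes!!!
16:34:04 burgerking: Ok well here is a simple explanation the code your exploiting has a group level of 2.. which is your current the user is level3 which means
16:44:56 Shortkid: i used to be gray but its not that cool
16:44:59 burgerking: Trashcan im not from the south island ;)
16:45:01 shaverboy: black hat eh?
16:45:15 burgerking: lol how are you a black hat?
16:45:15 shaverboy: so you're actually trying to be malicious? that's fine by me
16:45:32 Shortkid: lets say i want to be a black hat
16:45:37 shaverboy: ok
21:59:30 quark: Maine here
22:00:22 shaverboy: checkov i'm in VT, just got 2 feet of snow on x-mas day
22:00:24 shaverboy: i love maine
22:00:25 quark: lol
22:00:30 checkov: i hate snow
22:00:36 checkov: I lived in fl for 15yrs
22:02:32 quark: so yeah, I woke up at 6:30 am to get ready for what I thought was an orthodontist apointment... turns out it was at 3:40 in the afternoon
22:02:38 quark: I could have slept in too :(
"""


def parse_log(text):
    """Return (timestamp, nick, message) tuples; lines not in the format are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(m.groups())
    return out


def _new_profile():
    return {"messages": 0, "languages": set(), "places": set(), "hat": None,
            "derogates_others": 0, "self_deprecates": 0, "routine": [], "reactions": []}


def build_profiles(text):
    """Tally per-nick indicators and attach, to each expertise or hat claim, the
    next reply from a different nick so the claim can be weighed against the
    group's reaction (the slide's validation point)."""
    lines = parse_log(text)
    profiles = defaultdict(_new_profile)
    for i, (_ts, nick, msg) in enumerate(lines):
        p = profiles[nick]
        p["messages"] += 1
        claimed = False
        for m in LANG_RE.finditer(msg):
            p["languages"].add(LANG_NAMES[m.group(1).lower()])
            claimed = True
        for m in PLACE_RE.finditer(msg):
            # A mention is a lead, not a fact: "im not from the south island" is a denial.
            p["places"].add(PLACES[m.group(1).lower()])
        m = HAT_RE.search(msg)
        if m:
            p["hat"] = m.group(1).lower().replace("grey", "gray")  # last self-ID wins
            claimed = True
        if DEROG_RE.search(msg):
            p["derogates_others"] += 1
        if SELF_DEP_RE.search(msg):
            p["self_deprecates"] += 1
        if ROUTINE_RE.search(msg):
            p["routine"].append(msg)
        if claimed:
            for _ts2, other, reply in lines[i + 1:]:
                if other != nick:
                    p["reactions"].append((msg, other, reply))
                    break
    return dict(profiles)


if __name__ == "__main__":
    for nick, profile in sorted(build_profiles(SAMPLE_LOG).items()):
        print(nick, profile)
```

Every hit is a lead to be weighed, not a fact: burgerking's "im not from the south island" registers South Island even though it is a denial, and Shortkid's hat changes from gray to black within seconds, which is exactly why the attached reactions (oracle's "heh", shaverboy's "ok") matter more than the claims themselves.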


Community Level Analysis


Status Processes and Community Gatherings

  • Very strong emphasis on one’s status position in the community sets off a number of other social processes with similar vigor

    • Status conflicts within the community occur frequently and often with considerable rancor

    • Status processes are at work in the efforts of individuals to join specific local social networks

    • Individual members of the black hat community tend to form social groups based upon status homogeneity

    • Status processes often trigger affect processes, evidenced by the high level of derogatory behavior seen in the community within local social networks and beyond

    • Lack of verbal and non-verbal communication cues because of the use of chat rooms/email as major form of communication often leads to conflict


Status Processes and Community Gatherings

  • Hacker “conventions” are an important structural/functional component of the community

    • Allows face-to-face communication where status hierarchies can be more easily worked out and communicated between groups/individuals

    • Also provides a method by which status hierarchies can be communicated across groups, thus producing a more stable community with a larger sense of inter-group solidarity

    • Gives the community the opportunity to formally pass on the norms and values of that community


Geo-Political and Economic Analysis


Geo-Political and Economic Influences

  • There is more at work than micro-level influences; macro-level forces are at work as well

  • The distribution of these motivations is dependent upon the geo-political and economic environment within a country or region


Romanian Blackhat Community

  • Historical background (pre 1989)

    • During its Communist regime, Romania was a center for the development of computer technology and software for Eastern Bloc countries

    • Romania also has a tradition of strong university programs in mathematics and computer science

  • Current Political and Economic Conditions

    • Poor economic conditions coupled with a runaway inflation rate

    • Significant unemployment among groups with high educational attainment and strong tech backgrounds

    • Widespread corruption among many sectors of government


Romanian Blackhat Community

  • Result: Larger number of blackhats motivated by Money

    • As legitimate opportunities for business and employment shrink, more tech-trained individuals turn to financial cybercrime (credit card fraud, cyber extortion, etc.) to generate capital

  • Result: Larger number of blackhats motivated by Ego and Status components

    • Lack of legitimate outlets and rewards for tech skills leads to high levels of frustration and a need to “prove technical expertise” and restore self-esteem

    • Sense of global relative injustice may motivate these individuals to attack targets in countries where their skills are more valued and rewarded


PRC Blackhat Community

  • A threat in terms of sheer numbers alone

    • Difficult to estimate the number of blackhats in PRC

      • Darkvisitor website suggests 380,000, but who knows…

  • Current political, economic and social conditions

    • Incredible economic growth

      • China Daily cites 10% annual growth

    • Adoption and integration of technology into the everyday life of Chinese citizens, especially younger ones, is taking place at exponential speed

    • The synergy of these two economic and social forces is producing a blackhat world that is evolving at incredible speed


PRC Blackhat Community

  • There is also a geo-political component to this

    • Incredibly strong sense of nationalism among many PRC blackhats

      • Example: CNN attacks

    • Synergistic interactions between PRC government entities and Chinese blackhat groups


PRC Blackhat Community

  • Result: Large number of blackhats motivated by Money

    • Large community of virus writers

      • Sell malware used to steal credentials, access to bank accounts and especially virtual assets

      • Virtual assets especially targeted

        • QQ accounts, QQ coins, gaming assets

        • A recent paper studied one large virtual asset marketplace (Zhuge et al., 2007)

          • Over 42,000 virtual asset shops

          • Almost 9 million transactions in 6 months

    • Whale phishing

      • Targeting US and other affluent executives

      • Use sophisticated social engineering techniques

    • Blackhat community seems to be paralleling the tremendous growth of the Chinese economy

      • Growing pools of financial assets


PRC Blackhat Community

  • Result: Blackhat groups accepting direction from PRC government entities (Cause)

    • Assisting in large scale data collection for industrial and military/governmental espionage purposes

    • Combination of nationalism and implicit coercion or co-opting to gain cooperation of blackhat community members and groups


Final Geo-Political Comment…

  • Research that measures the levels of each of the motivations (MEECES) within a specific country may help us predict the types of threats that emerge from that country…


Emerging Threats


Emerging Threat: Civilian Cyber Warrior


The Special Case of the Civilian Cyber Warrior

  • Traditional forms of aggression

    • Personal costs

      • Economic

      • Probability of getting caught

      • Legal consequences

  • Historical and social significance of emergence of civilian cyber warrior

    • Key point – the social psychological significance of the event

      • First time in history that an individual could effectively attack a nation state

      • The reassessment of the usual assumptions of the inequalities of the levels of power between nation states and citizens – establishes new relationships between institutions of society, government and individuals


Emerging Threat: Developing Economic, Political and Social Power of Hacking Groups


Hacking Groups Aggregating Different Forms of Power

  • Acquisition of knowledge and resources

    • Role of the Internet

    • Lower visibility of preparations

    • The role of mentors

  • Effectiveness

    • Changing probabilities in the risk assessment

    • The danger of ignoring the distribution of skills and expertise

    • Probability of success

    • Likelihood of engaging multiple actors

    • Magnitude of damage


Hacking Groups Aggregating Different Forms of Power

  • Conditions for emergence

    • Coalescence of external group identity

    • Formation of internal infrastructure

      • Identifiable leadership

      • Ideological mission statements

    • Institutional neglect or failure to pursue/co-opt

      • Civil authorities

      • Law enforcement

      • Government

        • Counter-example: China’s Revenge of Flame group


Hacking Groups Aggregating Different Forms of Power

  • Aggregation of a resource from which to project a power base

    • Financial resources

      • RBN and the Duma election

    • Demonstrated technical resources

      • Example – china hacker groups

        • The potential of the double-edged sword



Emergence of Loosely Coupled Criminal Enterprises

  • Current cybercrime situation

    • Almost all forms of current cybercrime involve financial motives and non-violent actions

      • Exploits

      • Phishing

      • Spearphishing

      • DDoS or extortion via DDoS

      • DNS poisoning

      • Web page hijacking

    • A new twist: the epilepsy attack

      • Epilepsy Foundation website

      • Images placed to induce seizures in epileptic visitors

      • More of a “griefer” attack than a violent crime action


Emergence of Loosely Coupled Criminal Enterprises

  • Loose coupling of cyber and violent actors

    • Factors facilitating the emergence

      • Loss of privacy and the ease of collecting personally identifiable information from the web

      • Establishment of electronic means of payment, along with the emergence of unwitting or willing money mules

      • Increasing presence of nationals bonded by ethnic or national ties to other out-of-country individuals pursuing cybercrimes


Emergence of Loosely Coupled Criminal Enterprises

  • A hypothetical example

    • Cybercrime group collects PII about target

      • Terrestrial addresses

        • Home

        • Work

      • Familial details

      • Vehicle id

      • Business information

      • Financial information


Emergence of Loosely Coupled Criminal Enterprises

  • Cybercrime group contacts target and presents demand along with physical threat

  • Viable outcomes

    • Target complies with demand

      • Cybercrime group collects demand electronically

      • Cybercrime group extracts a promise of silence from the target

      • Moves on to next target


Emergence of Loosely Coupled Criminal Enterprises

  • Viable outcomes

    • Target fails to comply with demand

      • Cybercrime group contacts a loosely coupled violent crime group

      • Violent crime group is given target details and desired action

      • Violent crime group commits action desired against target

      • Violent crime group collects payment via electronic system from cybercrime group


Emergence of Loosely Coupled Criminal Enterprises

  • Think it’s not very probable?

    • It’s already happened… in the PRC!

      • Catching mice in China site, June 26, 2008

        • PRC criminals bought personal info online and targeted car owners

        • Called up the victim and said they had been paid to kill them

        • Recited the personal info as credentials

        • Demanded 10,000 yuan to call it off


The Developing World and Cybercrime


The Dilemma of the Developing World and the Internet

  • The good news…

    • The correlation between information, communication and economic growth is well known

    • Communication is also a facilitator for democratization

    • Education, social policy, health and science all benefit from the communication the Internet brings


The Dilemma of the Developing World and the Internet

  • The not-so-good news (i.e. you think we have problems now…)

    • Ever-increasing numbers of individuals in developing countries are going to have a two-way portal opened for them into the virtual resources and vulnerabilities of the first world

      • Think relative deprivation/resource gap here

    • Large subpopulations whose biggest resource is time

    • Even old technology is still a viable cyberweapon


The Dilemma of the Developing World and the Internet

  • The not-so-good news (i.e. you think we have problems now…)

    • Broadband is expanding at a faster rate in developing countries

    • Digital technology will accelerate university access and increase the number of highly capable individuals

    • Are policies going to be enough to attenuate this new cyberthreat?


Some Final Thoughts…


What is the most important lesson? Know your Enemy

  • Understanding the motivations of the blackhat community can help evaluate, explain and predict

  • Understanding how social forces work on the community gives you an idea of where those communities are headed

  • Understanding the nature of the relationship between people and technology will help you predict where the next threat vectors are going to emerge

