Some Important Emerging Shifts in the Motivations and Objectives of Cyberattackers
Max Kilger, Ph.D., Profiler, The Honeynet Project
Seacure.it, October 2009, Milan, Italy
Overview
• Why do we care about profiling?
• Why take a more theoretical approach to this problem?
• A very brief retrospective
• Motivational profiles
• Community level analysis
• Geo-political and economic influences
• Emerging threats:
  • Civilian cyber warrior
  • Developing economic, political and social power of hacking groups
  • Loose coupling of virtual and violent criminal activity
  • The potential Pandora's box of the developing world
• Some final thoughts
Objectives of Profiling and Social Analysis
• Primary uses of profiling and social analysis:
  • Profiling of individuals for identification and possible apprehension
  • Collection and analysis of data into models that allow a better theoretical understanding of the black hat community
  • Assisting in predicting the motives and behaviors of groups/individuals in specific attacks
  • Producing a better understanding of emerging threats:
    • What are they?
    • What form might they take?
    • Who are the potential targets?
    • Where will they come from?
    • How do we begin to build pre-emptive defenses against them?
Profiling Myths and Realities
• A profile alone is not enough...
  • Don't expect a profile to directly identify the offender(s)
• A profile does do three key things:
  • Acts as a filter that brings the important details of the crime into focus and attenuates those details that are not likely to be relevant; a tool that helps tell the investigator where to look and what to look for
  • Provides a rich fabric of interlocking details that allow the investigator to look for correlates that build the pathway to finding the offender
  • Sometimes provides the "catalyst" that, together with other information, eventually leads directly to the offender(s)
Dimensions of the Social Structure of the Hacking Community
• Elements of the community in the simpler past (diagram labels): Magic, History, Status, Tech, Humor, Derog
• Emergent complex elements (diagram labels): Griefing, Identity, Coercion, Deception
• Note: a Jargon File entry may be coded into multiple thematic categories
Motivations
• A play off the old FBI counter-intelligence term MICE
• MEECES:
  • Money
  • Ego
  • Entertainment
  • Cause
  • Entry to social group
  • Status
Motivations: Money
• Now the most common motivator for blackhats
• Individuals motivated by money are often found almost entirely within groups that share this motivation
• There are a number of "currencies" in use in the black hat community: stolen credit cards and bank accounts, root ownership of compromised machines, exploits, virtual assets, "secret" data
• Financial resource for organized crime/terrorist funding: quick turnover of stolen credit card numbers, bank accounts and cash in foreign countries and subsequent write-off
Motivations: Ego
• Both the black hat and white hat communities share this common and very powerful motivation
• Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative
• The idea of mastery over the machine: getting it to do what you want, often in spite of numerous security obstacles
Motivations: Entertainment
• This motivation often comes from the consequences of an exploit
• Getting a device to do something unusual or novel
  • Bluejacking Bluetooth devices like phones and getting them to call porn lines
  • Sometimes this involves anthropomorphic dimensions
• Sometimes the entertainment value comes from the actions of individuals/organizations that are directly associated with the exploited box/device
Motivations: Cause
• An emerging and evolving motivation in the white hat/black hat community
• Most common instance of this motivation: hacktivism, the use of the Internet to promote a particular political, scientific or social cause
• Original seed: "information should be free"
Motivations: Cause
• Examples of hacktivism:
  • Bronc Buster and Zyklon disable Chinese firewalls to allow Chinese Internet users access to forbidden websites
  • Jam Echelon Day (JED): hacktivists flooded the net with emails with embedded target words to flood intel net sniffers
  • Electronic Disturbance Theater floods Republican National Committee and conservative websites to coincide with the RNC convention
  • RIAA website wiped off the Internet
• Stay tuned for the special case of the civilian cyber warrior
Motivations: Entrance to a Social Group
• Black hat/white hat groups tend to be status homogeneous in nature
• This implies there is a certain level of expertise necessary for induction into the group
• Elegant code/exploits are one method for gaining acceptance into the group: writing new and innovative code and sharing it as a demonstration of the level of expertise necessary to be considered for membership in the social group
Motivations: Status
• A powerful motivation within both the white hat and black hat communities
• Much of the behavior within these communities is influenced by the status position of individuals, both within the local group as well as in global group hierarchies
• Community as meritocracy
Profiling Example
• IRC chat
• Here we see members of a group exchanging areas of expertise; you should evaluate these using the reactions of other group members as validation points
  20:49:30 quark: am I the only one who uses C++ rather than C?
  20:49:32 oracle: heh
  20:49:34 shaverboy: yah
  20:49:42 oracle: u a winshit coder?
  20:49:42 shaverboy: personally i don't like c++
  20:49:42 burgerking: outties
  20:49:49 burgerking: ".k *"
  20:49:52 quark: lol, yes, i'm a winshit coder
  20:49:52 burgerking: .users
  20:49:59 shaverboy: i can do everything i want in C and if i need object oriented stuff, I can use LISP, Java or Python
Profiling Example
• Status plays an important part in the social structure of the computer hacker community, and this next excerpt allows the profiler to identify the status positions of at least some of the members of the group:
  15:35:28 Slash: checkov i am not sure what kind of code it is
  15:35:46 cigquake: because you don't know shit about what is going on
  15:35:50 burgerking: yeah quark im just an amature :P
  15:36:09 quark: lol, I'm far from pro, I just enjoy doing it
  15:36:17 checkov: Slash: well figure it out
  15:36:36 burgerking: Slash the whole point of me pestering you is so you will get off your ass and try learn.. because you rely on others
  15:36:46 burgerking: and thats not what your suppose to do to learn
  15:37:01 Slash: i am learning i never learnd why !/bin/pass workes!!!
  16:34:04 burgerking: Ok well here is a simple explanation the code your exploiting has a group level of 2.. which is your current the user is level3 which means
Profiling Example
• Here we get a very good clue about their perspective on the blackhat-whitehat continuum:
  16:44:56 Shortkid: i used to be gray but its not that cool
  16:44:59 burgerking: Trashcan im not from the south island ;)
  16:45:01 shaverboy: black hat eh?
  16:45:15 burgerking: lol how are you a black hat?
  16:45:15 shaverboy: so you're actually trying to be malicious? that's fine by me
  16:45:32 Shortkid: lets say i want to be a black hat
  16:45:37 shaverboy: ok
Profiling Example
• Here's the money shot for those folks in law enforcement or intelligence: a dentist's appointment on a specific date and time in a town in Maine...
  21:59:30 quark: Maine here
  22:00:22 shaverboy: checkov i'm in VT, just got 2 feet of snow on x-mas day
  22:00:24 shaverboy: i love maine
  22:00:25 quark: lol
  22:00:30 checkov: i hate snow
  22:00:36 checkov: I lived in fl for 15yrs
  22:02:32 quark: so yeah, I woke up at 6:30 am to get ready for what I thought was an orthodontist apointment... turns out it was at 3:40 in the afternoon
  22:02:38 quark: I could have slept in too :(
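The four excerpts above all share the same `HH:MM:SS nick: message` line format, and the analytic move the slides describe is to treat a statement (an expertise claim, a status claim) as a data point and the other members' immediate reactions as its validation. The following Python is an added example, not code from the talk or from the Honeynet Project: it structures such a log into turns, counts turns per nick, finds mentions of analyst-chosen terms, collects the reactions of other nicks within a time window after a given turn, and flags long silences between turns (like the hour-long jump between 15:37 and 16:34 in the second excerpt), which usually mark a break in the session rather than a continuous exchange. The sample log, nick names and the window/gap thresholds are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One IRC line: "HH:MM:SS nick: message". The nick stops at the first colon, so a
# message that itself starts with "OtherNick: ..." is kept intact as text.
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\s+([^:\s]+):\s?(.*)$")


@dataclass
class Turn:
    seconds: int   # seconds since midnight, taken from the HH:MM:SS stamp
    nick: str
    text: str


def parse_irc_log(raw: str) -> List[Turn]:
    """Structure an excerpt into turns; lines that are not chat (joins, parts,
    mode changes) are skipped rather than guessed at."""
    turns: List[Turn] = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, nick, text = m.groups()
        turns.append(Turn(int(hh) * 3600 + int(mm) * 60 + int(ss), nick, text))
    return turns


def turns_per_nick(turns: List[Turn]) -> Dict[str, int]:
    """Who talks how much: a first, crude proxy for engagement in the group."""
    counts: Dict[str, int] = {}
    for t in turns:
        counts[t.nick] = counts.get(t.nick, 0) + 1
    return counts


def find_mentions(turns: List[Turn], terms: List[str]) -> List[int]:
    """Indices of turns whose text mentions any of the analyst's terms
    (case-insensitive), e.g. language or tool names used in expertise claims."""
    lowered = [x.lower() for x in terms]
    return [i for i, t in enumerate(turns) if any(x in t.text.lower() for x in lowered)]


def reactions_to(turns: List[Turn], index: int, window_seconds: int = 60) -> List[Turn]:
    """Turns by *other* nicks within the window after turns[index]; these are the
    validation points the profiler reads a claim against."""
    origin = turns[index]
    return [t for t in turns[index + 1:]
            if t.nick != origin.nick and t.seconds - origin.seconds <= window_seconds]


def session_gaps(turns: List[Turn], min_gap_seconds: int = 600) -> List[Tuple[int, int]]:
    """(before, after) second stamps of silences at least min_gap_seconds long;
    a reaction across such a gap should not be read as a reaction to the claim."""
    return [(a.seconds, b.seconds) for a, b in zip(turns, turns[1:])
            if b.seconds - a.seconds >= min_gap_seconds]


# Constructed sample in the same format as the excerpts (nicks are invented).
SAMPLE_LOG = """
20:49:30 nick_a: am I the only one who uses C++ rather than C?
20:49:32 nick_b: heh
20:49:34 nick_c: yah
20:49:42 nick_c: personally i don't like c++
20:49:49 nick_d: ".k *"
20:49:59 nick_c: i can do everything i want in C
*** nick_e has joined #chan
21:02:10 nick_a: lol, yes
"""

if __name__ == "__main__":
    ts = parse_irc_log(SAMPLE_LOG)
    print("turns per nick:", turns_per_nick(ts))
    for i in find_mentions(ts, ["c++"]):
        print(f"claim by {ts[i].nick}: {ts[i].text!r}")
        for r in reactions_to(ts, i):
            print(f"   reaction {r.nick}: {r.text!r}")
    print("session gaps (seconds):", session_gaps(ts))
```

The time window and gap threshold are deliberately parameters: a fast channel with many participants calls for a shorter reaction window, and what counts as a session break depends on how the logs were captured.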
Status Processes and Community Gatherings
• The very strong emphasis on one's status position in the community sets off a number of other social processes with similar vigor
• Status conflicts within the community occur frequently and often with considerable rancor
• Status processes are at work in the efforts of individuals to join specific local social networks
• Individual members of the black hat community tend to form social groups based upon status homogeneity
• Status processes often result in affect processes being triggered, evidenced by the high level of derogatory behavior seen in the community within local social networks and beyond
• The lack of verbal and non-verbal communication cues, because chat rooms/email are the major form of communication, often leads to conflict
Status Processes and Community Gatherings
• Hacker "conventions" are an important structural/functional component of the community
• They allow face-to-face communication where status hierarchies can be more easily worked out and communicated between groups/individuals
• They also provide a method by which status hierarchies can be communicated across groups, thus producing a more stable community with a larger sense of inter-group solidarity
• They give the community the opportunity to formally pass on the norms and values of that community
Geo-Political and Economic Influences
• There's more at work than just micro-level influences... there are macro-level forces at work as well
• The distribution of these motivations is dependent upon the geo-political and economic environment within a country or region
Romanian Blackhat Community
• Historical background (pre-1989):
  • Romania during its Communist regime was a center for the development of computer technology and software for Eastern Bloc countries
  • Romania also has a tradition of strong university programs in mathematics and computer science
• Current political and economic conditions:
  • Poor economic conditions coupled with a runaway inflation rate
  • Significant unemployment among higher educational attainment groups with strong tech backgrounds
  • Widespread corruption among many sectors of government
Romanian Blackhat Community
• Result: a larger number of blackhats motivated by Money
  • As legitimate opportunities for business and employment shrink, more tech-trained individuals turn to financial cybercrime (credit card fraud, cyber extortion, etc.) to generate capital
• Result: a larger number of blackhats motivated by the Ego and Status components
  • Lack of legitimate outlets and rewards for tech skills leads to high levels of frustration and a need to "prove technical expertise" and restore self-esteem
  • A sense of global relative injustice may motivate these individuals to attack targets in countries where their skills are more valued and rewarded
PRC Blackhat Community
• A threat just in terms of sheer numbers
  • Difficult to estimate the number of blackhats in the PRC
  • The Darkvisitor website suggests 380,000, but who knows...
• Current political, economic and social conditions:
  • Incredible economic growth; China Daily cites 10% annual growth
  • Adoption and integration of technology into the everyday life of Chinese citizens, especially younger ones, is taking place at exponential speed
• The synergy of these two economic and social forces is producing a blackhat world that is evolving at incredible speed
PRC Blackhat Community
• There is also a geo-political component to this
• An incredibly strong sense of nationalism among many PRC blackhats
  • Example: CNN attacks
• Synergistic interactions between PRC government entities and Chinese blackhat groups
PRC Blackhat Community
• Result: a large number of blackhats motivated by Money
  • Large community of virus writers
  • Sell malware used to steal credentials, access to bank accounts and especially virtual assets
  • Virtual assets especially targeted: QQ accounts, QQ coins, gaming assets
  • A recent paper (Zhuge et al, 2007) cited one large virtual asset marketplace with over 42,000 virtual asset shops and almost 9 million transactions in 6 months
  • Whale phishing: targeting US and other affluent executives using sophisticated social engineering techniques
• The blackhat community seems to be paralleling the tremendous growth of the Chinese economy
  • Growing pools of financial assets
PRC Blackhat Community
• Result: blackhat groups accepting direction from PRC government entities (Cause)
  • Assisting in large-scale data collection for industrial and military/governmental espionage purposes
  • A combination of nationalism and implicit coercion or co-opting to gain the cooperation of blackhat community members and groups
Final Geo-Political Comment...
• Research that measures the levels of each of the motivations (MEECES) within a specific country may help us predict the types of threats that emerge from that country...
The Special Case of the Civilian Cyber Warrior
• Traditional forms of aggression
  • Personal costs:
    • Economic
    • Probability of getting caught
    • Legal consequences
• Historical and social significance of the emergence of the civilian cyber warrior
  • Key point: the social psychological significance of the event
  • The first time in history that an individual could effectively attack a nation state
  • The reassessment of the usual assumptions about the inequalities in the levels of power between nation states and citizens establishes new relationships between the institutions of society, government and individuals
Emerging Threat: Developing Economic, Political and Social Power of Hacking Groups
Hacking Groups Aggregating Different Forms of Power
• Acquisition of knowledge and resources
  • Role of the Internet
  • Lower visibility of preparations
  • The role of mentors
• Effectiveness
  • Changing probabilities in the risk assessment
  • The danger of ignoring the distribution of skills and expertise
  • Probability of success
  • Likelihood of engaging multiple actors
  • Magnitude of damage
Hacking Groups Aggregating Different Forms of Power
• Conditions for emergence
  • Coalescence of external group identity
  • Formation of internal infrastructure
    • Identifiable leadership
    • Ideological mission statements
  • Institutional neglect or failure to pursue/co-opt by:
    • Civil authorities
    • Law enforcement
    • Government
  • Counter example: China's Revenge of Flame group
Hacking Groups Aggregating Different Forms of Power
• Aggregation of a resource from which to project a power base
  • Financial resources
    • RBN and the Duma election
  • Demonstrated technical resources
    • Example: China hacker groups
  • The potential of the double-edged sword
Emergence of Loosely Coupled Criminal Enterprises
• Current cybercrime situation
  • Almost all forms of current cybercrime involve financial motives and non-violent actions:
    • Exploits
    • Phishing
    • Spearphishing
    • DDoS, or extortion via DDoS
    • DNS poisoning
    • Web page hijacking
  • A new twist: the epilepsy attack
    • Epilepsy Foundation website
    • Images placed to induce epileptic seizures in visitors
    • More of a "griefer" attack than a violent crime action
Emergence of Loosely Coupled Criminal Enterprises
• Loose coupling of cyber and violent actors
• Factors facilitating the emergence:
  • Loss of privacy and the ability to collect personally identifiable information from the web
  • Establishment of electronic means of payment along with the emergence of ignorant or willing money mules
  • Increasing presence of nationals bonded by ethnic or national ties to other out-of-country individuals pursuing cybercrimes
Emergence of Loosely Coupled Criminal Enterprises
• A hypothetical example
  • Cybercrime group collects PII about the target:
    • Terrestrial addresses
      • Home
      • Work
    • Familial details
    • Vehicle id
    • Business information
    • Financial information