1 / 59

Some Important Emerging Shifts in the Motivations and Objectives of Cyberattackers Max Kilger, Ph.D. Profiler The Honeyn

Some Important Emerging Shifts in the Motivations and Objectives of Cyberattackers Max Kilger, Ph.D. Profiler The Honeynet Project. Seacure.it October 2009 Milan,Italy. Overview. Why do we care about profiling? Why take a more theoretical approach to this problem? A very brief retrospective

mike_john
Download Presentation

Some Important Emerging Shifts in the Motivations and Objectives of Cyberattackers Max Kilger, Ph.D. Profiler The Honeyn

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Some Important Emerging Shifts in the Motivations and Objectives of CyberattackersMax Kilger, Ph.D.ProfilerThe Honeynet Project Seacure.it October 2009 Milan,Italy

  2. Overview • Why do we care about profiling? • Why take a more theoretical approach to this problem? • A very brief retrospective • Motivational profiles • Community level analysis • Geo-political and economic influences • Emerging threats: • Civilian cyber warrior • Developing economic, political and social power of hacking groups • Loose coupling of virtual and violent criminal activity • The potential pandora’s box of the developing world • Some final thoughts

  3. Objectives of Profiling and Social Analysis • Primary uses of profiling and social analysis: • Profiling of individuals identification and possible apprehension • Collection and analysis of data into models that allow better theoretical understanding of black hat community • Assist in predicting motives and behaviors in specific attacks by groups/individuals • Produce a better understanding of emerging threats • What are they? • What form might they take? • Who are the potential targets? • Where will they come from? • How do we begin to build pre-emptive defenses against them?

  4. Profiling Myths and Realities • A Profile Alone is not Enough… • Don’t expect a profile to directly identify the offender(s) • A profile does do three key things: • A filter in which to bring into focus important details of the crime and attenuate those details which are not likely to be relevant – a tool that helps tell the investigator where to look and what to look for • Provides a rich fabric of interlocking details that allow the investigator to look for correlates that build the pathway to finding the offender • Sometimes provides the “catalyst” that together with other information leads eventually directly to the offender(s)

  5. A Very Brief Retrospective

  6. Magic History Status Tech Humor Derog Elements of the Community in the Simpler Past

  7. Dimensions of the Social Structure of the Hacking Community Note: Jargon File entry may be coded into multiple thematic categories

  8. Griefing Identity Coercion Deception Emergent Complex Elements

  9. Motivations

  10. Motivations • A play off the old FBI counter-intelligence term MICE • MEECES • Money • Ego • Entertainment • Cause • Entry to social group • Status

  11. Motivations: Money • Now the most common motivator for blackhats • Individuals motivated by money often are found almost entirely within groups that share this motivation • There are a number of “currencies” in use in the black hat community – stolen credit cards and bank accounts, root ownership of compromised machines, exploits, virtual assets, “secret” data • Financial resource for organized crime/terrorist funding - quick turnover of stolen credit card numbers, bank accounts and cash in foreign countries and subsequent write-off

  12. Motivations: Ego • Both black hat and white hat communities share this common and very powerful motivation • Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative • Idea of mastery over the machine – getting it to do what you want, often in spite of numerous security obstacles

  13. Motivations: Entertainment • This motivation often comes from the consequences of an exploit • Getting a device to do something unusual or novel • Bluejack bluetooth devices like phones and get them to call porn lines • sometimes this involves anthropomorphic dimensions • Sometimes the entertainment value comes from the actions of individuals/organizations that are directly associated with the exploited box/device

  14. Motivations: Cause • An emerging and evolving motivation in the white hat/black hat community • Most common instance of this motivation - hacktivism - the use of the Internet to promote a particular political, scientific or social cause • Original seed – “information should be free”

  15. Motivations: Cause • Examples of hacktivism • Bronc Buster and Zyklon disable Chinese firewalls to allow Chinese Internet users access to forbidden websites • Jam Echelon Day (JED), hacktivists flooded net with emails with embedded target words to flood intel net sniffers • Electronic Disturbance Theater floods Republican National Committee and conservative websites to coincide with RNC convention • RIAA website wiped off the Internet • Stay tuned for the special case of the civilian cyber warrior

  16. Motivations: Entrance to a Social Group • Black hat/white hat groups tend to be status homogeneous in nature • This implies there is a certain level of expertise necessary for induction into the group • Elegant code/exploits are one method for gaining acceptance into the group - writing new and innovative code and sharing it as a demonstration of the level of expertise necessary to be considered for membership in the social group

  17. Motivations: Status • A powerful motivation within both the white hat and black hat communities • Much of the behavior within these communities is influenced by the status position of individuals both within local group as well as global group hierarchies • Community as meritocracy

  18. Profiling Example • IRC chat • here we see members of a group exchanging areas of expertise - you should evaluate these using reactions of other group members as validation points • 20:49:30 quark: am I the only one who uses C++ rather than C? • 20:49:32 oracle: heh • 20:49:34 shaverboy: yah • 20:49:42 oracle: u a winshit coder? • 20:49:42 shaverboy: personally i don't like c++ • 20:49:42 burgerking: outties • 20:49:49 burgerking: ".k *" • 20:49:52 quark: lol, yes, i'm a winshit coder • 20:49:52 burgerking: .users • 20:49:59 shaverboy: i can do everything i want in C and if i need object oriented stuff, I can use LISP, Java or Python

  19. Profiling Example • Status plays an important part in the social structure of the computer hacker community and this next excerpt allows the profiler to identify the status positions of at least some of the members of the group: • 15:35:28 Slash: checkov i am not sure what kind of code it is • 15:35:46 cigquake: because you don't know shit about what is going on • 15:35:50 burgerking: yeah quark im just an amature :P • 15:36:09 quark: lol, I'm far from pro, I just enjoy doing it • 15:36:17 checkov: Slash: well figure it out • 15:36:36 burgerking: Slash the whole point of me pestering you is so you will get off your ass and try learn.. because you rely on others • 15:36:46 burgerking: and thats not what your suppose to do to learn • 15:37:01 Slash: i am learning i never learnd why !/bin/pass workes!!! • 16:34:04 burgerking: Ok well here is a simple explanation the code your exploiting has a group level of 2.. which is your current the user is level3 which means

  20. Profiling Example Here we get a very good clue about their perspective on the blackhat-whitehat continuum • 16:44:56 Shortkid: i used to be gray but its not that cool • 16:44:59 burgerking: Trashcan im not from the south island ;) • 16:45:01 shaverboy: black hat eh? • 16:45:15 burgerking: lol how are you a black hat? • 16:45:15 shaverboy: so you're actually trying to be malicious? that's fine by me • 16:45:32 Shortkid: lets say i want to be a black hat • 16:45:37 shaverboy: ok

  21. Profiling Example • Here’s the money shot for those folks in law enforcement or intelligence - a dentist’s appt on a specific date and time in a town in Maine… • 21:59:30 quark: Maine here • 22:00:22 shaverboy: checkov i'm in VT, just got 2 feet of snow on x-mas day • 22:00:24 shaverboy: i love maine • 22:00:25 quark: lol • 22:00:30 checkov: i hate snow • 22:00:36 checkov: I lived in fl for 15yrs • 22:02:32 quark: so yeah, I woke up at 6:30 am to get ready for what I thought was an orthodontist apointment... turns out it was at 3:40 in the afternoon • 22:02:38 quark: I could have slept in too :(

  22. Community Level Analysis

  23. Status Processes and Community Gatherings • Very strong emphasis on one’s status position in the community sets off a number of other social processes with similar vigor • Status conflicts within the community occur frequently and often with considerable rancor • Status processes are at work in the efforts of individuals to join specific local social networks • Individual members of the black hat community tend to form social groups based upon status homogeneity • Status processes often result in affect processes being triggered - evidenced by the high level of derogatory behaviors seen in the community within local social networks and beyond • Lack of verbal and non-verbal communication cues because of the use of chat rooms/email as major form of communication often leads to conflict

  24. Status Processes and Community Gatherings • Hacker “conventions” are an important structural/functional component of the community • Allows face to face communication where status hierarchies can be more easily worked out and communicated between groups/individuals • Also provides a method by which status hierarchies can be communicated across groups, thus producing a more stable community with a larger sense of inter-group solidarity • Gives the community the opportunity to formally pass on the norms and values of that community

  25. Geo-Political and Economic Analysis

  26. Geo-Political and Economic Influences • There’s more at work than just micro-level influences…there are macro-level forces at work as well • The distribution of these motivations is dependent upon the geo-political and economic environment within a country or region

  27. Romanian Blackhat Community • Historical background (pre 1989) • Romania during it’s Communist regime a center for the development of computer tech and software for Eastern Bloc countries • Romania also has a tradition of strong university programs in math and comp sciences • Current Political and Economic Conditions • Poor economic conditions coupled with a runaway inflation rate • Significant unemployment among higher educational attainment groups with strong tech backgrounds • Widespread corruption among many sectors of government

  28. Romanian Blackhat Community • Result: Larger number of blackhats motivated by Money • legitimate opportunities for business and employment shrink - more tech trained individuals turn to financial cybercrime (credit card fraud, cyber extortion, etc.) to generate capital • Result: Larger number of blackhats motivated by Ego and Status components • Lack of legitimate outlets and rewards for tech skills lead to high levels of frustration and need to “prove technical expertise”, restore self-esteem • Sense of global relative injustice may motivate these individuals to attack targets in countries where their skills are more valued and rewarded

  29. PRC Blackhat Community • Threat just in terms of sheer numbers • Difficult to estimate the number of blackhats in PRC • Darkvisitor website suggests 380,000 – but who knows… • Current political, economic and social conditions • Incredible economic growth • China Daily cites 10% annual growth • Adoption and integration of technology into everyday life of chinese citizens – especially younger ones – is taking place at exponential speed • The synergy of these two economic and social forces is producing a blackhat world that is evolving at incredible speed

  30. PRC Blackhat Community • There is also a geo-political component to this • Incredibly strong sense of nationalism among many PRC blackhats • Example: CNN attacks • Synergistic interactions between PRC government entities and Chinese blackhat groups

  31. PRC Blackhat Community • Result: Large number of blackhats motivated by Money • Large community of virus writers • Sell malware used to steal credentials, access to bank accounts and especially virtual assets • Virtual assets especially targeted • QQ accounts, QQ coins, gaming assets • Recent paper cited one large virtual asset marketplace (Zhuge et al, 2007) • Over 42,000 virtual asset shops • Almost 9 million transactions in 6 months • Whale phishing • Targeting US and other affluent executives • Use sophisticated social engineering techniques • Blackhat community seems to be paralleling the tremendous growth of the Chinese economy • Growing pools of financial assets

  32. PRC Blackhat Community • Result: Blackhat groups accepting directions from PRC government entities – Cause • Assisting in large scale data collection for industrial and military/governmental espionage purposes • Combination of nationalism and implicit coercion or co-opting to gain cooperation of blackhat community members and groups

  33. Final Geo-Political Comment… • Research that measures the levels of each of the motivations (MEECES) within a specific country may help us predict the types of threats that emerge from that country…

  34. Emerging Threats

  35. Emerging Threat:Civilian Cyber Warrior

  36. The Special Case of the Civilian Cyber Warrior • Traditional forms of aggression • Personal costs • Economic • Probability of getting caught • Legal consequences • Historical and social significance of emergence of civilian cyber warrior • Key point – the social psychological significance of the event • First time in history that an individual could effectively attack a nation state • The reassessment of the usual assumptions of the inequalities of the levels of power between nation states and citizens – establishes new relationships between institutions of society, government and individuals

  37. Emerging Threat: Developing Economic, Political and Social Power of Hacking Groups

  38. Hacking Groups Aggregating Different Forms of Power • Acquisition of knowledge and resources • Role of the Internet • Lower visibility of preparations • The role of mentors • Effectiveness • Changing probabilities in the risk assessment • The danger of ignoring the distribution of skills and expertise • Probability of success • Likelihood of engaging multiple actors • Magnitude of damage

  39. Hacking Groups Aggregating Different Forms of Power • Conditions for emergence • Coalescence of external group identity • Formation of internal infrastructure • Identifiable leadership • Ideological mission statements • Institutional neglect or failure to pursue/co-opt • Civil authorities • Law enforcement • Government • Counter example – China’s Revenge of Flame group

  40. Hacking Groups Aggregating Different Forms of Power • Aggregation of a resource from which to project a power base • Financial resources • RBN and the Duma election • Demonstrated technical resources • Example – china hacker groups • The potential of the double-edged sword

  41. Loose Coupling of Virtual and Violent Criminal Activity

  42. Emergence of Loosely Coupled Criminal Enterprises • Current cybercrime situation • Most all forms of current cybercrime involve financial motives and non-violent actions • Exploits • Phishing • Spearphishing • DDOS or extortion via DDOS • DNS poisoning • Web page hijacking • A new twist – the epilepsy attack • Epilepsy Foundation website • Images placed to induce epileptic seizures by visitors • More of a “griefer” attack than a violent crime action

  43. Emergence of Loosely Coupled Criminal Enterprises • Loose coupling of cyber and violent actors • Factors facilitating the emergence • Loss of privacy and ability to collect personally identifiable information from the web • Establishment of electronic means of payment along with emergence of ignorant or willing money mules • Increasing presence of nationals bonded by ethnic or national ties to other out-of-country individuals pursuing cybercrimes

  44. Emergence of Loosely Coupled Criminal Enterprises • A hypothetical example • Cybercrime group collects PII about target • Terrestrial addresses • Home • Work • Familial details • Vehicle id • Business information • Financial information

More Related