Reverse Deception: Organized Cyber Threat Counter-Exploitation
Authors: Sean Bodmer
While this study is still underway, very early results from the study models suggest that relationships exist among some of these variables and the severity of attack against another country or their own country. For example, early models suggest that there is a positive relationship between pirating media and software and the level of severity of a cyber attack or a physical attack against one’s own homeland. Individuals who considered some country other than the United States as their homeland also indicated they would initiate more severe cyber attacks against their own homeland. The study also hints at a possible relationship between the severity of contemplated cyber attacks and the severity of potential physical attacks against their own homeland.
When completed, the study may provide additional insight into the willingness of a more general population of individuals to launch a cyber attack against a nation-state, either foreign or their own. The early results suggest that the relevant factors depend both on the type of attack (physical or cyber) and on the intended victim (a foreign country or one's own homeland). As one might expect, respondents with weaker feelings of patriotism were more likely to initiate a cyber attack against critical infrastructure in their own homeland. Respondents whose homeland was somewhere other than the United States were also more likely to conduct a cyber attack against critical infrastructure elements in their own homeland. Respondents who had engaged in software or media piracy were more likely to engage in a cyber attack against a foreign country.[16]
Conclusion
This chapter described a small number of the many profiling vectors that play a part in profiling APTs, providing some examples of profiling characteristics and strategies. We addressed some of the strategies that might be used in profiling specific cyber attacks or attackers, with the goal of enhancing the digital forensic investigation process.
This chapter also introduced the idea of using profiling data on a strategic level to gain a better understanding of macro-level forces at work. We discussed the potential for individuals to conduct cyber attacks against their own or other nation-states.
We hope that some of the ideas presented here will spark additional professional interest in the area of cyber profiling, as well as remind more traditional technical forensic teams of the importance of knowing your enemy.
References
Bergson, H. (1913). “Time and free will: an essay on the immediate data of consciousness.” New York: Macmillan.
Cohen, J. (2011). “Law unto itself.” South China Morning Post, March 30, 2011.
de Nooy, W., Mrvar, A. and V. Batagelj (2005). “Exploratory social network analysis.” New York: Cambridge University Press.
Foucault, M. (1977). “Discipline and punish.” Canada: Random House.
Holt, T. (2007). “Subcultural evolution—Examining the influence of on and offline subcultural experiences on deviant subcultures.” Deviant Behavior (volume 28, pp. 171-198).
Holt, T. and M. Kilger (2011). “Civilian participation in cyber conflict.” Presented at the 10th Annual Honeynet Project Workshop, Paris, France.
Holt, T., Kilger, M., Strumsky, D. and O. Smirnova (2009). “Identifying, exploring and predicting threats in the Russian hacker community.” Presented at DefCon 17, Las Vegas, Nevada.
Holt, T. and E. Lampke (2010). “Exploring stolen data markets online: Products and market forces.” Criminal Justice Studies (volume 23, pp. 33-50).
Kilger, M. (2010). “Social dynamics and the future of technology-driven crime.” In T. Holt and B. Schell (Eds.), Corporate Hacking and Technology Driven Crime: Social Dynamics and Implications (pp. 205-227). Hershey, PA: IGI-Global.
Kilger, M., Stutzman, J., and O. Arkin (2004). “Profiling.” In The Honeynet Project, Know Your Enemy (pp. 505-556). Addison Wesley Professional.
Linderman, F. (1957). “Plenty-coups, Chief of the Crows.” Lincoln, NE: University of Nebraska Press.
Markoff, J. and D. Barboza (2010). “2 Chinese schools said to be tied to online attacks.” New York Times, published February 18, 2010, retrieved on May 1, 2012 from www.nytimes.com/2010/02/19/technology/19china.html.
McGrath, J. and F. Tschan (2004). “Temporal matters in social psychology: Examining the role of time in the lives of groups and individuals.” American Psychological Association.
Parker, T., Shaw, E., Stroz, E., Devost, M., and Sachs, M. (2004). “Cyber adversary characterization: Auditing the hacker mind.” Rockland, MA: Syngress.
Rabinow, P. (2008). “Marking time: on the anthropology of the contemporary.” Princeton, NJ: Princeton University Press.
Rogers, M. (2005). “The development of a meaningful hacker taxonomy: a two dimensional approach.” CERIAS, Purdue University.
Scott, J. (2000). “Social network analysis: a handbook.” London: Sage.
Shannon, C. (1948). “A mathematical theory of communication.” The Bell System Technical Journal (volume 27, pp. 379-423).
Shaw, E., and Stroz, E. (2004). “WarmTouch software: assessing friend, foe and relationship.” In Parker, T. (Ed.), Cyber Adversary Characterization: Auditing the Hacker Mind. Rockland, MA: Syngress.
Wise, D. (2002). “The inside story of how the FBI’s Robert Hanssen betrayed America.” New York: Random House.
Wu, X. (2007). “Chinese cyber nationalism: evolution, characteristics and implications.” Lanham, MD: Lexington Books.
1. For an anthropological take on time, see Rabinow, 2008. For a social psychological perspective, see McGrath and Tschan, 2004.
2. The MEECES acronym is based on the original acronym MICE used by the FBI for the reasons individuals would betray their country: money, ideology, compromise, and ego.
3. For a much more complete picture of this phenomenon, see Wu, 2007.
4. For a good practical guide on using Pajek to analyze social networks, see de Nooy et al., 2005.
5. For examples of other measures of centrality, see de Nooy et al., 2005, pp. 123-137.
6. WarmTouch is a psycholinguistic system developed by Shaw and Stroz that utilizes psychological profiling algorithms to analyze the psychological states and characteristics of a suspected malicious actor, such as anger, emotional vulnerability, and anxiety, as well as evaluating that actor's potential behaviors.
7. For an example of the Jargon File, see www.catb.org/jargon/.
8. Indeed, since the early days of Unix and Linux, magic numbers (fixed byte patterns at known offsets) have played an important role in identifying disk and file structures. On these systems the file(1) command identifies a file by its magic number, and the format of its signature database is documented in the magic(5) manual page.
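The following is an added example, not code from the book: a minimal magic-number identifier in the spirit of file(1), extended with the forensic check a practitioner actually wants from it, namely flagging files whose extension does not match what their header says they are (an executable renamed to .pdf, a PNG renamed to .jpg). The signature table is a small hand-picked subset of real signatures, not the magic(5) database, and the expected-extension mapping and the sample files are constructed for the example.

```python
"""Identify files by magic number and flag extension/content mismatches.

Added example. SIGNATURES is a hand-picked subset of well-known magic
numbers (the real file(1) database is far larger); EXPECTED_EXTENSIONS
is an assumed policy table for the mismatch check.
"""
import os

# (offset, signature bytes, description). Order matters: more specific or
# longer-offset signatures are listed before short two-byte prefixes so the
# most specific match wins.
SIGNATURES = [
    (0, b"\x7fELF", "ELF executable"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "ZIP archive"),
    (0, b"\x1f\x8b", "gzip compressed data"),
    (0, b"MZ", "DOS/Windows executable (PE/MZ)"),
    (0, b"#!", "script text with interpreter line"),
    # Disk structures: ext2/3/4 superblock magic 0xEF53 (little-endian) at
    # byte 1024 + 56, and the 0x55AA boot signature at the end of an MBR.
    (1080, b"\x53\xef", "ext2/3/4 filesystem image"),
    (510, b"\x55\xaa", "DOS/MBR boot sector"),
]

# Assumed mapping of detected type -> extensions we consider consistent.
EXPECTED_EXTENSIONS = {
    "ELF executable": {"", ".so", ".o", ".ko", ".elf"},
    "PNG image": {".png"},
    "PDF document": {".pdf"},
    "ZIP archive": {".zip", ".jar", ".docx", ".xlsx", ".apk"},
    "gzip compressed data": {".gz", ".tgz"},
    "DOS/Windows executable (PE/MZ)": {".exe", ".dll", ".sys", ".scr"},
    "script text with interpreter line": {"", ".sh", ".py", ".pl", ".rb"},
    "ext2/3/4 filesystem image": {"", ".img", ".dd", ".raw"},
    "DOS/MBR boot sector": {"", ".img", ".dd", ".raw", ".bin"},
}


def identify(data: bytes) -> str:
    """Return the description of the first signature that matches `data`.

    A slice past the end of short data is empty, so offset-based signatures
    simply fail to match on small files instead of raising.
    """
    for offset, sig, desc in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return desc
    return "data (no known magic)"


def examine(filename: str, data: bytes) -> dict:
    """Identify `data` and report whether `filename`'s extension agrees."""
    kind = identify(data)
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_EXTENSIONS.get(kind)
    # Unknown types are never flagged: no signature means no claim to check.
    suspicious = expected is not None and ext not in expected
    return {"file": filename, "type": kind, "extension": ext,
            "suspicious": suspicious}


def scan(samples: dict) -> list:
    """Examine a {filename: bytes} mapping and return one report per file."""
    return [examine(name, data) for name, data in samples.items()]


# Constructed sample files (only the first bytes matter to the check).
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # PE disguised as PDF
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,      # PNG with .jpg name
    "backup.tar.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 6,
    "disk.img": b"\x00" * 510 + b"\x55\xaa",              # bare MBR sector
    "root.img": b"\x00" * 1080 + b"\x53\xef" + b"\x00" * 8,
    "notes.txt": b"just some text\n",
}

if __name__ == "__main__":
    for r in scan(SAMPLES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['file']:14} {r['type']:36} {flag}")
```

Two-byte signatures such as "MZ" and "#!" are weak on their own (a text file beginning with "MZ" would match), which is why file(1) pairs short prefixes with further structural checks; the example keeps them to show why the order of the table, and the length of the signature, matter.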
9. Once Kilger shut down a Unix system for the weekend, and on his return that Monday found to his horror that when he turned on the power switch, nothing happened. He quickly called his Unix wizard, who told him to disconnect all the cables from the CPU. The next direction was to lift the CPU over his head and do the hokeypokey. When asked why, the wizard said “just do it.” After performing the magic hokeypokey, the wizard instructed the author to reconnect the cables and turn on the power switch. The server came to life immediately. When asked why, the wizard at first said “magic,” and then relented and explained that the lubricant in that particular hard drive the server used had solidified over the weekend, and the shaking the CPU endured during the hokeypokey session broke the lubricant’s grip on the hard drive spindle, allowing the drive to spin up and the server to boot.
10. Carding refers to the activities involved in the acquisition, buying, and selling of stolen credit card numbers.
11. For an example of a carding community study, see Holt and Lampke, 2010.
12. See Foucault, 1977 for examples of such discussions.
13. By “effectively,” we mean that there is a reasonably high probability of success, the level of damage that is inflicted is orders of magnitude larger than might otherwise be the case for a physical attack, and the attacker has a reasonably small probability of being apprehended.
14. For a more comprehensive look at the issues of nationalism among Chinese hackers, see Wu, 2007.
15. “Homeland” refers to the country that the respondents indicate they feel is their homeland, regardless of whether or not they are US citizens.
16. The geographical scope of this original research is being expanded to other countries, including Taiwan, Australia, Italy, South Africa, and Russia, with the intent of being able to make cross-national comparisons of the motivators for physical and online attacks by individuals against nation-states.
CHAPTER 11
The Value of APTs