Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Similarly, a fair amount of attention has been paid to motivation for malicious online acts by a number of researchers exploring cyber crime and the hacking community. In some cases, such as in reasearch by Max Kilger and his associates, the person’s general motivation for developing malware, creating exploits, and participating in unauthorized penetrations of networks is the primary classification factor in defining an online offender taxonomy (Kilger et al, 2004). More recently, Kilger describes some of the shifts in those motivations over time, as well as changes in the dynamic social structure of the hacking community as a whole (Kilger, 2010).
In another example, Meyers and his follow researchers use motivations as a secondary classification characteristic in defining their online adversary schema (Meyers et al, 2009). They list very specific motivations as being associated with specific classes of offenders. For example, the class set (cyberpunks, crashers, and thugs) is said to have prestige, personal gain, and thrill-seeking as their motivations for malicious online acts. Offenders of the coder and writer classes are motivated by power, prestige, revenge, and respect. Rogers also elaborates on distinct motivations for malicious online behavior for each of his classes of offenders (Rogers, 2005). Individuals in his novice category, for example, are said to be motivated by thrill-seeking and ego-stroking, while the old-guard class of individuals are motivated by curiosity and the need for intellectual challenge.
Similar to the case of traditional criminal activity, the selection of a victim in the online digital world may be an important one that can be strongly related to the motivations of the offender. In the world of advanced persistent threats, the connection between the victim and the nature of the motivation of the offenders is often closer than it might be in less sophisticated attacks. Understanding the motivation of an offender can provide important intelligence for the defender. This knowledge can be leveraged, and may be able to tell defenders which of their assets are most likely to come under attack and which ones are relatively safe. The potency of the offender’s motivation in the case of more complex and persistent threats is often going to be much stronger than for less advanced attacks. Correspondingly, the value of the objectives of the attack is likely to be significantly higher than for the average cyber attack.
In any case, the offender’s motivation is an important factor in the cyber profiler’s evaluation. We will return to a more detailed examination of the role motivation can play in profiling advanced persistent threats in
Chapter 10
.
Weapons and Tactics
Weapons, and the manner in which they are used, play a key role in the traditional criminal profiler’s analysis. A weapon is more than just a means to an end in a violent crime. The weapon connects the offender directly to their victim. The choice of weapon and how it is used can often be of assistance in producing a psychological profile of the offender (Denevi and Campbell, 2004). For example, a knife is a weapon that generally must be used very close to the victim with significant physical effort, and thus is sometimes felt to suggest a more aggressive and close personal involvement of the perpetrator.
Excessive use of a weapon beyond what would normally be necessary to subdue, incapacitate, or kill the victim is often taken to suggest that the offender is attempting to dehumanize the victim (Denevi and Campbell, 2004). Overkill is discussed at length by Douglas and his coauthors, and they suggest that there is a positive correlation between the magnitude of overkill and the closeness of the relationship between the offender and the victim (Douglas et al, 2006).
The choice of weapon is also sometimes linked to some postcrime behaviors by offenders. Ressler and his fellow researchers reviewed 64 murder cases for postcrime behaviors (Ressler et al, 1992). The results indicate that in murders in which only a firearm was used, the offender was more likely to have kept a diary (56 percent versus 26 percent), kept newspaper clippings (64 percent versus 26 percent), and confided in someone or hinted about his crime (21 percent versus 6 percent).
Traditional criminal profilers also have an interest in weapons and tactics because patterns often emerge among multiple crimes in terms of the weapons, tactics, and characteristics of weapon when there is a single offender committing the crimes. Perpetrators often use the same weapon in the same manner when committing a serial set of crimes.
The presence or absence of a weapon is also a potential clue for the criminal profiler. The presence of a weapon at the crime scene suggests that the crime was committed by a disorganized offender. The absence of a weapon at the crime scene suggests an organized offender. This determination of an organized or a disorganized offender can then lead to other inferences that may be helpful in identifying the perpetrator.
Weapons and tactics also play an important part in the process of developing a profile of an offender committing malicious acts online. A large number and variety of weapons and tools are available to online perpetrators, such as vulnerability scanners, viruses, Trojans, rootkits, man-in-the-middle exploits, and distributed denial-of-service tools—just to name a few.
Similar to traditional criminals, if malicious online offenders are having success with a particular type of attack vector or weapon, they are likely to continue to deploy that particular tool or exploit until the costs begin to outweigh the benefits. It may be the case that this cost emerges in the form of an effective defense that has been released against the particular tool, and as a consequence, the number of vulnerable machines has dropped significantly. It could also be the case that the risk of being identified using the specific tool or exploit has increased because of vulnerabilities in the tool, and so the online offender must move on to another tool.
In some cases, especially for advanced persistent threats, the offenders will use multiple tools (weapons) in order to reach their objective. The complexity, number, and sequence in which the tools are used; the manner in which they are used; and the sophistication of those tools are also important markers for profilers to use in developing offender profiles. These characteristics are useful in assisting the profiler in building an estimation of the skill level of the offender. The presence of evidence that suggests that a large number of diverse, sophisticated, or uncommon tools has been used in an attack may mean that more than one offender is behind the malicious acts or that the target is dealing with an extremely skilled and dangerous adversary.
In addition, the unique sequence and combination of tools may assist the profiler in determining if a series of attacks is attributable to the same individual or group. The same multiple tools used in the same sequence in a series of attacks in the same manner suggests that the same or related offenders may be committing the attacks.
8
Note that there are situations where this signature may change. It may be due to something simple, such as the need to change strategies to attack a different operating system platform, or it might be something more sophisticated, such as offenders changing their attack strategy to alter their attack signature and avoid linking previous attacks to the current one underway.
If the profiler suspects that a team of offenders is responsible for a series of attacks, then a change in the specific tools, sequence, complexity, or manner in which the attack is deployed could also signal the addition of new talent to the offender’s team. Remember that perpetrators of advanced persistent attacks may be more likely to persist in their efforts to commit numerous malicious acts. In some cases, you must consider that the makeup of a cyber-crime gang is dynamic in nature and may change over time.
Many more characteristics of weapon and tool use may be useful to profilers. It is one of the key profile factors that can enable the profiler to build a rich and effective profile for investigators to utilize. The characteristics of tool use will be further discussed in
Chapter 10
.
Socially Meaningful Communications and Connections
Human beings are amazing social animals.
9
Our world is constructed socially, guided by interpersonal and cultural norms, values, and a broad range of simple to complex social processes. The early erroneous myths that “computer hackers” were nonsocial or antisocial individuals were quite wrong, and our understanding of individuals who formed in-depth relationships with the operating systems, programming languages, and hardware that make up digital technology suffered for a number of years from this fallacy.
Traditional criminal profilers discovered early on that violent criminals were also social animals. The ability of profilers to place themselves in the social milieu of offenders committing serious, often very vicious crimes was an important part of better understanding criminals’ motives and personalities. Such understanding provided data to develop an effectual profile of the individual or individuals responsible for a specific crime or series of crimes.
Understanding the mindset of violent criminals was important to the FBI even from the early 1970s, during the tenure of Howard Teten, and continuing with Douglas, Hazelwood, and their colleagues (for an early example, see Hazelwood and Douglas, 1980). Much of this earlier work focused on the psychological states of the offenders in question, and this more psychological bent continues to this day in much of the traditional criminal profiling work. Often, if the offender was known, family and friends of the suspect were interviewed to gather information that would assist the profiler in developing a psychological profile of the suspect. Psychopathology still plays a significant part in the profiling process for the Behavioral Analysis Units at Quantico (FBI BAU-2, 2005).
While Canter has focused on the field of investigative psychology, he also has examined traditional criminal behavior from a more social psychological perspective (Canter and Alison, 2000). This is also the tactic that the remainder of this discussion in cyber profiling will adopt. The abundance of evidence and clues present in the digital realm on the social psychological level suggests that it may be a more initially fruitful analysis level to employ when developing a profile of a malicious online actor.
Social beings that they are, humans have this propensity to communicate in meaningful symbols (Mead, 1932).This exchange of meaningful symbols plays an important part in the formation of the self. George Herbert Mead conjectured that the self was made up of the “I” and the “Me.” Mead stated that the Me component of the self represents the “organized set of attitudes of others” (Mead, 1934); that is, a large component of people’s concept of self is their interpretation of other people’s attitudes toward them. Mead’s concept of the I was the creative, individualistic responses of people to their environment and the attitudes of others toward them.
Kilger pointed out the digital version of this construct—the meaningful symbols that can be found online that are relevant to a specific person—form what he called a “digital individual” (Kilger, 1994). This digital individual is a virtual representation of the online self-identity of the individual, and in our case, the specific offender. This means that this online self-identity—this digital individual—can be reconstructed from the meaningful symbols present online. This socially based reconstruction can provide some key insights into the mindset, motivations, and behaviors of the offender.
There are many forms and environments in which these relevant meaningful symbols can be found and used to assist in the development of an effective profile. Sometimes meaningful symbols are left at the crime scene in the form of a note. The audience for these notes may be the friends or family of the victim, or even the crime investigators. These kinds of notes also sometimes are found at virtual crime scenes. Often, they are addressed to the system administrator of the compromised server or network, admonishing them for their lack of skill in keeping their network or servers secure. There may be contextual or linguistic clues in the note that provide some hints as to the motivation or objectives of the offender.
Text-based clues to the identity of the offender may also be available in various chat and IRC forums. As sometimes is the case in traditional crime, where a perpetrator discloses or brags about a specific crime to a friend or acquaintance, online offenders may boast of a specific illegal act in a chat room that they frequent. Sometimes there may not be a reference, but other clues as to specific motivations and personality characteristics may emerge in a chat dialogue that make a particular suspect more or less likely to have committed a specific act.
IRC chat logs can have even more use in developing a profile of a suspected offender. Remember that there are multiple social actors engaged in conversation, exchanging meaningful symbols, in the IRC chat room. This means that the trained profiler can examine the IRC logs for evidence of specific social processes occurring that may provide clues to specific characteristics of the actors involved.
For example, the online community in general and the hacking community specifically is a strong meritocracy (Kilger, 2004). This means that there are likely to be status processes at work during the discussion; that is, a status hierarchy is likely to exist among the members of the IRC chat. Status characteristics theory suggests that higher status actors speak more, are given more action opportunities (such as opportunities to speak), receive more positive unit evaluations (such as positive comments about something that was said), and higher levels of influence among a task group (Berger et al, 1977). If you employ this social psychological theory against an IRC chat, and count up each of the status markers for each of the participants, you will be able to develop a good idea of the status hierarchy in the group: who is the leader, who has the second highest status, and who has the lowest status among the members of the IRC chat.