Reverse Deception: Organized Cyber Threat Counter-Exploitation (99 page)

Authors: Sean Bodmer

Although this information does not exactly identify the true physical identity of the criminal (focus) behind the threat, it is useful. It can be sent to law enforcement, used for counterintelligence purposes to counter the threat, or be used in other nefarious ways that would flat out damage the criminals’ ability to do what they desire to do.

Conclusion

Not everyone is capable of generating their own exploits that will pass legal review for use on operational or live networks. However, there are techniques out there that can help you analyze and better understand the actual persons behind the keyboard on the other end analyzing the stolen data from your enterprise.

Threat research requires the ability to adapt and respond to evolutionary technologies from threats such as SpyEye. Through traffic analysis and taxonomy, you can gain a very eye-opening perspective on these types of threats and can begin developing intelligent defense systems that tackle very specific advances conducted by malicious actors on the Internet. This type of research enables development of preemptive defenses, enabling networks to remain protected against these types of attacks. This chapter discussed some of the tactics and tools that can play a role in actively engaging an active threat within your enterprise.

CHAPTER 10

Attack Attribution

One of the key elements in the practical application of profiling to a problem is the issue of objectives. Defining the optimal outcome(s) of a profiling operation is one of the first tasks that should be undertaken before the project is even launched. While it might seem like the most obvious and single-minded outcome is the identification, pursuit, and prosecution of a specific malicious online actor or group of actors, in reality, a number of outcomes should be examined before the profiling mission is deployed. For example, the identification and detention of an individual could be the end of a series of maneuvers whose sole purpose is the prosecution of a single perpetrator, or it could signal the opening act of a maneuver to acquire an important asset from which additional valuable intelligence could be acquired.

Under different circumstances, the objective of profiling techniques may be to gather and accumulate valuable intelligence that, when examined in aggregate and placed within analytical frameworks as simple as a taxonomy or as complex as a large, multivariate statistical model, could be used in subsequent operations to assist in identification, pursuit, and prosecution activities. The development of sophisticated databases that contain relational links between specific bits of information—people, places, codes, and other pieces of evidence—can provide important clues as to the identities, motives, and locations of perpetrators known or as yet unknown.

A longer-term objective involves deploying profiling techniques and strategies as one of a number of information-gathering tools used in building data sets to facilitate the analysis of more abstract, macro-level complex organizational and social structures that are emerging and evolving within the hacking and cyber criminal subcultures. These objectives belong somewhat more naturally in the realm of the intelligence analyst than the criminal investigator, but there are applicable lessons to be learned for both categories of professionals. For example, collecting and analyzing data on the elements of the social structure of the hacking community and its evolution over the past ten years can assist both the intelligence analyst and the criminal investigator in determining the nature, shape, and probability of near-term or future perils that may emerge within the cyber threat matrix.

As another example, changes in the distribution of motives of malicious online actors may also be useful in assisting members of the intelligence community, law enforcement agencies, and information security professionals in resource planning, tool or sensor innovations and deployment, and proactive defensive/offensive measures development.

In this chapter, we will discuss profiling techniques and strategies that are centered more on the objectives of identification, pursuit, and prosecution. In the course of these discussions, we will examine in more detail some of the profiling vectors briefly outlined in Chapter 4.

We will also discuss the application of profiling data and analytical techniques that represent more strategic than tactical objectives. This approach is focused on developing a more comprehensive understanding of how social forces and technology shape behavior within the hacking and cyber criminal communities. There are distinct social norms, values, and social-control mechanisms embedded in these communities. Gathering information about these characteristics and social processes can give the analyst a better understanding of how these forces help guide behavior. Understanding how these processes evolve over time can help the analyst gain some insight on how the threat environment may change over the longer term due to shifts in these social forces. This understanding then also helps with the development of cyber threat scenarios likely to emerge in the near term. This type of strategic analysis is a key element in developing longer-term strategic thinking about how the cyber threat matrix may evolve. On this basis, analysts may create threat scenarios that have predictive and logistical value, and that also facilitate discussions on how current policies and actions may have an impact on future threats, probabilities, and consequences.

In the final section of the chapter, we will turn our attention to an emerging archetype that appears to have the potential to become a very serious threat within the cyber threat matrix: the civilian cyber warrior.

A Brief Note About Levels of Information Present in Objects

Before we engage in an examination of some of the profiling vectors, let’s take a look at some inherent characteristics of information or evidence that can have a nontrivial effect on the strategies and outcomes of using some of those vectors.

In a very crude analogy to the theoretical notions of information theory first formulated by Claude Shannon, profiling to a certain extent deals with an analogous process of examining and extracting information (signal) from evidential objects that may also contain other useless bits of information (noise) (Shannon, 1948).

Evidential objects or observations obtained during an investigation involving profiling techniques may contain different levels of information, and there are limits to the amount of useful information inherent in each object. For example, a packet may contain information in terms of its size and content that is useful in identifying a specific type of attack, while the contents of a single line in an IRC conversation may speak volumes about the motives or identity of a malicious actor. In a way, this is analogous to Shannon’s notion of channel capacity, where there is a tight upper bound on the amount of information that can be reliably transmitted over a communications channel. Some channels will have very high upper bounds in terms of carrying information, and other channels will have much lower upper bounds.

Such evidentiary clues, which taken together form a pattern, allow the profiler to produce a signature that can be used, for example, to link together other incidents or attacks that can be attributed to that actor.

At the other end of the spectrum are IRC chat messages, text from e-mail messages or websites, photographic images or graphic illustrations, or even full-motion video. Their content may take the form of concrete pieces of information, such as nicknames, geographical locations, language used, specific technical skills, and claims of responsibility for specific attacks. These types of rich evidence also often include important socially meaningful clues that the profiler can use to provide a much broader and deeper profile of the individual or individuals in question. For example, different types of statements made by the participants in an IRC chat room may indirectly reveal who is likely to be the leader of a hacking gang through the analysis of the different types and frequency of statements made by the participants.

In another example, the profiler can assemble a list of potential cyber gang members, associates, and friends through a simple analysis of the pages of a social networking website. An examination of an online video may assist the profiler in identifying an offender by his use of dialect or culturally specific idioms in text-based postings, audio clips, or video clips. Accents within the video or audio clip may also be useful in identifying the ethnic origins of potential suspects. References to specific music, products, or culturally relevant items may also be useful clues.

The use of specific phrases is also a potential identification marker. The identification of FBI mole Robert Hanssen was greatly assisted when counterintelligence agents came across a specific and peculiar phrase—“the purple-pissing Japanese”—that had been used by the mole and recognized by one of the agents as something that he had heard Robert Hanssen say in the past (Wise, 2002).

Each element along this information spectrum also has its own unique characteristics when it comes to analysis of the data. At the low end of the spectrum, analysts can develop automated analytical tools that assist the profiler in sifting through the data for signatures that can identify malicious actors, which may then help link them to hitherto unattributed cyber crimes.
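As an added illustration of the automated, low-end-of-the-spectrum analysis just described and of the statement-type-and-frequency idea from the IRC example above (this is example code written for this page, not a tool from the book): it parses a constructed IRC log, labels each line as a question, acknowledgement or directive using a small hypothetical cue-word lexicon, and ranks participants by their share of directives as an indirect leadership signal. The log lines, nicknames and lexicons are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample IRC log (not from the book); format: "[HH:MM] <nick> message"
SAMPLE_LOG = """\
[21:02] <kestrel> everyone push the new loader to the build box tonight
[21:02] <vireo> ok
[21:03] <vireo> which box, the usual one?
[21:03] <kestrel> yes. run the checksum before you upload
[21:04] <pipit> will do
[21:05] <pipit> kestrel should we wait for the packer update?
[21:05] <kestrel> no. ship it now and fix it later
[21:06] <vireo> done
"""

LINE_RE = re.compile(r"^\[(\d\d:\d\d)\] <([^>]+)> (.*)$")
# Hypothetical cue lexicons; a real tool would use a larger, tuned word list
DIRECTIVE_WORDS = {"push", "run", "ship", "fix", "upload", "send", "stop", "start", "use"}
ACK_WORDS = {"ok", "okay", "done", "will do", "yes", "sure", "roger"}

def classify(msg):
    """Label one message as question, ack, directive or other."""
    text = msg.strip().lower()
    if text.endswith("?"):
        return "question"
    if text.rstrip(".!") in ACK_WORDS:
        return "ack"
    # A directive is any clause opening with an imperative cue word (an address like "everyone" is skipped)
    for clause in re.split(r"[.;!]\s*", text):
        words = clause.removeprefix("everyone ").split()
        if words and words[0] in DIRECTIVE_WORDS:
            return "directive"
    return "other"

def parse_log(log):
    """Return (nick, message) pairs for lines matching the expected log format."""
    return [(m.group(2), m.group(3)) for m in map(LINE_RE.match, log.splitlines()) if m]

def statement_profile(log):
    """Count statement types per nick: the 'types and frequency' the chapter refers to."""
    profile = defaultdict(Counter)
    for nick, msg in parse_log(log):
        profile[nick][classify(msg)] += 1
    return dict(profile)

def likely_leader(log):
    """Nick with the highest share of directives; ties go to the most active nick."""
    profile = statement_profile(log)
    totals = {n: sum(c.values()) for n, c in profile.items()}
    return max(profile, key=lambda n: (profile[n]["directive"] / totals[n], totals[n]))
```

The output is a lead for the profiler to weigh against other evidence, not an attribution by itself.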
