Reverse Deception: Organized Cyber Threat Counter-Exploitation (100 page)

At the high end of the information spectrum, it is much more difficult to develop automated tools that can efficiently and accurately analyze or taxonomize socially meaningful symbols. While there are a number of ongoing efforts to develop tools such as sentiment-identification engines (Saplo, Alchemy, and others) and WarmTouch to assess the level of threat posed by a specific insider (Shaw and Stroz, 2004), the automation of the analysis of socially meaningful objects is still in its very early stages. Automation is important in that analysts are often forced to sift through very large bodies of data to extract meaningful interpretations. This is especially true in the intelligence community, where these tools must be deployed against vast warehouses of rich data elements.

Extracting feature-rich information out of data types that are typically lower on the data-richness spectrum is a primary goal. The ability to extract socially meaningful data from low-level data that is easier to collect and analyze in an automated fashion would be of significant value to profilers and investigators. However, keeping in mind some of the concepts about the limits of information transmission originally hypothesized by Shannon and extensively explored by experts in information theory today, the challenges of successfully mining social meaning-rich data from these low-level data sources have slowed the development of this type of approach.

In summary, as you explore some of the specific profiling vectors discussed in the following sections, keep in mind the preceding discussion about levels of information, both technical and socially meaningful, present in the data you collect and analyze.

Profiling Vectors

Now we will examine four profiling vectors: time, motivations, social networks, and skill level. These are just a few of the many vectors that may be helpful in profiling cyber attackers. Also, this material should not be taken as a definitive enumeration of all the potential ways in which a specific vector may be exploited, but rather as a jumping-off point for further exploring them.

Time

The value of time as a profiling vector may appear to the beginning profiler as deceptively simple and low level in nature, but it is difficult to overestimate its importance. The value of time, especially when linked to other socially meaningful information, can often be invaluable. Part of this is due to the fact that time has significant social meaning in most cultures. Time as a socially important force has been the object of examination for social scientists since at least as far back as 1913 (Bergson, 1913). Cultural anthropologists and social psychologists have made efforts to study the effects of time on cultures and people.
¹

From a social perspective, time organizes many everyday activities: work, school, sleeping, eating, and so on. The nature of the relationship between humans and time is often circadian in nature, with activities bound within 24-hour rhythms. The temporal nature for these kinds of activities often is normatively prescribed both in terms of time of day and duration. Work and school activities for many cultures usually occur at regular times during the day or sometimes evening. Time for sleep often is reserved for hours after darkness has set in for many cultures. These daily activities also typically take up a significant amount of contiguous time within a 24-hour period.

A similar observation applies to the temporal aspects of hacking behavior. Individuals often spend significant amounts of contiguous time engaged in hacking, coding, testing, communication, attacks, and other computer-related activities. Because computer-related hacking activities and obligatory activities (such as work) are typically difficult to engage in simultaneously, individuals must organize and manage their time within a 24-hour day. This increases the likelihood that malicious actors are going on their computers for extensive periods of time and often during similar time periods of the day.

The first consequence of this is that you are more likely to see temporal patterns for nonautomated APTs that are guided by a human actor. If an examination of your security logs shows a reconnaissance or attack preparation during a specific time of the day, then there is a higher probability that further activity, including the actual attack, may occur during a similar time period. It may also be the case that the attackers are aware of the time zone in which the intended server or computer network is located and has chosen a time when they believe there is the least chance of being detected. This time may coincide with heavy network traffic that they can hide in, or it may correlate with the attackers’ belief that there will be fewer actual information security personnel on duty at the time of the intended intrusion.

There are several advantages that this temporal pattern may hold for the profiler and information security personnel. First, if these technical personnel are present during the actual time of the intrusion, there may be actions that they can take that will allow them access to greater information about the activities of the intruder. Second, if the profiler or information security personnel have planned some sort of active engagement with the intruder, such as attempting to involve him in a live online conversation, then knowing when the malicious actor is likely to appear is a distinct advantage.

Another benefit to somewhat regular temporal patterns of activity by malicious actors is that you can make an attempt to narrow down the geographical area from which they are launching their attack. Each location on earth lies within a particular time zone. Coupled with the previous discussion of culturally and socially driven activities in time, you can sometimes use that information to concentrate investigative efforts on certain time zones, and set aside specific time zones that are more likely to hold malicious actors. It often is useful for the profiler to build a “time of day” timeline of observed malicious activity.

This logic gets a bit of additional traction in that often human activities revolve around specific days of the week. This means that the international dateline can be useful in discriminating between weekdays and weekends—while it is daylight on a Friday in the United States, it may be Saturday morning in China.

The profiler can also construct a database of important national holidays, anniversaries, birthdates, and similar dates from countries around the world. Many of these dates are idiosyncratic to a specific country as a national holiday, so changes in activities and activity level are likely to take place. The nature of some of these dates may increase the chances that the malicious actor will surface (for example, on a nationally mandated holiday). In other cases, a holiday season may do just the opposite. In the case of the Islamic holidays of Ramadan, individuals are proscribed from eating during the day and must wait until sunset to break the fast. By the end of the day, most Ramadan observants are hungry, and the first thing they are going to do is break the fast. This means that an intrusion during the first hour or so during the evening may be less likely if the malicious actor is an observant Muslim.

Establishing a time zone for the offender may also be useful in more proactive strategies where the profiling team wishes to manipulate the behavior of the target. For example, knowing the time zone within which an individual lives can suggest how physically alert the target may be at any given time that person is observed online. Catching the target when he is more likely to be tired and less likely to make careful, informed decisions may be useful in increasing the odds that a particular person may be manipulated into performing the actions desired by the profiling team.

In summary, time can be a valuable data point for the profiler. When taken together with other pieces of the picture, the temporal vector of a profile may provide some valuable insight into the identity and location of the malicious actor or actors.

Motivations

Motivations can be an important component of the profile of a malicious online actor or group of actors. Motivational profiles can assist defenders in highlighting their most attractive targets within their organization. Max Kilger lays out six main motivations for malicious behavior on the Internet: money, ego, entrance to social group, cause, entertainment, and status, or MEECES for short (Kilger, 2010).
²

Money

Money is now by far the most frequent motivation for malicious acts online. However, money is not necessarily the most common motivating factor for APTs. There are still a large number of “soft targets” on the Internet that have significant monetary payoffs that do not require the skill level or level of effort typically required for an APT, and these targets are often amenable to large-scale automated attacks.

These large-scale criminal attacks use a multitude of tactics, such as phishing e-mail messages, infection of documents, flash animations, malware for “drive-by” infection of website visitors, presentation of scareware messages that dupe users into downloading fake antivirus software, and a host of other strategies. These are effective techniques whose main characteristics are the ability to scale the threat to encompass a very large potential pool of victims and the automated installation and collection of valuable financial data, such as bank account and credit card numbers, personal passwords to financial sites, and other personally identifiable information.

The ratio of financial return to effort to deploy the malware is quite high, so to some extent, this reduces the attractiveness of the often less automated APT attacks. However, this does not mean that money is still not an important motivation for some advanced threat attacks. When the financial value of a potential target for an advanced threat is high, there will be malicious actors who are willing to put in the additional effort, expertise, and time necessary to make a “low and slow” attack successful.

An additional item worth noting are the changes that significant amounts of money can bring to the normal social relationships within the hacking or cyber criminal gang. The hacking community has been described as a strong meritocracy (Kilger et al, 2004). Traditionally, an individual’s position within the status hierarchy of the hacking group has almost exclusively been determined by the level of technical skill and expertise that member brought to the group. This status position has validity within the person’s home hacking group, as well as within the hacking community as a whole.

In the early days of the hacking community, hacking for money was often looked down on as a violation of the community’s norms and values—that is, the rules that community members are expected to follow, as well as the beliefs and objectives that are shared among members. Individuals who used their computer skills to illicitly obtain funds were labeled as deviant within the community and often shunned.

As the hacking community matured, more opportunities arose to use technical skills to illegally obtain money or other financial goods. This began to attract individuals who, in addition to reasonable technical skills, also had a dominant interest in financial gain by illegitimate means. It also tempted members of the hacking community who had previously resisted or had not even thought of using their skills and expertise to illegally acquire financial and material resources. As individuals who collectively were violating the norms of the hacking community, they naturally began to band together into criminal hacking crews whose main objective was to use their technical skills for financial gain through illicit or illegal methods. As the incidence of these individuals continued to grow, individuals motivated by money began to diffuse through the community, often by having membership in multiple hacking groups, some mainly driven by motivations other than money.

As the motivation of money continued to propagate through the hacking community, it brought with it associations with individuals who were also highly motivated by money, but did not have the technical skills to carry out attacks for monetary gain. These individuals sometimes belonged to traditional organized crime gangs, especially those found in former republics of the Soviet Union. These outsiders held status in their own organizations through more traditional means, such as violence and money. As these outsiders connected with similarly motivated individuals in the hacking community, tenuous alliances between these groups of individuals formed.

Ego

Ego is the second of the six motivations for malicious online behavior outlined by Kilger. This particular motivation is not just restricted to the behaviors of individuals with malicious intent, but can also apply across the entire spectrum of individuals, including typical white-hat network defenders.

Ego refers to the positive psychological feelings that one accrues when successfully overcoming some significant technical hardware or software challenge. This might be something as simple as getting a device to perform some function it normally would not do to something as difficult as defeating a sophisticated security software suite without leaving a trace of the attack. This motivation has been around since the early beginnings of the hacking community and continues to motivate individuals to produce elegant code. Tom Holt refers to this motivation as “mastery,” and suggests that it is one of three traits that researchers have consistently observed over time within the hacking subculture (Holt, 2007).