Reverse Deception: Organized Cyber Threat Counter-Exploitation (43 page)

Kilger would like to suggest that in the past three to four years, a new epoch has begun. This new epoch might be called the epoch of the rise of the civilian cyber warrior. The power of computational devices and global digital networks has changed the traditional power relationship between the individual and the nation state. This particular shift in power relations will be the subject of discussion in
Chapter 10
.

Acquiring an Understanding of the Special Population

One of the prerequisites of effective profiling is a fundamental understanding of the special population being profiled, both from a theoretical and a practical perspective. Without this key expertise, it is quite difficult for profilers to place themselves in the mindset of the perpetrators.

The most optimal profiling foundation is one that incorporates theoretical as well as applied elements. While it is possible to derive benefit solely operating from an applied approach, a profile guided by theoretical understanding will allow the professional to provide effective advice in novel situations where past practical experience doesn’t apply.

A lot of theoretical and applied research literature exists. Here, I’ll provide brief synopses to give you a reasonable starting point from which to expand your foundational knowledge. Most of the synopses represent more recent research efforts of the past five or six years, given that a significant portion of the research prior to that was often atheoretical, often anecdotally based, and sometimes quite off the mark. Some of the theoretical perspectives discussed here will return to play a more expanded role in
Chapter 10
, which covers attribution.

Marcus Rogers has developed a taxonomy of hacker profiles (Rogers, 2005). He utilizes two dimensions—motivation and skill level—to build an eight-class taxonomy of hackers. The eight classes are novice, cyber punks, internals, petty thieves, virus writers, old guard hackers, professional criminals, and information warriors. More recently, Rogers added another class to his taxonomy (political activist) and divided the circumplex model of his taxonomy into four quadrants that represent four motivations for deviant computer behavior: financial, revenge, curiosity, and notoriety (Rogers, 2010).

Another researcher, Max Kilger (Kilger et al, 2004), has suggested that the hacking community is a strong meritocracy and proposed six possible motivational profiles for individuals within the hacking community (Kilger et al, 2004). These six motivations are money, ego, entrance to social group, cause, entertainment, and status.
⁵
They suggest that malicious and nonmalicious hacking groups are status homogenous in nature, in that most members, with the possible exception of the group leader, have similar skill levels across a wide range of areas of expertise, including kernel architectures, operating systems, network layers, and firmware. They also suggest that individuals within a specific hacking group usually share one of the six motivations listed.

More recently, Max Kilger and Tom Holt identified two main types of malicious actors: makecrafters and techcrafters (Holt and Kilger, 2008). While both types of individuals may have similar levels of skill, makecrafters are more oriented toward creating new and novel exploits. Techcrafters tend to work with existing technology and code, modifying and adapting existing exploits and known vulnerabilities. In a comparison of a control group of information security undergraduate students against a group of hackers in the wild, Holt and Kilger found that the in-the-wild group perceived themselves as more skillful and had more hacker friends than the university control group members. However, they failed to find any evidence that individuals of the in-the-wild group had less social control than individuals in the university control group.

A more simplistic unidimensional taxonomy has been developed by Raoul Chiesa and other researchers under the auspices of the United Nations Interregional Crime and Justice Research Institute (Chiesa et al, 2009). Their taxonomy contains nine classes of perpetrators ranked by level of skill. The classes of offenders are, in ascending order of skill level, wanna be lamer, script kiddie, cracker, ethical hacker, quiet paranoid skilled hacker, cyber warrior, industrial spy, government agent, and military hacker. Motivations for malicious online behavior include intellectual curiosity, love of technology, conflict with authority, political reasons, and escape from family society.

While most of the research cited here is relevant to cyber profiling, one of the most directly targeted books about the processes of cyber profiling,
Cyber Adversary Characterization
(Parker et al, 2004), approaches the subject area of profiling malicious online actors by describing different processes involved in developing an effective profile. The authors introduce the idea of the adversarial property model, where the properties of the environment, attacker, and target are used. Each of these three model elements can have an effect on the other. Examples of the adversary environment include the state of law enforcement where the adversary resides, the level of peer pressure encouraging the adversary to commit the attack, and the cultural/political environment within which the adversary lives. Attacker properties that they consider important include the following:

Resources available to the attacker, such as the amount of time available to mount the attack

The level of skill and knowledge the attacker possesses

The temporal window within which the attack is feasible

The level of financial resources available to assist in the attack

The presence of an initial access point that increases the probability of a successful start to the attack

In addition, there are idiosyncratic properties of the target that make it more or less vulnerable to attack.

Using these properties as input to their theoretical model, Parker and his coauthors hypothesize that adversaries evaluate the properties just discussed and formulate a number of attack metrics that taken together suggest the likelihood that a specific attack will take place. These metrics include a payoff/impact metric given a successful attack that resembles a typical return on investment. In the case where the payoff exceeds the resources expended in the attack, the attack is more likely to occur. Other metrics they discuss include perceived probability of success given an attempt, perceived probability of detection given an attempt, perceived probability of attribution of adversary given an attempt, perceived consequences to adversary given detection, and attribution and adversary uncertainty given the attack parameters.

One important detail that often is missed in the
Cyber Adversary Characterization
discussion is that these metrics place a lot of emphasis on the attempt to attack, rather than the attack itself. Why concentrate on an attempt to attack rather than the attack? Because in a significant number of cases, especially in the earlier years of the history of malicious online activity, a premeditated and carefully planned attack on a target was not present. More often, it was merely serendipitous that an attack on a target came to pass for an online attacker. Perhaps it is the discovery of a previously unknown vulnerability by the actor or the emergence of a particular target into the public sphere that instigates the initial thoughts that coalesce into an attack attempt. Although currently there is a much higher proportion of preplanned attacks than there was in the early history of computer crime, this concept of the germinating source of an attempted attack should not be forgotten. More than one serious computer incident has been the result of pure intellectual curiosity, rather than premeditated malicious intent.

A cyber profiler within the FBI, Steve Bongardt, discusses how the agency’s traditional tool, CIA, can be deployed in the area of digital crime under the assumption, often used by profilers, that “behavior reflects personality” (Bongardt, 2010). Bongardt goes on to say:

The goal of the profiler of a computer intrusion is the same as the profiler of a violent crime: determine the motive(s) of the offender, focus an investigation for investigators, assess potential future threat or escalation of the perpetrator(s), provide recommendations for an investigative strategy, and finally, an interview strategy once subjects have been identified and are to be interviewed. If enough information about the offense is available, a behavioral composite of the offender might be constructed. The more behavioral and physical (or digital) evidence available to analyze from a crime scene, the better the analysis or this retroactive “profile.” The same is true of a digital crime scene.