understanding the social behaviors of cyberattackers online and offline
DESCRIPTION
Understanding the Social Behaviors of Cyberattackers Online and Offline. Tom Holt, Ph.D. Assistant Professor Michigan State University Spartan Devils Honeynet Chapter Max Kilger, Ph.D. Profiler The Honeynet Project. Annual Honeynet Project Workshop Public Day Presentation March, 2011. - PowerPoint PPT PresentationTRANSCRIPT
1
Understanding the Social Behaviors of Cyberattackers Online and Offline
Tom Holt, Ph.D.Assistant Professor
Michigan State UniversitySpartan Devils Honeynet Chapter
Max Kilger, Ph.D.Profiler
The Honeynet Project
Annual Honeynet Project WorkshopPublic Day Presentation
March, 2011
2
Agenda• Honeynet Project Multi-Disciplinary Approach
• Flashtalk #1: Russian Hacking Gangs
• Flashtalk #2: Economics of the Cybercrime Market
• Flashtalk #3: Malicious Motivations and Future Emerging Threats
• Coming attractions: Nationalism and the link between cyberterror and physical terror a “sneak peek” at our new study
• Summary
3
Honeynet Project
Multi-Disciplinary Approach
Multidisciplinary Approach• Honeynet Project Members
• Strong technical experts in many areas
• Social Scientists with technical backgrounds• Criminologist – Tom Holt• Social Psychologist – Max Kilger
Multi-Disciplinary Approach• With a multi-Disciplinary approach you can explore
important questions like:
• What motivates malicious acts on the web• It’s not as simple as you might think• How different motivations trigger different malicious behaviors
• The role of social networks• In exploit diffusion• In identifying malicious actors and attribution
• Predicting emerging threat scenarios
6
Flashtalk #1:
Russian Hacking Gangs
Malware and Hackers
• How do we identify the hackers who have the ability to build the new tools and materials, relative to the larger population of semi-skilled users?• Where and how do they sit in larger social
networks?
• Few systematic unclassified examinations of the malware and hacker community have examined social ties and interests
On-line Resources• The malware and hacking community utilize on-line
resources that can be actively mined for information to explore these questions.
• This study will examine the social networks of the malware and hacking community in Russia and Eastern Europe using data generated from social networking blogs• Blogs provide important information on:
• Current and emerging threats• The relationships and behavior of attackers• Locations, attitudes, beliefs
Self-Report Information• Each LJ profile allows users to provide information on their:
• Location • Education • Biographies sometimes provide useful information on psychological
status of the user or whether the journal is friends-only • Interests can include political affiliation, geographical location as well
as nonsense • Friends
• people whom the users read and who can have access to ‘friends-only’ entries
• Also friend of• people who read this journal and do not have access to protected entries
• Mutual friends • both users added each other
• Communities• LJ groups that the individual belongs to
Physical and e-mail address
Team Associations
Interests
Associations
Data SetNumber
of Number of Number ofTotal
NumberBasic Paid Plus of
Accounts Accounts Accounts MembersBH Crew 71 3 27 104CUP 12 0 4 16Damage Lab 10 0 17 27Hell Nights 1 0 1 2Hack Zona 55 0 58 117MazaFaka 13 0 1 14RU Hack 5 0 4 9Zloy 64 0 10 75
BH Crew 3 Missing account information. HackZona 4 missing account information Zloy 1 missing account information.
Country LocationsCountry Frequency PercentBelarus 3 2%China 1 1%Estonia 1 1%Germany 3 2%Jamaica 2 2%Kyrgyzstan 1 1%Laos 2 2%Moldova 1 1%Puerto Rico 1 1%Russian Federation 100 78%USA 1 1%Ukraine 13 10%
Number of Missing Entries = 235 (64.5%)
Extrapolating Data: Risk• Risk scores were created and assigned based
on open searches on the handle or forum name provided, along with additional detail• 0: no risk• 1: computer security blogger• 2: low level hacker• 3: high level hacker
Network Actors
Strength of Group Ties
Popularity – Risk Level
17
Flashtalk #2:
Economics of the Cybercrime Market
This study was funded by the National Institute of JusticeGrant No. 2007-IJ-CX-0018
The Cybercrime Market: Purchasing
• Individuals interested in purchasing products from a seller must contact them privately• ICQ• E-mail• Private messages in forum
• Buyers place orders and pay for services electronically• Web money (WM)• Yandex• Escrow payments
The Process of Sales
“You know me [contact me] in ICQ and obviously explain what I need to do. . . After that, as soon as I complete your order, you transfer money into my WebMoney purse. After that, you receive the product. . . To familiars (at least exchange couple of words in ICQ) I will give the product first. For all the rest, we work based on the scheme: money first, and then chairs after.”
The Cybercrime Market: MaterialsResources Number of % of Buy % of Sell % of
Posts Total Posts Total Post TotalCybercrime 219 30 39 17.8 180 82.2Services
ICQ Numbers 73 10 9 12.3 64 87.7 Malware 246 34 103 41.9 143 58.1Services
Other 92 13 22 23.9 70 76.1 Stolen Personal 92 13 21 22.8 71 77.2InformationTotal 722 100 194 26.9 528 73.1
Pricing Information For Cybercrime Services* (from Chu et al. 2010) Minimum Maximum Average Count Count
Product Price Price Price With Price No Price DDoS** 0.41 25.00 14.26 22 7
Proxy 0.50 200.00 42.53 9 11
Spam Services
Databases 0.50 100.00 45.43 10 23
Services 0.50 700.00 50.91 12 11 Tools 2.00 180.00 59.11 9 6 Webhosting and Services Hosting 0.85 300.00 48.89 14 16
Registration 9.00 150.00 50.17 6 4• *Due to significant missing data, hacking services, domain sales, and VPN service pricing are not included here• ** Due to variation in pricing, DDoS estimates are based on the stated hourly rate or an average hourly rate based on prices
for 24 hour attacks.
The Cybercrime Market: Social Dynamics
• Three normative orders shaped relationships and actions in these cybercrime markets
• Low prices
• Customer service
• Trust
23
Flashtalk #3:
Malicious Motivations and Future Emerging
Threats
24
Motivations in the Community - MEECES
• A play off the old FBI counter-intelligence term MICE
• MEECES • Money• Ego• Entertainment• Cause• Entry to social group• Status
25
Motivations: Money• No news to anyone - now by far the most common
motivator for blackhats
• Individuals motivated by money still often are found mostly within groups that share this motivation
• Emergence of “currencies” in use in the black hat community • Stolen credit cards• Stolen bank accounts• Root ownership of compromised machines• Exploits• Virtual assets (QQ coins)• “Secret” data
26
Motivations: Money• Money has a powerful effect on social structure and
social relations
• Money is fundamentally changing many elements within the hacking community
• Money also acts as a force to attract individuals who are outside the community
• Money as a social object gives these outsiders opportunities for power and prestige inside the hacking community that were formerly not available to them
27
Motivations: Ego
• Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative
• Idea of mastery over the machine – getting it to do what you want, often in spite of numerous security obstacles
• The community at large shares this common and very powerful motivation
• This core motivation still present and remains a strong social motivation within the community
28
Motivations: Entertainment• This motivation arises from the consequences of an
exploit
• Getting a device to do something unusual or novel• Bluejack bluetooth devices like phones and get
them to call porn lines
• Originally an uncommon motivation, it has gained momentum over the past years due in part to:• Infusion of less technical individuals into the digital space• Expanded social environment in the digital space
29
Motivations: Cause• A rapidly evolving motivation in the hacking
community
• Most common instance of this motivation – hacktivism:• the use of the Internet to promote a particular political, scientific or
social cause
• Original seed – “information should be free”
30
Motivations: Cause• Recent examples of hacktivism
• Beginning in 2008 - project chanology, an attack on Scientology by Anonymous group
• 2008 – Chinese attacks on CNN in response to Western protests during Olympic Torch relay + accusations of biased media reports in the West
• 2009 – Efforts by groups to facilitate forums for online public protest by Iranians angered by Iranian election results
• 2009 -2010– Attacks on Australian government websites protesting the proposed filtering of Australian ISP traffic for “unsafe” materials on the Internet
• 2010 – current – Wikileaks disclosure of thousands of classified documents and diplomatic cables
31
Motivations: Cause• There have been a significant increase in the
instances of cause-motivated hacks over the past few years
• The seriousness and consequences of cause-motivated attacks has grown significantly
• Remember the phrase “civilian cyber warrior” – a special case of Cause we will return to a bit later…
32
Motivations: Entrance to a Social Group
• Hacking groups tend to be status homogeneous in nature
• This implies there is a certain level of expertise necessary for induction into the group
• Elegant code/exploits are one method for gaining acceptance into the group
• Seeing more of this motivation given shifts in traditional society’s perspective on hacking
33
Motivations: Status• A powerful motivation within the hacking community
• Community as meritocracy• Skills and expertise in networks, operating systems, hardware,
security, etc. used as status characteristics• Your position in the status hierarchy – locally and globally –
depends in great part on these characteristics
• The decline of the hacking meritocracy• Non-trivial decreases in basing status upon skills and expertise –
probably due to the rise of money as a motivation
Near-Term Emerging Threats• Civilian Cyber Warrior
• Hacking Groups Aggregating Different Forms of Power
• Loose Coupling of Virtual and Violent Criminal Activity
• Large Scale Collection of Information by Nation States for CI
35
Emerging Threat Example:
Civilian Cyber Warrior
36
The Special Case of the Civilian Cyber Warrior
• Traditional forms of aggression• Personal costs
• Economic• Probability of getting caught• Legal consequences
• Historical and social significance of emergence of civilian cyber warrior• Key point – the social psychological significance of the event
• First time in history that an individual could cost-effectively attack a nation state
• The reassessment of the usual assumptions of the inequalities of the levels of power between nation states and citizens – establishes new relationships between institutions of society, government and individuals
37
Different Social Dimensions Under Investigation as Related to Civilian
Cyber Warrior Behavior• Civilian Cyber Warrior study is concentrating on..
• Dependent variables• Willingness to commit acts of cyberterror against another
country• Willingness to commit acts of cyber terror against their own
country• Willingness to commit acts of physical terror against another
country• Willingness to commit acts of physical terror against their own
country
38
Different Social Dimensions Under Investigation as Related to Civilian
Cyber Warrior Behavior• Civilian Cyber Warrior study is concentrating on..
• Independent predictor variables including• Level of skill• Hours per week using computer• Prior minor malicious acts using a computer• Level of nationalism• Level of ethnocentrism• Country of orign• Demographics
39
10) Imagine that the country of Bagaria has recently promoted national policies and taken physical actions that have had negative consequences to the country that you most closely associate as your home country or homeland. These policies and actions have also resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.
Option # Responses Response %Total responses 235 100.00%
Do nothing: let your country work it out on its own 89 37.87%
Write a letter to government of Bagaria protesting their actions 126 53.62%
Participate in a protest at an anti-Bagaria rally 133 56.60%
Travel to Bagaria and protest at their country’s capitol building 56 23.83%
Travel to Bagaria and confront a Bagarian senior government official about their policies
47 20.00%
Travel to Bagaria and sneak into a military base to write slogans on buildings and vehicles
3 1.28%
Travel to Bagaria and physically damage an electrical power substation 6 2.55%
Travel to Bagaria and damage a government building with an explosive device
2 0.85%
Graph this question
Sneak peak at preliminary data – more data is coming …
40
11) Aside from physical activity, what on-line activities do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below. Option # Responses Response %
Total responses 235 100.00%Do nothing : let your country work it out on its own 85 36.17%
Post a comment on a social networking website like Facebook or Twitter that criticizes the Bagarian government
177 75.32%
Deface the personal website of an important Bagarian government official 26 11.06%
Deface an important official Bagarian government website 24 10.21%
Compromise the server of a Bagarian bank and withdraw money to give to the victims of their policies and actions
12 5.11%
Search Bagarian government servers for secret papers that you might be able to use to embarrass the Bagarian government
20 8.51%
Compromise one or more Bagarian military servers and make changes that might temporarily affect their military readiness
15 6.38%
Compromise one of Bagaria’s regional power grids which results in a temporary power blackout in parts of Bagaria
6 2.55%
Compromise a nuclear power plant system that results in a small release of radioactivity in Bagaria
1 0.43%
Sneak peak at preliminary data – more data is coming …
41
Summary
42
Points to Hopefully Take Away…
• Understanding the nature of the relationship between people and technology may help you predict where the next threat vectors are going to emerge
• The elements of the hacking community social structure are still there, but in different form and distribution
• The motivations of the hacking community are still there but their form, shape and consequences have changed, often dramatically
• Constructing scenarios of emerging threats can help you anticipate and plan in a fast evolutionary threat environment