Motivations for Malicious Online Behavior and Consequent Emerging Cross-National Cyberthreats

Max Kilger, Ph.D.
Profiler
The Honeynet Project

Workshop on Cyber Security and Global Affairs
Zurich, Switzerland
July, 2010

Agenda

• Flashtopic: Honeynet Project
• Motivations for Hacking
• Social Structure of the Hacking Community
• Geo-political and Economic Influences
• Emerging Threats
• Summary

Honeynet Project

Honeynet Project

• Non-profit (501c3) organization with Board of Directors.
• Over 40+ chapters in 28 countries
• Global set of diverse skills and experiences
• Open Source, share our research, tools and findings at no cost to the public
• We have nothing to sell

The Importance of Knowing Your Enemy

• Technical advances are important but often not enough to characterize the nature of future threats…

• Understanding motivations and social forces important to help produce future threat scenarios

• This is where social scientists can assist…

The Importance of Knowing Your Enemy

• Two social scientists in the project – a social psychologist and a criminologist

• Past research includes investigating hacking motivations, social structure of hacking community, analyzing social networks of Russian hacking gangs

• Current projects –
  • comparative study of Chinese and American hacking predictors
  • study to develop predictive model for probability civilian cyber warrior

Motivations

Motivations in the Community - MEECES

• A play off the old FBI counter-intelligence term MICE

• MEECES
  • Money
  • Ego
  • Entertainment
  • Cause
  • Entry to social group
  • Status

Motivations: Money

• No news to anyone - now by far the most common motivator for blackhats

• Individuals motivated by money still often are found mostly within groups that share this motivation

• Emergence of “currencies” in use in the black hat community
  • Stolen credit cards
  • Stolen bank accounts
  • Root ownership of compromised machines
  • Exploits
  • Virtual assets (QQ coins)
  • “Secret” data

Motivations: Money

• Money has a powerful effect on social structure and social relations

• Money is fundamentally changing many elements within the hacking community

• Money also acts as a force to attract individuals who are outside the community

• Money as a social object gives these outsiders opportunities for power and prestige inside the hacking community that were formerly not available to them

Motivations: Ego

• Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative

• Idea of mastery over the machine – getting it to do what you want, often in spite of numerous security obstacles

• The community at large shares this common and very powerful motivation

• This core motivation is still present and remains a strong social motivation within the community

Motivations: Entertainment

• This motivation arises from the consequences of an exploit

• Getting a device to do something unusual or novel
  • Bluejack Bluetooth devices like phones and get them to call porn lines

• Originally an uncommon motivation, it has gained momentum over the past years due in part to:
  • Infusion of less technical individuals into the digital space
  • Expanded social environment in the digital space

Motivations: Cause

• A rapidly evolving motivation in the hacking community

• Most common instance of this motivation – hacktivism:
  • the use of the Internet to promote a particular political, scientific or social cause

• Original seed – “information should be free”

Motivations: Cause

• Recent examples of hacktivism

• Beginning in 2008 – Project Chanology, an attack on Scientology by Anonymous group

• 2008 – Chinese attacks on CNN in response to Western protests during Olympic Torch relay + accusations of biased media reports in the West

• 2009 – Efforts by groups to facilitate forums for online public protest by Iranians angered by Iranian election results

• 2009–2010 – Attacks on Australian government websites protesting the proposed filtering of Australian ISP traffic for “unsafe” materials on the Internet

Motivations: Cause

• There has been a significant increase in the instances of cause-motivated hacks over the past few years

• The seriousness and consequences of cause-motivated attacks have grown significantly

• Remember the phrase “civilian cyber warrior” – a special case of Cause we will return to a bit later…

Motivations: Entrance to a Social Group

• Hacking groups tend to be status homogeneous in nature

• This implies there is a certain level of expertise necessary for induction into the group

• Elegant code/exploits are one method for gaining acceptance into the group

• Seeing more of this motivation given shifts in traditional society’s perspective on hacking

Motivations: Status

• A powerful motivation within the hacking community

• Community as meritocracy
  • Skills and expertise in networks, operating systems, hardware, security, etc. used as status characteristics
  • Your position in the status hierarchy – locally and globally – depends in great part on these characteristics

• The decline of the hacking meritocracy
  • Non-trivial decreases in basing status upon skills and expertise – probably due to the rise of money as a motivation

Social Structure of the Hacking Community

Dimensions of the Social Structure of the Hacking Community

[Figure: bar chart comparing Jargon File entries in 1994 and 2003 by thematic category. Y-axis: Percent of Total Entries (0 to 45). Categories: technology, derogatory, history, status, magic/religion, self reference, pop reference, social control, humor, aesthetic, communication, symbol, measure, social function, metasyntactic, recreation, book reference, art, comm derogatory.]

Note: Jargon File entry may be coded into multiple thematic categories

Geo-Political and Economic Influences

Geo-Political and Economic Influences

• There’s more at work than just micro-level and meso-level influences…there are macro-level forces at work as well

• The distribution of these motivations is dependent upon the geo-political and economic environment within a country or region

PRC Hacking Community

• Threat just in terms of sheer numbers
  • Difficult to estimate the number of blackhats in PRC
  • Darkvisitor website suggests 380,000 – but who knows…

• Current political, economic and social conditions
  • Incredible economic growth
    • ~ 8.8% annual growth
  • Exponential adoption and integration of technology into everyday life of younger Chinese citizens
  • The synergy of these economic and social forces is producing a Chinese hacking community that is evolving at incredible speed

PRC Blackhat Community

• There is also a geo-political component to this
  • Incredibly strong sense of nationalism among many PRC blackhats
    • Example: CNN attacks

• Synergistic interactions between PRC government entities and Chinese blackhat groups
  • You could spend a whole session just on this topic
  • An interesting recommended book:
    • Wu, X. (2007). Chinese cyber nationalism: Evolution, characteristics and implications. Lanham, Maryland: Lexington Books.

PRC Blackhat Community

• Result: Significant number of hackers motivated by Money
  • Large community of virus writers
    • Sell malware used to steal credentials, access to bank accounts and especially virtual assets
  • Virtual assets especially targeted
    • QQ accounts, QQ coins, gaming assets
    • Recent paper cited one large virtual asset marketplace (Zhuge et al, 2007)
      • Over 42,000 virtual asset shops
      • Almost 9 million transactions in 6 months

PRC Blackhat Community

• Whale phishing
  • Targeting US and other affluent executives
  • Use sophisticated social engineering techniques

• Hacking community seems to be paralleling the tremendous growth of the Chinese economy
  • Growing pools of financial assets
    • We will see a potential consequence of this later in the presentation

Final Geo-Political Comment…

• How to evaluate the level and type of threat from these countries?

• One way might be to profile each country using demographic, economic, technology and motivation (MEECES) distributions to develop current and potential future cyberthreat assessments for each country

Emerging Threats

Emerging Threat: Civilian Cyber Warrior

The Special Case of the Civilian Cyber Warrior

• Traditional forms of aggression
  • Personal costs
    • Economic
    • Probability of getting caught
    • Legal consequences

• Historical and social significance of emergence of civilian cyber warrior
  • Key point – the social psychological significance of the event
    • First time in history that an individual could cost-effectively attack a nation state
    • The reassessment of the usual assumptions of the inequalities of the levels of power between nation states and citizens – establishes new relationships between institutions of society, government and individuals

Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior

• Civilian Cyber Warrior study is concentrating on…

• Independent variables including
  • Attitudes towards legitimacy of authority
  • Locus of control – internal versus external
  • Propensity for political activism
  • Level of nationalism
  • Level of interest in world events

• Explore two variations of dependent variables
  • Propensity for civilian cyberwarrior against foreign nation states
  • Propensity for domestic civilian cyberwarrior

Emerging Threat: Developing Economic, Political and Social Power of Hacking Groups

Hacking Groups Aggregating Different Forms of Power

• Acquisition of knowledge and resources
  • Internet provides access to wide bodies of knowledge
  • Internet allows lower visibility of preparations
  • Internet provides a source of mentors
  • Significant source of funds through legal and illegal means

• Effectiveness
  • Lowering the probabilities in the risk assessment
  • Increasing the probability of success
  • Increasing the likelihood of engaging multiple actors
  • Orders of magnitude increase in potential damage

Hacking Groups Aggregating Different Forms of Power

• Conditions for emergence
  • Coalescence of external group identity
  • Formation of internal infrastructure
    • Identifiable leadership
    • Ideological mission statements
  • Institutional neglect or failure to pursue/co-opt
    • Civil authorities
    • Law enforcement
    • Government

• Emergence of “quasi-states within nation states” with the ability to effectively threaten host and foreign nations

Loose Coupling of Virtual and Violent Criminal Activity

Emergence of Loosely Coupled Criminal Enterprises

• Loose coupling of cyber and violent actors

• Factors facilitating the emergence
  • Ability to efficiently collect personally identifiable information from the web
  • Establishment of anonymous or pseudo-anonymous electronic means of payment
  • Increasing presence of in-country foreign nationals bonded by ethnic or national ties to other out-of-country individuals pursuing cybercrimes

Emergence of Loosely Coupled Criminal Enterprises

• Example of Loosely Coupled Criminal Enterprise

• Cybercrime group collects PII about target

• Cybercrime group contacts target and presents demand along with physical threat

• Victim complies with demand – cybercrime group collects money electronically and moves on

Emergence of Loosely Coupled Criminal Enterprises

• Example of Loosely Coupled Criminal Enterprise

• Target fails to comply with demand
• Cybercrime contacts loosely coupled violent crime group
• Violent crime group is given target details and desired action
• Violent crime group commits action desired against target
• Violent crime group collects payment via electronic system from cybercrime group

Large Scale Collection of Information by Nation States for CI

The Internet, Social Networks and Problems of Identification and Approach in CI

• Identification of potential recruits
  • In the past used to involve more risk and effort
    • Industry conference programs
    • Published papers
    • Organization phone directories
    • Public records and publications
    • Insertion of asset inside organization

The Internet, Social Networks and Problems of Identification and Approach in CI

• Identification of potential recruits can now be done remotely
  • Organizational affiliations, ethnic names, occupational targets
    • Google searches
    • Social and professional network searches
      • Friendster, Facebook, LinkedIn, etc.
    • Fee for service information services

The Internet, Social Networks and Problems of Identification and Approach in CI

• Approach vectors can also be acquired remotely
  • Social network can be constructed around target for friend of friend approach
  • PII information often available
  • Personal preferences, music, hobbies, likes and dislikes can be collected
  • Places frequented can be noted

The Internet, Social Networks and Problems of Identification and Approach in CI

• Useful CI information collection can be automated
  • Automated and quiet search/scraping of social networking sites for useful information then stored to inexpensive mass storage

• “Banking the future” for potential recruits
  • Some nation states are very patient – willing to collect information on recruits who won’t be useful for years

Summary

Hacking Groups Aggregating Different Forms of Power

• Technical advances are important in the conflict to keep the Internet reasonably safe

• Understanding the motivations of malicious actors important in providing a better understanding of the current threat matrix

• Synthesizing technical, motivational, social structure and social dynamics dimensions is a key strategy to better understanding and preparing for future emerging cyberthreats

Contact Information

Max Kilger, [email protected]