Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Understanding the Social Behaviors of Cyberattackers Online and Offline Tom Holt, Ph.D. Assistant Professor Michigan State University Spartan Devils.

Similar presentations


Presentation on theme: "1 Understanding the Social Behaviors of Cyberattackers Online and Offline Tom Holt, Ph.D. Assistant Professor Michigan State University Spartan Devils."— Presentation transcript:

1 1 Understanding the Social Behaviors of Cyberattackers Online and Offline Tom Holt, Ph.D. Assistant Professor Michigan State University Spartan Devils Honeynet Chapter Max Kilger, Ph.D. Profiler The Honeynet Project Annual Honeynet Project Workshop Public Day Presentation March, 2011

2 2 Agenda Honeynet Project Multi-Disciplinary Approach Flashtalk #1: Russian Hacking Gangs Flashtalk #2: Economics of the Cybercrime Market Flashtalk #3: Malicious Motivations and Future Emerging Threats Coming attractions: Nationalism and the link between cyberterror and physical terror a “sneak peek” at our new study Summary

3 3 Honeynet Project Multi-Disciplinary Approach

4 Multidisciplinary Approach Honeynet Project Members Strong technical experts in many areas Social Scientists with technical backgrounds Criminologist – Tom Holt Social Psychologist – Max Kilger

5 Multi-Disciplinary Approach With a multi-Disciplinary approach you can explore important questions like: What motivates malicious acts on the web It’s not as simple as you might think How different motivations trigger different malicious behaviors The role of social networks In exploit diffusion In identifying malicious actors and attribution Predicting emerging threat scenarios

6 6 Flashtalk #1: Russian Hacking Gangs

7 Malware and Hackers How do we identify the hackers who have the ability to build the new tools and materials, relative to the larger population of semi-skilled users? Where and how do they sit in larger social networks? Few systematic unclassified examinations of the malware and hacker community have examined social ties and interests

8 On-line Resources The malware and hacking community utilize on-line resources that can be actively mined for information to explore these questions. This study will examine the social networks of the malware and hacking community in Russia and Eastern Europe using data generated from social networking blogs Blogs provide important information on: Current and emerging threats The relationships and behavior of attackers Locations, attitudes, beliefs

9 Self-Report Information Each LJ profile allows users to provide information on their: Location Education Biographies sometimes provide useful information on psychological status of the user or whether the journal is friends-only Interests can include political affiliation, geographical location as well as nonsense Friends people whom the users read and who can have access to ‘friends-only’ entries Also friend of people who read this journal and do not have access to protected entries Mutual friends both users added each other Communities LJ groups that the individual belongs to

10 Physical and e-mail address Team Associations Interests Associations

11 Data Set Number of Total Number BasicPaidPlus of Accounts Members BH Crew71327 104 CUP1204 16 Damage Lab10017 27 Hell Nights101 2 Hack Zona55058 117 MazaFaka1301 14 RU Hack504 9 Zloy64010 75 BH Crew 3 Missing account information. HackZona 4 missing account information Zloy 1 missing account information.

12 Country Locations CountryFrequencyPercent Belarus 3 2% China 1 1% Estonia 1 1% Germany 3 2% Jamaica 2 2% Kyrgyzstan 1 1% Laos 2 2% Moldova 1 1% Puerto Rico 1 1% Russian Federation10078% USA 1 1% Ukraine 1310% Number of Missing Entries = 235 (64.5%)

13 Extrapolating Data: Risk Risk scores were created and assigned based on open searches on the handle or forum name provided, along with additional detail 0: no risk 1: computer security blogger 2: low level hacker 3: high level hacker

14 Network Actors

15 Strength of Group Ties

16 Popularity – Risk Level

17 17 Flashtalk #2: Economics of the Cybercrime Market This study was funded by the National Institute of Justice Grant No. 2007-IJ-CX-0018

18 The Cybercrime Market: Purchasing Individuals interested in purchasing products from a seller must contact them privately ICQ E-mail Private messages in forum Buyers place orders and pay for services electronically Web money (WM) Yandex Escrow payments

19 The Process of Sales “You know me [contact me] in ICQ and obviously explain what I need to do... After that, as soon as I complete your order, you transfer money into my WebMoney purse. After that, you receive the product... To familiars (at least exchange couple of words in ICQ) I will give the product first. For all the rest, we work based on the scheme: money first, and then chairs after.”

20 The Cybercrime Market: Materials ResourcesNumber of % of Buy % of Sell % of Posts Total Posts Total Post Total Cybercrime 219 30 39 17.8 180 82.2 Services ICQ Numbers 73 10 9 12.3 64 87.7 Malware 246 34 103 41.9 143 58.1 Services Other 92 13 22 23.9 70 76.1 Stolen Personal 92 13 21 22.8 71 77.2 Information Total722 100 194 26.9 528 73.1

21 Pricing Information For Cybercrime Services* (from Chu et al. 2010) Minimum Maximum Average Count Count Product Price Price Price With Price No Price DDoS** 0.4125.00 14.26 22 7 Proxy 0.50 200.00 42.53 9 11 Spam Services Databases 0.50 100.00 45.43 10 23 Services 0.50 700.00 50.91 12 11 Tools 2.00 180.00 59.11 9 6 Webhosting and Services Hosting 0.85 300.00 48.89 14 16 Registration 9.00 150.00 50.17 6 4 *Due to significant missing data, hacking services, domain sales, and VPN service pricing are not included here ** Due to variation in pricing, DDoS estimates are based on the stated hourly rate or an average hourly rate based on prices for 24 hour attacks.

22 The Cybercrime Market: Social Dynamics Three normative orders shaped relationships and actions in these cybercrime markets Low prices Customer service Trust

23 23 Flashtalk #3: Malicious Motivations and Future Emerging Threats

24 24 Motivations in the Community - MEECES A play off the old FBI counter-intelligence term MICE MEECES Money Ego Entertainment Cause Entry to social group Status

25 25 Motivations: Money No news to anyone - now by far the most common motivator for blackhats Individuals motivated by money still often are found mostly within groups that share this motivation Emergence of “currencies” in use in the black hat community Stolen credit cards Stolen bank accounts Root ownership of compromised machines Exploits Virtual assets (QQ coins) “Secret” data

26 26 Motivations: Money Money has a powerful effect on social structure and social relations Money is fundamentally changing many elements within the hacking community Money also acts as a force to attract individuals who are outside the community Money as a social object gives these outsiders opportunities for power and prestige inside the hacking community that were formerly not available to them

27 27 Motivations: Ego Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative Idea of mastery over the machine – getting it to do what you want, often in spite of numerous security obstacles The community at large shares this common and very powerful motivation This core motivation still present and remains a strong social motivation within the community

28 28 Motivations: Entertainment This motivation arises from the consequences of an exploit Getting a device to do something unusual or novel Bluejack bluetooth devices like phones and get them to call porn lines Originally an uncommon motivation, it has gained momentum over the past years due in part to: Infusion of less technical individuals into the digital space Expanded social environment in the digital space

29 29 Motivations: Cause A rapidly evolving motivation in the hacking community Most common instance of this motivation – hacktivism: the use of the Internet to promote a particular political, scientific or social cause Original seed – “information should be free”

30 30 Motivations: Cause Recent examples of hacktivism Beginning in 2008 - project chanology, an attack on Scientology by Anonymous group 2008 – Chinese attacks on CNN in response to Western protests during Olympic Torch relay + accusations of biased media reports in the West 2009 – Efforts by groups to facilitate forums for online public protest by Iranians angered by Iranian election results 2009 -2010– Attacks on Australian government websites protesting the proposed filtering of Australian ISP traffic for “unsafe” materials on the Internet 2010 – current – Wikileaks disclosure of thousands of classified documents and diplomatic cables

31 31 Motivations: Cause There have been a significant increase in the instances of cause-motivated hacks over the past few years The seriousness and consequences of cause- motivated attacks has grown significantly Remember the phrase “civilian cyber warrior” – a special case of Cause we will return to a bit later…

32 32 Motivations: Entrance to a Social Group Hacking groups tend to be status homogeneous in nature This implies there is a certain level of expertise necessary for induction into the group Elegant code/exploits are one method for gaining acceptance into the group Seeing more of this motivation given shifts in traditional society’s perspective on hacking

33 33 Motivations: Status A powerful motivation within the hacking community Community as meritocracy Skills and expertise in networks, operating systems, hardware, security, etc. used as status characteristics Your position in the status hierarchy – locally and globally – depends in great part on these characteristics The decline of the hacking meritocracy Non-trivial decreases in basing status upon skills and expertise – probably due to the rise of money as a motivation

34 Near-Term Emerging Threats Civilian Cyber Warrior Hacking Groups Aggregating Different Forms of Power Loose Coupling of Virtual and Violent Criminal Activity Large Scale Collection of Information by Nation States for CI

35 35 Emerging Threat Example: Civilian Cyber Warrior

36 36 The Special Case of the Civilian Cyber Warrior Traditional forms of aggression Personal costs Economic Probability of getting caught Legal consequences Historical and social significance of emergence of civilian cyber warrior Key point – the social psychological significance of the event First time in history that an individual could cost-effectively attack a nation state The reassessment of the usual assumptions of the inequalities of the levels of power between nation states and citizens – establishes new relationships between institutions of society, government and individuals

37 37 Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior Civilian Cyber Warrior study is concentrating on.. Dependent variables Willingness to commit acts of cyberterror against another country Willingness to commit acts of cyber terror against their own country Willingness to commit acts of physical terror against another country Willingness to commit acts of physical terror against their own country

38 38 Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior Civilian Cyber Warrior study is concentrating on.. Independent predictor variables including Level of skill Hours per week using computer Prior minor malicious acts using a computer Level of nationalism Level of ethnocentrism Country of orign Demographics

39 39 10) Imagine that the country of Bagaria has recently promoted national policies and taken physical actions that have had negative consequences to the country that you most closely associate as your home country or homeland. These policies and actions have also resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below. Option# ResponsesResponse % Total responses 235100.00% Do nothing: let your country work it out on its own 8937.87% Write a letter to government of Bagaria protesting their actions 12653.62% Participate in a protest at an anti-Bagaria rally 13356.60% Travel to Bagaria and protest at their country’s capitol building 5623.83% Travel to Bagaria and confront a Bagarian senior government official about their policies 4720.00% Travel to Bagaria and sneak into a military base to write slogans on buildings and vehicles 31.28% Travel to Bagaria and physically damage an electrical power substation 62.55% Travel to Bagaria and damage a government building with an explosive device 20.85% Graph this questionraph this question Sneak peak at preliminary data – more data is coming …

40 40 11) Aside from physical activity, what on-line activities do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below. Option# ResponsesResponse % Total responses 235100.00% Do nothing : let your country work it out on its own 8536.17% Post a comment on a social networking website like Facebook or Twitter that criticizes the Bagarian government 17775.32% Deface the personal website of an important Bagarian government official 2611.06% Deface an important official Bagarian government website 2410.21% Compromise the server of a Bagarian bank and withdraw money to give to the victims of their policies and actions 125.11% Search Bagarian government servers for secret papers that you might be able to use to embarrass the Bagarian government 208.51% Compromise one or more Bagarian military servers and make changes that might temporarily affect their military readiness 156.38% Compromise one of Bagaria’s regional power grids which results in a temporary power blackout in parts of Bagaria 62.55% Compromise a nuclear power plant system that results in a small release of radioactivity in Bagaria 10.43% Sneak peak at preliminary data – more data is coming …

41 41 Summary

42 42 Points to Hopefully Take Away… Understanding the nature of the relationship between people and technology may help you predict where the next threat vectors are going to emerge The elements of the hacking community social structure are still there, but in different form and distribution The motivations of the hacking community are still there but their form, shape and consequences have changed, often dramatically Constructing scenarios of emerging threats can help you anticipate and plan in a fast evolutionary threat environment

43 43 Contact Information Tom Holt, Ph.D. holtt@msu.edu Max Kilger, Ph.D. Maxk@smrb.com


Download ppt "1 Understanding the Social Behaviors of Cyberattackers Online and Offline Tom Holt, Ph.D. Assistant Professor Michigan State University Spartan Devils."

Similar presentations


Ads by Google