Kilger_holt Public Day

8/7/2019 Kilger_holt Public Day

    1/43

    Understanding the Social Behaviors of Cyberattackers Online and Offline

    Tom Holt, Ph.D., Assistant Professor
    Michigan State University, Spartan Devils Honeynet Chapter

    Max Kilger, Ph.D., Profiler
    The Honeynet Project

    Annual Honeynet Project Workshop, Public Day Presentation
    March, 2011

    2/43

    Agenda

    Honeynet Project Multi-Disciplinary Approach

    Flashtalk #1: Russian Hacking Gangs

    Flashtalk #2: Economics of the Cybercrime Market

    Flashtalk #3: Malicious Motivations and Future Emerging Threats

    Coming attractions: Nationalism and the link between cyberterror and physical terror, a sneak peek at our new study

    Summary

    3/43

    Honeynet Project Multi-Disciplinary Approach

    4/43

    Multidisciplinary Approach

    Honeynet Project Members: strong technical experts in many areas

    Social Scientists with technical backgrounds: Criminologist Tom Holt; Social Psychologist Max Kilger

    5/43

    Multi-Disciplinary Approach

    With a multi-disciplinary approach you can explore important questions like:

    What motivates malicious acts on the web? It's not as simple as you might think

    How different motivations trigger different malicious behaviors

    The role of social networks: in exploit diffusion; in identifying malicious actors and attribution

    Predicting emerging threat scenarios

    6/43

    Flashtalk #1: Russian Hacking Gangs

    7/43

    Malware and Hackers

    How do we identify the hackers who have the ability to build the new tools and materials, relative to the larger population of semi-skilled users?

    Where and how do they sit in larger social networks?

    Few systematic unclassified examinations of the malware and hacker community have examined social ties and interests

    8/43

    On-line Resources

    The malware and hacking community utilize on-line resources that can be actively mined for information to explore these questions.

    This study will examine the social networks of the malware and hacking community in Russia and Eastern Europe using data generated from social networking blogs

    Blogs provide important information on: current and emerging threats; the relationships and behavior of attackers; locations, attitudes, beliefs

    9/43

    Self-Report Information

    Each LJ profile allows users to provide information on their:

    Location

    Education

    Biographies: sometimes provide useful information on the psychological status of the user or whether the journal is friends-only

    Interests: can include political affiliation, geographical location as well as nonsense

    Friends: people whom the user reads and who can have access to friends-only entries

    Also friend of: people who read this journal and do not have access to protected entries

    Mutual friends: both users added each other

    Communities: LJ groups that the individual belongs to

    10/43

    [Annotated LJ profile screenshot; callouts: physical and e-mail address, team associations, interests, associations]

    11/43

    Data Set

    Group        Basic accounts  Paid accounts  Plus accounts  Total members
    BH Crew      71              3              27             104
    CUP          12              0              4              16
    Damage Lab   10              0              17             27
    Hell Nights  1               0              1              2
    Hack Zona    55              0              58             117
    MazaFaka     13              0              1              14
    RU Hack      5               0              4              9
    Zloy         64              0              10             75

    BH Crew: 3 members missing account information. Hack Zona: 4 missing account information. Zloy: 1 missing account information.

    12/43

    Country Locations

    Country             Frequency  Percent
    Belarus             3          2%
    China               1          1%
    Estonia             1          1%
    Germany             3          2%
    Jamaica             2          2%
    Kyrgyzstan          1          1%
    Laos                2          2%
    Moldova             1          1%
    Puerto Rico         1          1%
    Russian Federation  100        78%
    USA                 1          1%
    Ukraine             13         10%

    Number of Missing Entries = 235 (64.5%)

    13/43

    Extrapolating Data: Risk

    Risk scores were created and assigned based on open searches on the handle or forum name provided, along with additional detail

    0: no risk
    1: computer security blogger
    2: low level hacker
    3: high level hacker

    14/43

    Network Actors

    15/43

    Strength of Group Ties

    16/43

    Popularity Risk Level
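    The three network slides above (Network Actors, Strength of Group Ties, Popularity by Risk Level) survive in the deck only as figures. The following Python is an added example, not the authors' code or data: it computes the corresponding measures from a small constructed set of LJ-style profiles. Handles, group labels and risk scores in PROFILES are made up; only the 0-3 risk scale and the LJ notions of "friends", "also friend of" and "mutual friends" come from the deck. It derives mutual ties from the directed reads lists, the within-group versus cross-group density of those ties for each crew, and the mean number of readers per risk level.

```python
"""Added example (not the authors' code): tie and popularity measures
over a small constructed LiveJournal-style friend network."""
from collections import defaultdict

# Constructed sample data. Handles, groups and risk scores are made up;
# the risk scale (0 no risk .. 3 high level hacker) follows the deck.
# handle -> (group, risk score, set of handles this user reads)
PROFILES = {
    "zloy_a":   ("Zloy",      3, {"zloy_b", "zloy_c", "hz_x"}),
    "zloy_b":   ("Zloy",      2, {"zloy_a", "zloy_c"}),
    "zloy_c":   ("Zloy",      1, {"zloy_a", "zloy_b", "blogger1"}),
    "hz_x":     ("Hack Zona", 3, {"zloy_a", "hz_y"}),
    "hz_y":     ("Hack Zona", 2, {"hz_x", "hz_z"}),
    "hz_z":     ("Hack Zona", 0, {"hz_y"}),
    "blogger1": ("none",      1, {"zloy_c", "zloy_a"}),
}


def friend_of(profiles, handle):
    """LJ 'also friend of': users who read `handle`, whether or not
    `handle` reads them back (they get no access to protected entries)."""
    return {u for u, (_, _, reads) in profiles.items() if handle in reads}


def mutual_friends(profiles):
    """LJ 'mutual friends': both users added each other.
    Returns a set of unordered pairs (frozensets)."""
    pairs = set()
    for u, (_, _, reads) in profiles.items():
        for v in reads:
            if v in profiles and u in profiles[v][2]:
                pairs.add(frozenset((u, v)))
    return pairs


def group_tie_strength(profiles):
    """Per group: density of mutual ties among its members
    (realised / possible pairs) and the number of mutual ties that
    cross the group boundary. Dense internal ties with few external
    ones indicate a closed crew; many external ties indicate a bridge."""
    members = defaultdict(list)
    for h, (g, _, _) in profiles.items():
        members[g].append(h)
    mutual = mutual_friends(profiles)
    result = {}
    for g, hs in members.items():
        possible = len(hs) * (len(hs) - 1) // 2
        internal = external = 0
        for pair in mutual:
            groups = {profiles[x][0] for x in pair}
            if groups == {g}:
                internal += 1
            elif g in groups:
                external += 1
        result[g] = {
            "members": len(hs),
            "internal_density": internal / possible if possible else 0.0,
            "external_ties": external,
        }
    return result


def popularity_by_risk(profiles):
    """Mean number of readers (in-degree) per risk level, i.e. whether
    the higher-risk actors are the ones other users choose to follow."""
    by_risk = defaultdict(list)
    for h, (_, risk, _) in profiles.items():
        by_risk[risk].append(len(friend_of(profiles, h)))
    return {r: sum(v) / len(v) for r, v in sorted(by_risk.items())}


if __name__ == "__main__":
    for g, stats in group_tie_strength(PROFILES).items():
        print(f"{g:10s} {stats}")
    print("mean readers by risk level:", popularity_by_risk(PROFILES))
```

    On the constructed data the Zloy crew is fully connected internally but still has two ties leaving the group, while the single bridge actor (zloy_a, risk 3) is also the most-read handle; on real LJ data the same two functions, fed the scraped friends lists, give the group-tie and popularity-by-risk plots the slides show.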

    17/43

    Flashtalk #2: Economics of the Cybercrime Market

    This study was funded by the National Institute of Justice, Grant No. 2007-IJ-CX-0018

    18/43

    The Cybercrime Market: Purchasing

    Individuals interested in purchasing products from a seller must contact them privately: ICQ, e-mail, private messages in the forum

    Buyers place orders and pay for services electronically: WebMoney (WM), Yandex, escrow payments

    19/43

    20/43

    The Cybercrime Market: Materials

    Resource                     Posts  % of all posts  Buy posts  % of resource  Sell posts  % of resource
    Cybercrime Services          219    30              39         17.8           180         82.2
    ICQ Numbers                  73     10              9          12.3           64          87.7
    Malware Services             246    34              103        41.9           143         58.1
    Other                        92     13              22         23.9           70          76.1
    Stolen Personal Information  92     13              21         22.8           71          77.2
    Total                        722    100             194        26.9           528         73.1

    21/43

    Pricing Information for Cybercrime Services* (from Chu et al. 2010)

    Product                  Minimum price  Maximum price  Average price  Count with price  Count no price
    DDoS**                   0.41           25.00          14.26          22                7
    Proxy                    0.50           200.00         42.53          9                 11
    Spam Services
      Databases              0.50           100.00         45.43          10                23
      Services               0.50           700.00         50.91          12                11
      Tools                  2.00           180.00         59.11          9                 6
    Webhosting and Services
      Hosting                0.85           300.00         48.89          14                16
      Registration           9.00           150.00         50.17          6                 4

    * Due to significant missing data, hacking services, domain sales, and VPN service pricing are not included here
    ** Due to variation in pricing, DDoS estimates are based on the stated hourly rate or an average hourly rate based on prices for 24 hour attacks.

    22/43

    The Cybercrime Market: Social Dynamics

    Three normative orders shaped relationships and actions in these cybercrime markets:

    Low prices

    Customer service

    Trust

    23/43

    Flashtalk #3: Malicious Motivations and Future Emerging Threats

    24/43

    Motivations in the Community - MEECES

    A play off the old FBI counter-intelligence term MICE

    MEECES:

    Money

    Ego

    Entertainment

    Cause

    Entry to social group

    Status

    25/43

    Motivations: Money

    No news to anyone - now by far the most common motivator for blackhats

    Individuals motivated by money are still often found mostly within groups that share this motivation

    Emergence of currencies in use in the black hat community: stolen credit cards, stolen bank accounts, root ownership of compromised machines, exploits, virtual assets (QQ coins), secret data

    26/43

    Motivations: Money

    Money has a powerful effect on social structure and social relations

    Money is fundamentally changing many elements within the hacking community

    Money also acts as a force to attract individuals who are outside the community

    Money as a social object gives these outsiders opportunities for power and prestige inside the hacking community that were formerly not available to them

    27/43

    Motivations: Ego

    Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative

    Idea of mastery over the machine: getting it to do what you want, often in spite of numerous security obstacles

    The community at large shares this common and very powerful motivation

    This core motivation is still present and remains a strong social motivation within the community

    28/43

    Motivations: Entertainment

    This motivation arises from the consequences of an exploit

    Getting a device to do something unusual or novel, e.g. bluejacking Bluetooth devices like phones and getting them to call porn lines

    Originally an uncommon motivation, it has gained momentum over the past years due in part to: the infusion of less technical individuals into the digital space; the expanded social environment in the digital space

    29/43

    Motivations: Cause

    A rapidly evolving motivation in the hacking community

    Most common instance of this motivation is hacktivism: the use of the Internet to promote a particular political, scientific or social cause

    Original seed: "information should be free"

    30/43

    Motivations: Cause

    Recent examples of hacktivism

    Beginning in 2008 - Project Chanology, an attack on Scientology by the Anonymous group

    2008 - Chinese attacks on CNN in response to Western protests during the Olympic Torch relay and accusations of biased media reports in the West

    2009 - Efforts by groups to facilitate forums for online public protest by Iranians angered by Iranian election results

    2009-2010 - Attacks on Australian government websites protesting the proposed filtering of Australian ISP traffic for unsafe materials on the Internet

    2010 to present - WikiLeaks disclosure of thousands of classified documents and diplomatic cables

    31/43

    Motivations: Cause

    There has been a significant increase in the instances of cause-motivated hacks over the past few years

    The seriousness and consequences of cause-motivated attacks have grown significantly

    Remember the phrase "civilian cyber warrior", a special case of Cause we will return to a bit later

    32/43

    Motivations: Entrance to a Social Group

    Hacking groups tend to be status homogeneous in nature

    This implies there is a certain level of expertise necessary for induction into the group

    Elegant code/exploits are one method for gaining acceptance into the group

    Seeing more of this motivation given shifts in traditional society's perspective on hacking

    33/43

    Motivations: Status

    A powerful motivation within the hacking community

    Community as meritocracy: skills and expertise in networks, operating systems, hardware, security, etc. are used as status characteristics; your position in the status hierarchy, locally and globally, depends in great part on these characteristics

    The decline of the hacking meritocracy: non-trivial decreases in basing status upon skills and expertise, probably due to the rise of money as a motivation

    34/43

    Near-Term Emerging Threats

    Civilian Cyber Warrior

    Hacking Groups Aggregating Different Forms of Power

    Loose Coupling of Virtual and Violent Criminal Activity

    Large Scale Collection of Information by Nation States for CI

    35/43

    Emerging Threat Example: Civilian Cyber Warrior

    36/43

    37/43

    Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior

    The Civilian Cyber Warrior study is concentrating on:

    Dependent variables

    Willingness to commit acts of cyberterror against another country

    Willingness to commit acts of cyberterror against their own country

    Willingness to commit acts of physical terror against another country

    Willingness to commit acts of physical terror against their own country

    38/43

    Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior

    The Civilian Cyber Warrior study is concentrating on:

    Independent predictor variables including

    Level of skill

    Hours per week using a computer

    Prior minor malicious acts using a computer

    Level of nationalism

    Level of ethnocentrism

    Country of origin

    Demographics

    39/43

    10) Imagine that the country of Bagaria has recently promoted national policies and taken physical actions that have had negative consequences to the country that you most closely associate as your home country or homeland. These policies and actions have also resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

    # Responses  Response %  Option
    235          100.00%     Total responses
    89           37.87%      Do nothing: let your country work it out on its own
    126          53.62%      Write a letter to the government of Bagaria protesting their actions
    133          56.60%      Participate in a protest at an anti-Bagaria rally
    56           23.83%      Travel to Bagaria and protest at their country's capitol building
    47           20.00%      Travel to Bagaria and confront a Bagarian senior government official about their policies
    3            1.28%       Travel to Bagaria and sneak into a military base to write slogans on buildings and vehicles
    6            2.55%       Travel to Bagaria and physically damage an electrical power substation
    2            0.85%       Travel to Bagaria and damage a government building with an explosive device

    Sneak peek at preliminary data; more data is coming

    40/43

    11) Aside from physical activity, what on-line activities do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

    # Responses  Response %  Option
    235          100.00%     Total responses
    85           36.17%      Do nothing: let your country work it out on its own
    177          75.32%      Post a comment on a social networking website like Facebook or Twitter that criticizes the Bagarian government
    26           11.06%      Deface the personal website of an important Bagarian government official
    24           10.21%      Deface an important official Bagarian government website
    12           5.11%       Compromise the server of a Bagarian bank and withdraw money to give to the victims of their policies and actions
    20           8.51%       Search Bagarian government servers for secret papers that you might be able to use to embarrass the Bagarian government
    15           6.38%       Compromise one or more Bagarian military servers and make changes that might temporarily affect their military readiness
    6            2.55%       Compromise one of Bagaria's regional power grids, which results in a temporary power blackout in parts of Bagaria
    1            0.43%       Compromise a nuclear power plant system that results in a small release of radioactivity in Bagaria

    Sneak peek at preliminary data; more data is coming

    41/43

    Summary

    42/43

    Points to Hopefully Take Away

    Understanding the nature of the relationship between people and technology may help you predict where the next threat vectors are going to emerge

    The elements of the hacking community social structure are still there, but in different form and distribution

    The motivations of the hacking community are still there, but their form, shape and consequences have changed, often dramatically

    Constructing scenarios of emerging threats can help you anticipate and plan in a fast evolving threat environment

    43/43

    Contact Information

    Tom Holt, Ph.D.

    [email protected]

    Max Kilger, Ph.D.

    [email protected]