Honeynets and The Honeynet Project



Motivations for Malicious Online Behavior and Consequent Emerging Cross-National Cyberthreats

Max Kilger, Ph.D.

Profiler, The Honeynet Project
Workshop on Cyber Security and Global Affairs
Zurich, Switzerland
July 2010

Agenda

• Flashtopic: Honeynet Project
• Motivations for Hacking
• Social Structure of the Hacking Community
• Geo-political and Economic Influences
• Emerging Threats
• Summary

Honeynet Project


Honeynet Project

• Non-profit (501c3) organization with a Board of Directors
• Over 40 chapters in 28 countries
• Global set of diverse skills and experiences
• Open Source: we share our research, tools and findings at no cost to the public
• We have nothing to sell

The Importance of Knowing Your Enemy

• Technical advances are important but often not enough to characterize the nature of future threats…
• Understanding motivations and social forces is important to help produce future threat scenarios
• This is where social scientists can assist…

The Importance of Knowing Your Enemy

• Two social scientists in the project: a social psychologist and a criminologist
• Past research includes investigating hacking motivations, the social structure of the hacking community, and analyzing the social networks of Russian hacking gangs
• Current projects:
  • Comparative study of Chinese and American hacking predictors
  • Study to develop a predictive model for the probability of civilian cyber warrior behavior

Motivations


Motivations in the Community: MEECES

• A play off the old FBI counter-intelligence term MICE
• MEECES:
  • Money
  • Ego
  • Entertainment
  • Cause
  • Entry to social group
  • Status

Motivations: Money

• No news to anyone: now by far the most common motivator for blackhats
• Individuals motivated by money are still mostly found within groups that share this motivation
• Emergence of “currencies” in use in the blackhat community:
  • Stolen credit cards
  • Stolen bank accounts
  • Root ownership of compromised machines
  • Exploits
  • Virtual assets (QQ coins)
  • “Secret” data

Motivations: Money

• Money has a powerful effect on social structure and social relations
• Money is fundamentally changing many elements within the hacking community
• Money also acts as a force to attract individuals who are outside the community
• Money as a social object gives these outsiders opportunities for power and prestige inside the hacking community that were formerly not available to them

Motivations: Ego

• Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative
• The idea of mastery over the machine: getting it to do what you want, often in spite of numerous security obstacles
• The community at large shares this common and very powerful motivation
• This core motivation is still present and remains a strong social motivation within the community

Motivations: Entertainment

• This motivation arises from the consequences of an exploit
• Getting a device to do something unusual or novel
• Bluejacking Bluetooth devices like phones and getting them to call porn lines
• Originally an uncommon motivation, it has gained momentum over the past years due in part to:
  • Infusion of less technical individuals into the digital space
  • Expanded social environment in the digital space

Motivations: Cause

• A rapidly evolving motivation in the hacking community
• Most common instance of this motivation: hacktivism
  • The use of the Internet to promote a particular political, scientific or social cause
• Original seed: “information should be free”

Motivations: Cause

• Recent examples of hacktivism:
  • Beginning in 2008: Project Chanology, an attack on Scientology by the Anonymous group
  • 2008: Chinese attacks on CNN in response to Western protests during the Olympic Torch relay and accusations of biased media reports in the West
  • 2009: Efforts by groups to facilitate forums for online public protest by Iranians angered by the Iranian election results
  • 2009-2010: Attacks on Australian government websites protesting the proposed filtering of Australian ISP traffic for “unsafe” materials on the Internet

Motivations: Cause

• There has been a significant increase in the instances of cause-motivated hacks over the past few years
• The seriousness and consequences of cause-motivated attacks have grown significantly
• Remember the phrase “civilian cyber warrior”: a special case of Cause we will return to a bit later…

Motivations: Entrance to a Social Group

• Hacking groups tend to be status homogeneous in nature
• This implies there is a certain level of expertise necessary for induction into the group
• Elegant code/exploits are one method for gaining acceptance into the group
• Seeing more of this motivation given shifts in traditional society’s perspective on hacking

Motivations: Status

• A powerful motivation within the hacking community
• Community as meritocracy:
  • Skills and expertise in networks, operating systems, hardware, security, etc. are used as status characteristics
  • Your position in the status hierarchy, locally and globally, depends in great part on these characteristics
• The decline of the hacking meritocracy:
  • Non-trivial decreases in basing status upon skills and expertise, probably due to the rise of money as a motivation

Social Structure of the Hacking Community


Dimensions of the Social Structure of the Hacking Community

[Figure: bar chart of thematic categories coded from Jargon File entries, comparing 1994 and 2003. Recoverable category labels: technology, derogatory, history, status, magic/religion, self reference, pop reference, social control, humor, aesthetic, communication, symbol, measure, social function, metasyntactic, recreation, book reference.]

Note: a Jargon File entry may be coded into multiple thematic categories

Geo-Political and Economic Influences


Geo-Political and Economic Influences

• There’s more at work than just micro-level and meso-level influences… there are macro-level forces at work as well
• The distribution of these motivations is dependent upon the geo-political and economic environment within a country or region

PRC Hacking Community

• Threat just in terms of sheer numbers
  • Difficult to estimate the number of blackhats in the PRC
  • The Darkvisitor website suggests 380,000, but who knows…
• Current political, economic and social conditions:
  • Incredible economic growth: ~8.8% annual growth
  • Exponential adoption and integration of technology into the everyday life of younger Chinese citizens
• The synergy of these economic and social forces is producing a Chinese hacking community that is evolving at incredible speed

PRC Blackhat Community

• There is also a geo-political component to this
• Incredibly strong sense of nationalism among many PRC blackhats
  • Example: CNN attacks
• Synergistic interactions between PRC government entities and Chinese blackhat groups
  • You could spend a whole session just on this topic
  • An interesting recommended book: Wu, X. (2007). Chinese cyber nationalism: Evolution, characteristics and implications. Lanham, Maryland: Lexington Books.

PRC Blackhat Community

• Result: a significant number of hackers motivated by Money
• Large community of virus writers
  • Sell malware used to steal credentials, access to bank accounts and especially virtual assets
• Virtual assets especially targeted
  • QQ accounts, QQ coins, gaming assets
  • A recent paper cited one large virtual asset marketplace (Zhuge et al., 2007):
    • Over 42,000 virtual asset shops
    • Almost 9 million transactions in 6 months

PRC Blackhat Community

• Whale phishing
  • Targeting US and other affluent executives
  • Uses sophisticated social engineering techniques
• The hacking community seems to be paralleling the tremendous growth of the Chinese economy
  • Growing pools of financial assets
  • We will see a potential consequence of this later in the presentation

Final Geo-Political Comment…

• How to evaluate the level and type of threat from these countries?
• One way might be to profile each country using demographic, economic, technology and motivation (MEECES) distributions to develop current and potential future cyberthreat assessments for each country

Emerging Threats


Emerging Threat: Civilian Cyber Warrior


The Special Case of the Civilian Cyber Warrior

Traditional forms of aggression
• Personal costs:
  • Economic
  • Probability of getting caught
  • Legal consequences
• Historical and social significance of the emergence of the civilian cyber warrior
• Key point: the social psychological significance of the event
  • First time in history that an individual could attack a nation state cost-effectively
• The reassessment of the usual assumptions about the inequalities in levels of power between nation states and citizens establishes new relationships between institutions of society, government and individuals

Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior

The Civilian Cyber Warrior study is concentrating on:

Independent variables, including:

• Attitudes towards the legitimacy of authority
• Locus of control: internal versus external
• Propensity for political activism
• Level of nationalism
• Level of interest in world events

Two variations of the dependent variable are explored:

• Propensity to act as a civilian cyberwarrior against foreign nation states
• Propensity to act as a domestic civilian cyberwarrior

Emerging Threat: Developing Economic, Political and Social Power of Hacking Groups


Hacking Groups Aggregating Different Forms of Power

• Acquisition of knowledge and resources:
  • The Internet provides access to wide bodies of knowledge
  • The Internet allows lower visibility of preparations
  • The Internet provides a source of mentors
  • Significant source of funds through legal and illegal means
• Effectiveness:
  • Lowering the probabilities in the risk assessment
  • Increasing the probability of success
  • Increasing the likelihood of engaging multiple actors
  • Orders of magnitude increase in potential damage

Hacking Groups Aggregating Different Forms of Power

• Conditions for emergence:
  • Coalescence of an external group identity
  • Formation of internal infrastructure:
    • Identifiable leadership
    • Ideological mission statements
  • Institutional neglect or failure to pursue/co-opt by:
    • Civil authorities
    • Law enforcement
    • Government
• Emergence of “quasi-states within nation states” with the ability to effectively threaten host and foreign nations

Loose Coupling of Virtual and Violent Criminal Activity


Emergence of Loosely Coupled Criminal Enterprises

• Loose coupling of cyber and violent actors
• Factors facilitating the emergence:
  • Ability to efficiently collect personally identifiable information from the web
  • Establishment of anonymous or pseudo-anonymous electronic means of payment
  • Increasing presence of in-country foreign nationals bonded by ethnic or national ties to other out-of-country individuals pursuing cybercrimes

Emergence of Loosely Coupled Criminal Enterprises

• Example of a loosely coupled criminal enterprise:
  • Cybercrime group collects PII about the target
  • Cybercrime group contacts the target and presents a demand along with a physical threat
  • Victim complies with the demand: the cybercrime group collects the money electronically and moves on

Emergence of Loosely Coupled Criminal Enterprises

• Example of a loosely coupled criminal enterprise:
  • Target fails to comply with the demand
  • Cybercrime group contacts a loosely coupled violent crime group
  • Violent crime group is given the target details and the desired action
  • Violent crime group commits the desired action against the target
  • Violent crime group collects payment via an electronic system from the cybercrime group

Large Scale Collection of Information by Nation States for CI


The Internet, Social Networks and Problems of Identification and Approach in CI

• Identification of potential recruits
  • In the past this used to involve more risk and effort:
    • Industry conference programs
    • Published papers
    • Organization phone directories
    • Public records and publications
    • Insertion of an asset inside the organization

The Internet, Social Networks and Problems of Identification and Approach in CI

• Identification of potential recruits can now be done remotely
  • Organizational affiliations, ethnic names, occupational targets
    • Google searches
    • Social and professional network searches: Friendster, Facebook, LinkedIn, etc.
  • Fee-for-service information services

The Internet, Social Networks and Problems of Identification and Approach in CI

• Approach vectors can also be acquired remotely
  • A social network can be constructed around the target for a friend-of-friend approach
  • PII often available
  • Personal preferences, music, hobbies, likes and dislikes can be collected
  • Places frequented can be noted

The Internet, Social Networks and Problems of Identification and Approach in CI

• Useful CI information collection can be automated
  • Automated and quiet search/scraping of social networking sites for useful information, which is then stored on inexpensive mass storage
• “Banking the future” for potential recruits
  • Some nation states are very patient, willing to collect information on recruits who won’t be useful for years

Summary


Hacking Groups Aggregating Different Forms of Power

• Technical advances are important in the conflict to keep the Internet reasonably safe
• Understanding the motivations of malicious actors is important in providing a better understanding of the current threat matrix
• Synthesizing technical, motivational, social structure and social dynamics dimensions is a key strategy for better understanding and preparing for future emerging cyberthreats

Contact Information

Max Kilger, Ph.D.

[email protected]
