Auditing the mind of a hacker

FBI and security experts probe psyche

Security consultants are teaming up with clinical psychologists - including behavioural scientists from the FBI - to gain a better understanding of what drives and motivates hackers.

This should enable organisations to be more proactive in responding to security threats, according to Tom Parker, a member of a working group on "adversary characterisation". Better info feeds through to the refining of existing threat models, he says.

"We're working on developing a more accurate way of modelling attacks to be able to assess whether hackers will come back, how old they are and how skilled they might be," Parker, of managed security firm NetSec, said.

"You can gauge a hacker's level of skill to assess whether someone is capable of using something they've written themselves, perhaps zero day exploits, or whether they will use only standard attack tools. We score their technical skills."

Manhunter

Skilled computer forensic investigators apply similar techniques already, but the collaboration between security specialists and behavioural scientists adds a psychological dimension to assessing IT security risks.

For instance, extortion threats against online bookmakers have become an increasing problem in recent months. Blackmail demands sent by email can betray a criminal's level of skill and state of mind, yielding valuable insights to defenders.

Even the email client used by the attacker is a clue - Pine users are more skilled than Outlook users, for example. And levels of anxiety and hostility can be gleaned from these emails.

Such assessments derive from the work of clinical psychologists, such as Eric Shaw, who advised the FBI in dealing with extortion demands against Bloomberg. The sting operation he helped orchestrate resulted in the entrapment and eventual conviction of Kazakstani hacker Oleg Zezov.

Shaw is also a member of the adversary characterisation working group.

Know thy enemy

It is possible to make educated guesses about how attackers might decide to go after corporate assets, if you have a better idea of how much money hackers have at their disposal, how skilled they are and the technologies they use.

"With this understanding, it's possible to refine security and spend money where it's most needed," Parker said.

A better understanding of the relationship between a target and attacker allows defenders to gauge the capability and motive of the adversaries they might face, he said.

Media attention is often focused on script kiddies (relatively unskilled attackers), but Parker is far more concerned with the threat posed by professional hackers or insiders, whose elevated levels of access give them a head start in attacking IT systems. Parker backed up the general consensus that insiders pose the greatest risk for most organisations.

WarmTouch puts workers under the microscope

A software application called WarmTouch can detect signs of disgruntlement or psychological change in online communications. The tool can be used to provide early warning of possible problems. Companies can act on this information to mitigate the impact of insiders, perhaps by restricting their access to sensitive systems or by stepping up monitoring.

All this sounds distinctly Big Brother-ish, but Parker points out that employment clauses commonly allow employee monitoring, enabling companies to stay legal even when using profiling software on their workers.

Adversary characterisation, many of whose ideas derive from military strategy assessments, also has applications in Homeland Security. It can be applied in attempts to get a more accurate handle on "cyber-terrorism" risks.

Such risks are frequently overstated, of course, but it would be unwise to discount the possibility that terrorists might attack the IT systems of emergency services at the same time as carrying out a more traditional, bloody attack.

The work of Parker and his collaborators is to be explained in a book, Adversary Characterisation - Auditing the Hacker Mind, due out in June. ®
