
Auditing the mind of a hacker

FBI and security experts probe psyche


Security consultants are teaming up with clinical psychologists - including behavioural scientists from the FBI - to gain a better understanding of what drives and motivates hackers.

This should enable organisations to be more proactive in responding to security threats, according to Tom Parker, a member of a working group on "adversary characterisation". Better info feeds through to the refining of existing threat models, he says.

"We're working on developing a more accurate way of modelling attacks to be able to assess whether hackers will come back, how old they are and how skilled they might be," Parker, of managed security firm NetSec, said.

"You can gauge a hacker's level of skill to assess whether someone is capable of using something they've written themselves, perhaps zero day exploits, or whether they will use only standard attack tools. We score their technical skills."

Manhunter

Skilled computer forensic investigators apply similar techniques already, but the collaboration between security specialists and behavioural scientists adds a psychological dimension to assessing IT security risks.

For instance, extortion threats against online bookmakers have become an increasing problem in recent months. Blackmail demands sent by email can betray a criminal's level of skill and state of mind, yielding valuable insights to defenders.

Even the email client used by the attacker is a clue - Pine users are more skilled than Outlook users, for example. And levels of anxiety and hostility can be gleaned from these emails.

Such assessments derive from the work of clinical psychologists, such as Eric Shaw, who advised the FBI in dealing with extortion demands against Bloomberg. The sting operation he helped orchestrate resulted in the entrapment and eventual conviction of Kazakstani hacker Oleg Zezov.

Shaw is also a member of the adversary characterisation working group.

Know thy enemy

It is possible to make educated guesses about how attackers might decide to go after corporate assets, if you have a better idea of how much money hackers have at their disposal, how skilled they are and the technologies they use.

"With this understanding, it's possible to refine security and spend money where it is most needed," Parker said.

A better understanding of the relationship between a target and attacker allows defenders to gauge the capability and motive of the adversaries they might face, he said.

Media attention is often focused on script kiddies (relatively unskilled attackers), but Parker is far more concerned with the threat posed by professional hackers or insiders, whose elevated levels of access give them a head start in attacking IT systems. Parker backed up the general consensus that insiders pose the greatest risk for most organisations.

WarmTouch puts workers under the microscope

A software application called WarmTouch can detect signs of disgruntlement or psychological change in online communications. The tool can be used to provide early warning of possible problems. Companies can act on this information to mitigate the impact of insiders, perhaps by restricting their access to sensitive systems or by stepping up monitoring.

All this sounds distinctly Big Brother-ish, but Parker points out that employment clauses commonly allow employee monitoring, enabling companies to stay legal even when using profiling software on their workers.

Adversary characterisation, many of whose ideas derive from military strategy assessments, also has applications in Homeland Security. It can be applied in attempts to get a more accurate handle on "cyber-terrorism" risks.

Such risks are frequently overstated, of course, but it would be unwise to discount the possibility that terrorists might attack the IT systems of emergency services at the same time as carrying out a more traditional, bloody attack.

The work of Parker and his collaborators is to be explained in a book, Adversary Characterisation - Auditing the Hacker Mind, due out in June. ®
