Feeds

Auditing the mind of a hacker

FBI and security experts probe psyche

  • alert
  • submit to reddit

Reducing security risks from open source software

Security consultants are teaming up with clinical psychologists - including behavioural scientists from the FBI - to gain a better understanding of what drives and motivates hackers.

This should enable organisations to be more proactive in responding to security threats, according to Tom Parker, a member of a working group on "adversary characterisation". Better info feeds through to the refining of existing threat models, he says.

"We're working on developing a more accurate way of modelling attacks to be able to assess whether hackers will come back, how old they are and how skilled they might be," Parker, of managed security firm NetSec, said.

"You can gauge a hacker's level of skill to access whether someone is capable of using something they've written themselves, perhaps zero day exploits, or whether they will use only standard attack tools. We score their technical skills."

Manhunter

Skilled computer forensic investigators apply similar techniques already, but the collaboration between security specialists and behavioural scientists adds a psychological dimension to assessing IT security risks.

For instance, extortion threats against online bookmakers have become an increasing problem in recent months. Blackmail demands sent by email can betray a criminal's level of skill and state of mind, yielding valuable insights to defenders.

Even the email client used by the attacker is a clue - Pine users are more skilled that Outlook user, for example. And levels of anxiety and hostility can be gleaned from these emails.

Such assessments derive from the work of clinical psychologists, such as Eric Shaw, who advised the FBI in dealing with extortion demands against Bloomberg. The sting operation he helped orchestrate resulted in the entrapment and eventual conviction of Kazakstani hacker Oleg Zezov.

Shaw is also a member of adversary characterisation working group.

Know thy enemy

It is possible to make educated guesses about how attackers might decide to go after corporate asset, if you have a better idea of how much money hackers have at their disposal, how skilled they are and the technologies they use.

"With this understanding, it's possible to refine security and spend money where it most needed," Parker said.

A better understanding the relationship between a target and attacker allows defenders to gauge the capability and motive of the adversaries they might face, he said.

Media attention is often focused on script kiddies (relatively unskilled attackers), but Parker is far more concerned with the threat posed by professional hackers or insiders, whose elevated levels of access give them a head start in attacking IT systems. Parker backed up the general consensus that insiders pose the greatest risk for most organisations.

WarmTouch puts workers under the microscope

A software application called WarmTouch can detect signs of disgruntlement or psychology change in online communications. The tool can be used to provide early warning of possible problems. Companies can act on this information to mitigate the impact of insider, perhaps by restricting their access to sensitive systems or by stepping up monitoring.

All this sounds distinctly Big Brother-ish, but Parker points out that employment clauses commonly allow employee monitoring, enabling companies to stay legal even when using profiling software on their workers.

Adversary characterisation, many of those ideas derive from military strategy assessments, also has applications in Homeland Security. It can be applied in attempts to get a more accurate handle on "cyber-terrorism" risks.

Such risks are frequently overstated, of course, but it would be unwise to discount the possibility that terrorists might attack the IT systems of emergency services at the same time as carrying out a more traditional, bloody attack.

The work of Parker and his collaborators are to be explained in a book Adversary Characterisation - Auditing the Hacker Mind, due out in June. ®

Related stories

Bloomberg extortionist jailed for four years/a>
Bloomberg involved in Net sting
Online extortionists target Cheltenham
9/11 prompts more govt surveillance
El Reg badly misguided on cyber-terror threat
Fed: Cyberterror fears missed real threat
NetSec scoops up Defcom

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.