Auditing the mind of a hacker

Security consultants are teaming up with clinical psychologists - including behavioural scientists from the FBI - to gain a better understanding of what drives and motivates hackers.

This should enable organisations to be more proactive in responding to security threats, according to Tom Parker, a member of a working group on "adversary characterisation". Better info feeds through to the refining of existing threat models, he says.

"We're working on developing a more accurate way of modelling attacks to be able to assess whether hackers will come back, how old they are and how skilled they might be," Parker, of managed security firm NetSec, said.

"You can gauge a hacker's level of skill to access whether someone is capable of using something they've written themselves, perhaps zero day exploits, or whether they will use only standard attack tools. We score their technical skills."

Manhunter

Skilled computer forensic investigators apply similar techniques already, but the collaboration between security specialists and behavioural scientists adds a psychological dimension to assessing IT security risks.

For instance, extortion threats against online bookmakers have become an increasing problem in recent months. Blackmail demands sent by email can betray a criminal's level of skill and state of mind, yielding valuable insights to defenders.

Even the email client used by the attacker is a clue - Pine users are more skilled that Outlook user, for example. And levels of anxiety and hostility can be gleaned from these emails.

Such assessments derive from the work of clinical psychologists, such as Eric Shaw, who advised the FBI in dealing with extortion demands against Bloomberg. The sting operation he helped orchestrate resulted in the entrapment and eventual conviction of Kazakstani hacker Oleg Zezov.

Shaw is also a member of adversary characterisation working group.

Know thy enemy

It is possible to make educated guesses about how attackers might decide to go after corporate asset, if you have a better idea of how much money hackers have at their disposal, how skilled they are and the technologies they use.

"With this understanding, it's possible to refine security and spend money where it most needed," Parker said.

A better understanding the relationship between a target and attacker allows defenders to gauge the capability and motive of the adversaries they might face, he said.

Media attention is often focused on script kiddies (relatively unskilled attackers), but Parker is far more concerned with the threat posed by professional hackers or insiders, whose elevated levels of access give them a head start in attacking IT systems. Parker backed up the general consensus that insiders pose the greatest risk for most organisations.

WarmTouch puts workers under the microscope

A software application called WarmTouch can detect signs of disgruntlement or psychology change in online communications. The tool can be used to provide early warning of possible problems. Companies can act on this information to mitigate the impact of insider, perhaps by restricting their access to sensitive systems or by stepping up monitoring.

All this sounds distinctly Big Brother-ish, but Parker points out that employment clauses commonly allow employee monitoring, enabling companies to stay legal even when using profiling software on their workers.

Adversary characterisation, many of those ideas derive from military strategy assessments, also has applications in Homeland Security. It can be applied in attempts to get a more accurate handle on "cyber-terrorism" risks.

Such risks are frequently overstated, of course, but it would be unwise to discount the possibility that terrorists might attack the IT systems of emergency services at the same time as carrying out a more traditional, bloody attack.

The work of Parker and his collaborators are to be explained in a book Adversary Characterisation - Auditing the Hacker Mind, due out in June. ®

Related stories

Bloomberg extortionist jailed for four years/a>
Bloomberg involved in Net sting
Online extortionists target Cheltenham
9/11 prompts more govt surveillance
El Reg badly misguided on cyber-terror threat
Fed: Cyberterror fears missed real threat
NetSec scoops up Defcom