Profiling is controversial -- even among hackers. A project to develop profiles of different types of hackers has some researchers up in arms and others intrigued.
The Hackers Profiling Project (HPP), headed up by the Institute for Security and Open Methodologies (ISECOM), is trying to get closer to the criminal mind behind the hack so organizations can better respond to an attack. ISECOM envisions a methodology where you can identify the type of attacker who hit you based on forensic data that correlates with his or her "profile."
But some white-hat hackers don't like the idea of hacker profiling. "I think it is a horribly flawed idea. It is going to paint the wrong picture and in no way will it be helpful in the tracking of attackers. No real criminal is going to go and fill out a profile form," says Marc Maiffret, CTO and chief hacking officer for eEye Digital Security. "So what you will have is simple wannabe hacker kids and what-not filling out the form and then creating some misguided perception of what a criminal hacker really is like."
Researcher HD Moore says he doesn't see the point of the project and doesn't plan to participate in the questionnaire.
Other researchers, meanwhile, are intrigued by the idea of getting a better handle on who's behind an attack, as well as on their fellow hackers, good and bad.
"I think it's interesting to know about the major demographics of any society -- it helps us understand ourselves and make informed decisions on what to do as a group. Not that hackers are a tight-knit group, but we all collectively can make informed decisions based on better knowledge of ourselves," says RSnake, founder of ha.ckers.org. He says he'd be willing to participate in the project's questionnaire. "There is one thing hackers are, and that is smart, so being armed with information is useful."
Profiling is a key component of a cybercrime investigation, says Jeremiah Grossman, CTO of WhiteHat Security. "It would be interesting to know what methods the criminal justice field used to develop profiles of suspects," he says. "If the HPP is able to develop a similar profiling methodology for 'hackers,' they could potentially take logs from a computer security incident and apply against the known models. Could this work for information security or forensic analysis as it does in criminal justice? I think it could and it's worth the time investment to find out."
But Grossman says making this work won't be easy. "It'll probably be a lengthy process to gather enough real-world data, especially questionnaire data, then correlate it in a meaningful way. Then it's another matter to prove if your conclusions are accurate," he says. "They might be able to overcome this part by analyzing the limited number of hacking cases that we've seen so far."
The HPP, meanwhile, is soliciting hackers to fill out a questionnaire that surveys them on who they are and their technical know-how, as well as their motivations for what they do. The project will combine that data with data gathered from honeynet systems that record attacks, as well as other research. The end result would be a matrix of sorts that helps determine a hacker's technical skills, location, and purpose for an attack, and helps find other evidence he or she leaves behind.
Raoul Chiesa, director of communications at ISECOM, notes that there are two types of questionnaires: the public one on its site, and a private one that he and his researchers have given to hackers they "know." That ensures the validity of their responses, he says.
"The questionnaire's answers are not the unique inputs we rely on," Chiesa says. "The HPP Project is a five-year research study and as for now, we have just finished the second year of activity. More phases are upcoming, and the data we'll gather will be much deeper than the questionnaires."
The final phase is to distribute a free methodology for profiling attackers, he says, which will take three more years. "We simply think we are on the right path, and from so many countries of the world, people, professionals, companies, and [government] agencies are showing us their strong interest in our research."
eEye's Maiffret says the trouble with hacker profiling is pinning down the criminals themselves. "It is not like the real world where you find DNA evidence that tracks back to a person and then matches a profile to them or something of that nature," he says. "Tracking down computer criminals is a technical challenge currently, not a social one."
Kelly Jackson Higgins, Senior Editor, Dark Reading