
Eight Faces of a Hacker

Profilers decipher who they are, why they do it as new subcategories start to emerge

"If you know the enemy and you know yourself, you need not fear the result of a hundred battles." -- Sun Tzu, The Art of War

"Who are those guys?" -- Paul Newman, Butch Cassidy and the Sundance Kid

You fight against them every day: hackers, attackers, insiders. You know what they do, but not who they are. They are often nameless, usually faceless. You'd like to be able to guess their next move, but that can be pretty difficult when you don't even know what motivates them or why they're attacking you.

Is there a way to "profile" a hacker, the way the police might profile an arsonist or a serial killer? Not exactly. But quietly, a collection of university researchers and law enforcement agencies has been developing a taxonomy of the hacker community, much as an entomologist studies and classifies insects. And police and security experts hope that taxonomy will eventually help them identify and root out the vermin.

"To address the problems created by hackers, it is apparent that we need more than just technical controls," says Marc Rogers, a professor at Purdue University and author of the industry's most widely-used taxonomy of the hacker community. "We also need to start understanding the individuals behind the attacks."

The effort to understand the psychology of hackers and attackers is nothing new. Psychological studies of "phone phreaks" can be found as far back as the early 1980s, and MessageLabs is publishing a study on internal "company devils" today. The idea behind most of the studies is the same: to break the stereotype of the hacker as a socially-inept male teenager sitting behind a PC in his parents' basement.

There is no single profile of a hacker, inside or outside the company, Rogers says in the most recent update of his taxonomy paper. In fact, the idea of lumping all hackers into a single group is "analogous to attempting to understand criminal activity by lumping the entire spectrum of traditional criminals (i.e., shoplifters to homicidal psychopaths) into one generic group," he says. "The idea seems ludicrous, yet this is what we are currently doing with the criminal domain of computer crimes."

There has been a "huge shift" in hacker profiles in the last few years, as motives move from curiosity to financial gain, says Rogers, who has worked with law enforcement agencies on hacker profiling and computer forensics. But security managers should be wary of oversimplifying the new threats as well, he advised.

"For years, vendors treated the 'cyber-punk' as the boogeyman, and they built at least some of their business on the fear that some brilliant teen would launch a virus," Rogers says. "Now some of them are painting organized crime as the boogeyman, spreading this notion that the Russian mafia is out to get every business."

In reality, there are lots of different types of attackers, Rogers states. His taxonomy breaks them up into eight categories, each with different characteristics and motivations. The taxonomy is frequently used by law enforcement agencies and other researchers as a starting point for profiling computer attackers. "It's a long way from perfect, but I wanted to give people something to shoot at."

1. The Novice
Sometimes called "script kiddies," this group is typically young and has limited skills; its primary motivation is thrill seeking and ego stroking. In order to prove their worth, they attempt to "rack up" trophies, often using pre-written software.

2. The Cyber Punk
This group comes closest to fitting the traditional view of the hacker -- young males with some skills and programming capabilities with a desire for attention and, sometimes, monetary gain. They typically choose high-profile targets, and they often choose vandalism over outright data theft.

3. The Internal
These are the insiders -- those who use their internal system privileges to gain access to unauthorized data. They generally fall into two subcategories: disgruntled employees seeking revenge and those who are looking to use the data for financial gain.

4. The Petty Thief
Traditional criminals who learn how to hack in order to expand their field of targets. They usually are not skilled at first, but they sometimes become skilled over time. Their sole motivation is money.


5. The Old Guard
Motivated by curiosity and the need for an intellectual challenge, these highly skilled individuals are capable of writing code and scripts. Espousing the ideology of the first-generation hackers, they usually have no criminal intent but will readily post the scripts and code they develop.

6. The Virus Writer
This group is still being defined, Rogers says. It is made up mostly of young males, who tend to age out of the group once they hit their mid to late twenties. This group differs from the Cyber Punks in that its motivation is more along the lines of revenge or curiosity than notoriety.

7. The Professional Criminal
Highly-trained IT experts who use their skills for financial gain. They tend never to be caught or even come to the attention of the authorities, Rogers says. These are the "hired guns" employed by organized criminal groups.

8. The Information Warrior
Motivated by patriotism, these individuals use their skills to disrupt the command and control of a rival nation. They are typically highly trained and highly skilled.

These categories have remained fairly stable since Rogers developed the taxonomy in 1999, but many subcategories are evolving all the time, Rogers says. "I expect this to develop like an ornithology, where people take the basic structure and develop taxonomies for the subgroups."

One category that has gotten a good deal of attention from researchers is the Internal group, which has been difficult to study because of companies' reluctance to share information about insider threats and break-ins. Several researchers have published studies on the topic in the last two years.

The Secret Service and Carnegie Mellon University in 2005 released a paper that says there are no common demographics among insiders who damage or steal customer data, but there are indicators of risk.

Thirty-three percent of subjects were perceived by management as 'difficult,' and 19 percent were viewed as disgruntled by other employees. Twenty-seven percent had come to the attention of a supervisor or a co-worker for behavior concerns, and another 27 percent had prior arrests, the study says. While 42 percent of those motivated by greed were female, only 4 percent of those motivated by disgruntlement were female.

In a study published last year, Eric Shaw, a professor at George Washington University, reported that most of the insiders studied displayed four basic traits: a history of negative social and personal experience; a lack of social skills; a sense of entitlement; and ethical flexibility. These traits, combined with the right stress factors and opportunities, can lead to a higher incidence of insider attacks, he said.

But such studies may overlook the more frequent case of accidental security exposure from inside the company. In a study being published today, MessageLabs found that the "devils" in most companies are not those who intentionally steal or damage company data, but those who expose it to outsiders by breaking company security protocols.

According to MessageLabs, the danger comes from young, tech-savvy junior-level sales types who are under pressure to meet their quotas.

"The problem is that the more you lock down your systems, the less usable they become," notes Paul Wood, senior analyst at MessageLabs. "These people are under pressure to meet their objectives -- they are moving quickly and they don't have time for systems that aren't usable. So they'll use their technical skills to find a way around the policy."

These company "devils" are natural multi-taskers who will use any means necessary to get their jobs done -- including IM, wireless, VoIP, and email -- from any access point, and without regard for security policy, Wood explained. Their intent is not malicious, but they may create avenues for a security breach without knowing it, he says.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
