"If you know the enemy and you know yourself, you need not fear the result of a hundred battles." -- Sun Tzu, The Art of War
"Who are those guys?" -- Paul Newman, Butch Cassidy and the Sundance Kid
You fight against them every day: hackers, attackers, insiders. You know what they do, but not who they are. They are often nameless, usually faceless. You'd like to be able to guess their next move, but that can be pretty difficult when you don't even know what motivates them or why they're attacking you.
Is there a way to "profile" a hacker, the way the police might profile an arsonist or a serial killer? Not exactly. But quietly, a collection of university researchers and law enforcement agencies has been developing a taxonomy of the hacker community, much as an entomologist studies and classifies insects. And police and security experts hope that taxonomy will eventually help them identify and root out the vermin.
"To address the problems created by hackers, it is apparent that we need more than just technical controls," says Marc Rogers, a professor at Purdue University and author of the industry's most widely-used taxonomy of the hacker community. "We also need to start understanding the individuals behind the attacks."
The effort to understand the psychology of hackers and attackers is nothing new. Psychological studies of "phone phreaks" can be found as far back as the early 1980s, and MessageLabs is publishing a study on internal "company devils" today. The idea behind most of the studies is the same: to break the stereotype of the hacker as a socially-inept male teenager sitting behind a PC in his parents' basement.
There is no single profile of a hacker, inside or outside the company, Rogers says in the most recent update of his taxonomy paper. In fact, the idea of lumping all hackers into a single group is "analagous to attempting to understand criminal activity by lumping the entire spectrum of traditional criminals (i.e., shoplifters to homicidal psychopaths) into one generic group," he says. "The idea seems ludicrous, yet this is what we are currently doing with the criminal domain of computer crimes."
There has been a "huge shift" in hacker profiles in the last few years, as motives shift from curiosity to financial gain, says Rogers, who has worked with law enforcement agencies on hacker profiling and computer forensics. But security managers should also be wary of oversimplifying the new threats as well, he advised.
"For years, vendors treated the 'cyber-punk' as the boogeyman, and they built at least some of their business on the fear that some brilliant teen would launch a virus," Rogers says. "Now some of them are painting organized crime as the boogeyman, spreading this notion that the Russian mafia is out to get every business."
In reality, there are lots of different types of attackers, Rogers states. His taxonomy breaks them up into eight different categories, each with different characteristics and motivations. The taxonomy is frequently used by law enforcement agencies and other researchers as a starting point for profiling computing attackers. "It's a long way from perfect, but I wanted to give people something to shoot at."
1. The Novice
Sometimes called "script kiddies," this group is typically young, with limited skills, whose primary motivation is thrill seeking and ego stroking. In order to prove their worth, they attempt to "rack up" trophies, often using pre-written software.
2. The Cyber Punk
This group comes closest to fitting the traditional view of the hacker -- young males with some skills and programming capabilities with a desire for attention and, sometimes, monetary gain. They typically choose high-profile targets, and they often choose vandalism over outright data theft.
3. The Internal
These are the insiders -- those who use their internal system privileges to gain access to unauthorized data. They generally fall into two subcategories: disgruntled employees seeking revenge and those who are looking to use the data for financial gain.
4. The Petty Thief
Traditional criminals who learn how to hack in order to expand their field of targets. They usually are not skilled at first, but they sometimes become skilled over time. Their sole motivation is money.
Motivated by curiosity and the need for an intellectual challenge, these highly skilled individuals are capable of writing code and scripts. Espousing the ideology of the first-generation hackers, they usually have no criminal intent but will readily post the scripts and code they develop.
6. The Virus Writer
This group is still being defined, Rogers says. It is made up mostly of young males, who tend to age out of the group once they hit their mid to late twenties. This group differs from the Cyber Punks in that its motivation is more along the lines of revenge or curiosity than notoriety.
7. The Professional Criminal
Highly-trained IT experts who use their skills for financial gain. They tend never to be caught or even come to the attention of the authorities, Rogers says. These are the "hired guns" employed by organized criminal groups.
8. The Information Warrior
Motivated by patriotism, these individuals use their skills to disrupt the command and control of a rival nation. They are typically highly trained and highly skilled.
These categories have remained fairly stable since Rogers developed the taxonomy in 1999, but many subcategories are evolving all the time, Rogers says. "I expect this to develop like an ornithology, where people take the basic structure and develop taxonomies for the subgroups."
One category that has gotten a good deal of attention from researchers is the Internal group, which has been difficult to study because of companies' reluctance to share information about insider threats and break-ins. Several researchers have published studies on the topic in the last two years.
The Secret Service and Carnegie Mellon University in 2005 released a paper that says there are no common demographics among insiders who damage or steal customer data, but there are indicators of risk.
Thirty-three percent of subjects were perceived by management as 'difficult,' and 19 percent were viewed as disgruntled by other employees. Twenty-seven percent had come to the attention of a supervisor or a co-worker for behavior concerns, and another 27 percent had prior arrests, the study says. While 42 percent of those motivated by greed were female, only 4 percent of those motivated by disgruntlement were female.
In a study published last year, Eric Shaw, a professor at George Washington University, reported that most of the insiders they studied displayed four basic traits: a history of negative social and personal experience; a lack of social skills; a sense of entitlement; and ethical flexibility. These traits, combined with a right stress factors and opportunities, can lead to a higher incidence of insider attacks, he said.
But such studies may overlook the more frequent instance of accidental security exposure from inside the company. In a study being published today, MessageLabs found that the "devils" in most companies are not those that intentionally steal or damage company data, but who expose it to outsiders by breaking company security protocols.
According to MessageLabs, the danger comes from young, tech-savvy junior-level sales types who are under pressure to meet their quotas.
"The problem is that the more you lock down your systems, the less usable they become," notes Paul Wood, senior analyst at MessageLabs. "These people are under pressure to meet their objectives -- they are moving quickly and they don't have time for systems that aren't usable. So they'll use their technical skills to find a way around the policy."
These company "devils" are natural multi-taskers who will use any means necessary to get their jobs done -- including IM, wireless, VOIP, and email -- from any access point, and without regard for security policy, Wood explained. Their intent is not malicious, but they may create avenues for security breach without knowing it, he says.
Tim Wilson, Site Editor, Dark Reading