Just a couple of weeks ago the world was rocked by the news that CIA Director John Brennan's AOL email account (apparently that's still a thing) had been hacked. Immediately, speculation began. Had it been Chinese hackers with 0-days? The Russian military using stolen passwords?
Nope. Turns out it was a bored teenager who, by social engineering support staff, was able to take control of the account and leak sensitive information. No exploit was needed; the weak point was a human being with the power to reset access.
A Virtual Potpourri of Cybercrime Actors and Motivations
At first this might seem shocking. How can one of the most powerful people in the world be hacked by some pimply-faced teen?
It's much more common than most people realize. Run-of-the-mill hackers are by far the most numerous of the cyberwar combatants, and they are also the most diverse group. Their skill levels range from the very best of the best down to unskilled attackers, often referred to as "script kiddies", and that spread makes them the most unpredictable group as well.
Their targets range from personal, to corporate, to government, and their tools range from bleeding-edge "0-day" attacks (exploits for vulnerabilities that have no patch and no signature yet, so defenders cannot detect or block them in advance), through social engineering, phishing, DDoS, and password cracking or password reuse, down to regular "off-the-shelf" attacks built from publicly available exploit kits.
The motivations of these attackers are as diverse as the attacks they use. Some do it for bragging rights, others to learn hacking skills. Some hack for revenge or rebellion, others for political reasons, and the author counts some of the most destructive among them as driven by mental illness. Luckily for the world, most of these attackers are not well funded, but that in no way reduces their impact on the internet.
Profiling The Cyber Threat
From a profiling point of view, this makes the lives of those defending networks much more difficult. With such a diverse set of motivations and skillsets, it is almost impossible to track such a disparate group of actors. This is especially problematic for the threat intelligence analyst supporting incident response, who needs to know who is on the other end of the attack.
Unlike cybercriminals, who have fewer forums to haunt and are therefore often easier to track, general hackers have thousands of sites where they can hang out and learn the tricks of the trade. Because of this diversity, tools like ShadowDragon's Spotter and AliasDB can be invaluable in identifying established hackers, since an attacker who has been active for years tends to reuse handles and haunts that have already been catalogued.
For newer hackers, following their online presence can also be made easier with tools like Maltego and SocialNet, as well as some other emerging tools. But for the threat intelligence analyst, the sheer number of new hackers coming online every day means that profiling this group of attackers is nearly impossible for most shops.
Prepping Your Incident Response
Before the inevitable attack occurs, ensure your incident response plan includes the tools needed for forensic analysis, proper evidence collection and handling, and, of course, attacker profiling. Knowing the capabilities of your attacker will usually guide your response to an incident.
A script kiddie relies on public exploits for known vulnerabilities, so keeping your systems patched shuts down the overwhelming majority of them. An advanced attacker leveraging 0-days is an entirely different kettle of fish: there is no patch to apply, and the response usually requires external resources to assist with analysis and remediation.
No matter the type of attacker you end up being saddled with, your best use of time and resources is securing your enterprise and reducing your organization's attack surface. The harder you make it to penetrate your perimeter, the fewer attackers can overcome those obstacles.
On the upside, the longer your attackers have been around, the higher the likelihood that ShadowDragon's tools or other organizations already have some intelligence on them. While that might not seem like much, in the cyberwar arena every little bit helps.
Unfortunately, the reality is that with the non-stop flow of new actors flooding onto the stage, you are playing virtual Russian roulette with who shows up on your doorstep. Your best strategy is to make sure your doorstep is as hardened as possible.
Next Up: Criminals