Hacker personas: inside the mind of a cybercriminal

Offender profiling is used by the police to identify likely suspects in a crime and analyze patterns to predict future offences. Creating personas for hackers has the same goal: stopping crimes and catching criminals.

Hacker personas are fictitious profiles created using observed behaviors from real hackers and actual attacks. By building these personas, organizations can work out the best defense against certain types of attacks and predict when they might next occur.

What makes hackers tick?

Hackers can come from a wide variety of backgrounds, such as kids looking for notoriety, upset employees seeking revenge on their employer, or experts working for global cybercriminal rings. Their level of hacking skill can also range dramatically, from computer whizz kids to less-capable “script kiddies” who essentially use pre-written exploits downloaded from the internet.

Broadly, hackers typically fall into three main categories:

  • Cybercriminals, normally motivated by financial gain
  • Activists, also referred to as ‘hacktivists’, who are driven by political motivation
  • Government-sponsored networks of hackers who carry out cyber-warfare

Hacktivists have a political agenda and want to draw attention to a perceived wrongdoing or target a high-profile organization. They normally want to achieve one of three things: expose sensitive data, alter or deface information, or launch a distributed denial of service (DDoS) attack, in which multiple compromised computer systems attack a target, such as a website or server, bringing down the service. Hacktivists range from students to those with a great deal of technical experience.

Cybercriminals are often highly sophisticated. They typically work in teams utilizing different skill sets, with members sometimes hired on the dark web. These hackers normally plan their attacks very carefully. Attacks range from distributed ransomware to SQL injections and phishing.

Group mentality

Hackers are also increasingly banding together to support each other and create new threats. For example, Morpho, also known as Wild Neutron, is a well-funded group that has carried out several high-profile hacks on international enterprises including Apple and Microsoft using a zero-day software vulnerability.

The WannaCry ransomware attack, which spread like wildfire last year, is an example of the power of these groups. WannaCry exploited a vulnerability in systems running older versions of Windows and installed backdoors onto infected systems, encrypting data and demanding ransom payments in bitcoins. The attack is estimated to have affected over 300,000 computers across 150 countries.

Putting personas to the test

Personas are invaluable to penetration testers or ethical hackers who help organizations find vulnerabilities and risks to their infrastructures. Threat actions and threat actors or hackers are simulated to determine the risk to an organization, its assets and data.

The data gained from these penetration tests is key to helping organizations put the right security levels in place and second-guess what type of attacks are around the corner. It also helps to test the effectiveness of security teams.

Bring in the bug hunters

An ever-expanding attack surface has also seen the rise of so-called “bug hunters”, who also use hacker personas to understand the way malicious agents work. These white hat hackers are paid bounties to uncover high-impact vulnerabilities.

Crowdsourced Bugcrowd, for example, offers pay-for-results bug capture and large-scale human-intelligence pen testing, which it claims finds seven times more critical issues than traditional pen testing methods, which are done in-house or via a consultancy.

According to Bugcrowd’s recent Mind of a Hacker report, there is an increasing community of white hat hackers helping to combat cyberattacks. Bugcrowd itself boasts some 65,000 researchers, including penetration testers, security consultants and software engineers.

Attacks are only going up

The more connected we get, the more cyberattacks are going to increase. A research project carried out by the University of California in San Diego and the University of Twente in the Netherlands over a two-year period discovered that, at any given time, a third of the internet is subject to denial-of-service attacks, and it is only going to get worse.

“Put another way, the internet was targeted by nearly 30,000 attacks per day,” says Alberto Dainotti, a research scientist at CAIDA (Center for Applied Internet Data Analysis) at the University of California San Diego and the report’s principal investigator.

Cyberattacks are inextricably tied to our connected world, but if organizations can better understand cybercriminals, they have a fighting chance at keeping them out.

Jan Howells

Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.