Every day, shadowy figures around the Internet reach out to touch your corporate IT infrastructure tens of thousands of times. They are seeking ways in, trying to find exploitable weaknesses that could be used to gain a foothold in your network. But who are these people? What motivates them, and can a better understanding of them help you to protect yourself against their attacks?
Traditional stereotypes depict computer hackers as pasty-faced social misfits, hunkered in basements intent on wreaking havoc for their own twisted satisfaction. In reality, though, their personalities and motivations are diverse. For some, computer hacking is an obsessive pastime, while for others, it is strictly business.
“The three main categories of motivation we see are philosophical, profit-based, or fame,” said Joe Stewart, director of malware research for the Counter Threat Unit of SecureWorks, the security arm of Dell. “Obviously there can be some degree of overlap in there.”
Why do they do it?
These three motivations can fuel different kinds of hacking activity. For example, profit is a key motive for criminals. That class of hacker will explore weaknesses in corporate infrastructure with one goal in mind: to extract as much money – or data of value – as possible.
Conversely, ‘hacktivists’ – those people driven by ideological or philosophical motives – are typically far more overt in their actions. They rely on making as big a splash as possible to demonstrate their cause. So, fame plays a part there, too.
Several such groups have appeared. Anonymous is by now well known as a loosely coupled collective that sets out to embarrass organizations it disagrees with. Other groups, such as the Islamic terrorist group ISIS, are also using hacking as a form of ideological warfare. They too are loosely coupled, with lone wolves carrying out attacks on their own initiative rather than under central direction.
And then, there are advanced hacker groups with a seemingly geo-political focus, such as the APT30 group, which security firm FireEye believes may be state sponsored.
How to protect yourself
Can understanding the psychology and motivation of a hacker help a company to protect itself from attack? Stewart suggests that understanding a hacker’s motives may be more useful in deciding how to deal with them after a compromise has occurred.
You can spend hours trying to get inside an attacker’s head, but there is another way to better understand a potential assailant. CISOs can garner some useful intelligence about them based on their attack characteristics.
Ben Densham, CTO of penetration testing and security consulting firm Nettitude, says that threat intelligence services can help organizations work out who may be attacking their systems. That knowledge can be a significant advantage, he suggested.
“If an organization determines that it is being targeted by a particular criminal, it can implement appropriate countermeasures and even test their systems using tools, techniques and practices that mimic those of the criminals to establish how vulnerable they are,” said Densham.
More sophisticated attackers will do everything they can to avoid betraying their intentions, he says, in case it compromises their attack efforts. But even the most advanced attackers leave a trace that may help security professionals to piece together a profile of them. Often, different professional hacking groups exhibit similar kinds of behavior, and in some cases, even use recognizable tools.
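The profiling Densham describes starts with the traces an attacker leaves in ordinary logs: which paths they probed, how fast, what their tooling announces itself as. The script below is an added example, not code from the article or from any firm quoted in it. It parses a handful of constructed web server log lines in the common "combined" format, builds a per-source behavioural profile, and tags each source with coarse labels an analyst could act on. The tool signatures, the injection heuristic and the rate thresholds are illustrative assumptions; real attackers can and do change their User-Agent, so a missing signature is never evidence of innocence.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic) in Apache/nginx "combined" log format.
# Three sources: an automated SQL-injection tool, a web scanner, and an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login.php?id=1' HTTP/1.1" 500 512 "-" "sqlmap/1.7.8#stable (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login.php?id=1 AND 1=1 HTTP/1.1" 200 2048 "-" "sqlmap/1.7.8#stable (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login.php?id=1 AND 1=2 HTTP/1.1" 200 1900 "-" "sqlmap/1.7.8#stable (https://sqlmap.org)"
198.51.100.23 - - [10/Oct/2023:14:02:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.23 - - [10/Oct/2023:14:02:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.23 - - [10/Oct/2023:14:02:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
192.0.2.55 - - [10/Oct/2023:14:10:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.55 - - [10/Oct/2023:14:10:05 +0000] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that well-known scanners place in their default User-Agent.
# Illustrative assumption: a starting list, not an authoritative one.
TOOL_SIGNATURES = {"sqlmap": "sqlmap", "Nikto": "nikto"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["request"].rsplit(" ", 1)[0]  # drop the trailing "HTTP/1.1" token
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def profile_sources(log_text):
    """Aggregate per-source behaviour: volume, rate, breadth, error ratio, tool fingerprint."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        tools = sorted(name for name, needle in TOOL_SIGNATURES.items()
                       if any(needle in r["ua"].lower() for r in recs))
        # Crude injection heuristic (assumption): a quote or an " AND " clause in the URL.
        suspicious = sum(1 for r in recs if "'" in r["path"] or " AND " in r["path"].upper())
        profiles[ip] = {
            "requests": len(recs),
            "distinct_paths": len({r["path"] for r in recs}),
            "error_ratio": round(sum(r["status"] >= 400 for r in recs) / len(recs), 2),
            # All requests in the same second count as a burst rather than a zero-length span.
            "req_per_sec": round(len(recs) / span, 2) if span else float(len(recs)),
            "tools": tools,
            "suspicious_requests": suspicious,
            "user_agents": sorted({r["ua"] for r in recs}),
        }
    return profiles


def assess(profile):
    """Turn one profile into coarse triage tags. Thresholds are assumptions to tune per site."""
    tags = []
    if profile["tools"]:
        tags.append("known-tool:" + ",".join(profile["tools"]))
    if profile["suspicious_requests"]:
        tags.append("injection-probing")
    if profile["error_ratio"] >= 0.8 and profile["distinct_paths"] >= 3:
        tags.append("path-enumeration")  # many distinct paths, almost all missing
    if profile["req_per_sec"] >= 2:
        tags.append("automated-rate")
    return tags or ["unremarkable"]


if __name__ == "__main__":
    for ip, prof in profile_sources(SAMPLE_LOG).items():
        print(ip, assess(prof), prof["user_agents"])
```

Run against real logs, the same shape of profile (tooling, breadth, rate, what was targeted) is what lets you compare an intruder against the behaviour threat intelligence vendors attribute to particular groups; the point is the profile, not the handful of signatures used here.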
Drawing them in
Chief information security officers may not relish the idea of waiting for someone to hack their systems so that they can pick over forensic data, but there is another approach: draw them in with a fake prize. In the past, honeypots have been a useful means of gathering intelligence about attacker behaviors.
Honeypots are typically computers set up to mimic an organization’s real infrastructure. By placing them logically close to the block of IP addresses used by a company, they can be used as decoys to draw in attackers, who can then be watched to see how they attempt system compromise. Because no legitimate user has a reason to connect to a decoy, almost everything it receives is worth examining.
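A low-interaction honeypot of the kind described above can be very small. The following is an added example, not code from the article or from any of the organizations it quotes: a fake telnet login service that greets with a plausible banner, rejects every login, records each username and password the visitor tries, and writes one JSON line per session for the forensics team. The banner text, the port (2323 rather than 23, so it runs without root) and the five-attempt cap are assumptions; the dialogue logic is separated from the socket handling so it can be exercised without a network.

```python
import json
import socketserver
from datetime import datetime, timezone


class TelnetDecoy:
    """Minimal fake telnet login dialogue: always rejects, records every credential tried."""

    PROMPT_USER = b"login: "
    PROMPT_PASS = b"Password: "

    def __init__(self):
        self.state = "user"
        self.username = None
        self.attempts = []  # [username, password] pairs the visitor tried

    def greeting(self):
        # Assumed banner; pick one that matches what your real estate looks like.
        return b"Ubuntu 16.04 LTS\r\n" + self.PROMPT_USER

    def feed(self, data):
        """Consume one line from the peer and return the bytes to send back."""
        line = data.rstrip(b"\r\n").decode("utf-8", "replace")
        if self.state == "user":
            self.username = line
            self.state = "pass"
            return self.PROMPT_PASS
        self.attempts.append([self.username, line])
        self.state = "user"
        return b"\r\nLogin incorrect\r\n" + self.PROMPT_USER


def make_record(peer, local_port, attempts, when=None):
    """One JSON-serialisable event per session: who came, where, and what they tried."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(timespec="seconds"),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "attempts": attempts,
    }


class DecoyHandler(socketserver.StreamRequestHandler):
    timeout = 30       # idle peers are dropped; the decoy must not become a resource sink
    MAX_ATTEMPTS = 5   # assumed cap per connection

    def handle(self):
        decoy = TelnetDecoy()
        self.wfile.write(decoy.greeting())
        while len(decoy.attempts) < self.MAX_ATTEMPTS:
            try:
                line = self.rfile.readline()
            except OSError:  # includes socket timeouts
                break
            if not line:
                break
            self.wfile.write(decoy.feed(line))
        record = make_record(self.client_address, self.server.server_address[1], decoy.attempts)
        print(json.dumps(record), flush=True)  # one line per session; ship it to your SIEM


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve(host="0.0.0.0", port=2323):
    """Listen for connections; a real deployment would bind this inside the decoy address range."""
    with DecoyServer((host, port), DecoyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The decoy never grants access and never executes anything the visitor sends, which keeps it low risk; what it yields is the credential lists, source addresses and timing that feed the profiling described earlier.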
“In some web application firewalls, they respond to the hacker as if the website had been compromised, even though it hadn’t,” said John Pescatore, director of emerging security trends at the SANS Institute, which trains corporate clients in cyber security techniques. “It occupies the attacker and collects their information.”
Honeypots may be difficult to use as decoys, given that attacks have evolved over the years. In the 1990s, attackers connected directly to servers and attempted to crack their security that way. These days, they may be just as likely to send a malware attachment via an email to an employee, and tempt them into opening it. It’s difficult to use a decoy infrastructure in cases like those.
Honeypots can form part of another, riskier approach that companies already compromised by a hacker can adopt: watching the attack unfold.
Rolf von Roessing, former international vice president of non-profit governance group ISACA, said that a knee-jerk reaction to a compromise would be to simply expunge the attacker and close off all vulnerabilities. Avoid that temptation, he suggested.
“Watch them carefully. Protect what they haven’t yet got. Let them do what they’re doing,” he said. A honeypot can be a key part of this strategy, diverting an attacker who is already in your system and quarantining them in an electronic ‘playpen’ that will occupy their attention.
While the attackers busy themselves hacking parts of your system that are not at risk, your forensics team can be gathering evidence and learning more about them.
A bold approach like this requires a significant amount of expertise and sophistication on the part of a company’s own threat response team. Be sure that you have invested enough in that expertise before you grab the tiger by its tail.