HP Security Products Blog

Top questions to help you think like a cyber criminal

The last post I wrote on “knowing your enemy” left me somewhat unsatisfied. Thinking like a cyber criminal requires you to both understand and empathize with an attacker, to the extent that is possible. This concept deserves more than a few paragraphs, so I thought to myself, “if I could sit down with a real cyber criminal and ask questions, what would I want to know?” Here is the list of questions I came up with, with some context on why I want to know. In some cases I tried to add the types of data that might give us a clue to the answers without a cooperative bad guy to answer the questions. This type of information is important to the complicated problems of attacker attribution, detection and calculated response.

Geography and Sociology: Most of this information can only come from open-source intelligence collected against specific groups and individuals.

  • What is the attacker’s background?
  • How did life and economic circumstances lead them to this outcome?
  • What region / country are they from?
  • What is their native language? What other languages do they speak? There are linguistic idiosyncrasies that can identify mother tongue and thus likely geographic origin.
  • How strong is local cyber law enforcement? International collaboration? Are they likely to be held accountable?
  • How important is anonymization tradecraft to this attacker?
  • How prevalent is local corruption? Is it a social norm or aberrant behavior? This can indicate whether to look for criminal psychologies or to expect purely rational action. Transparency International can give you a good sense of this once you know their geography.

Skill, capability and tradecraft: These are items that can be discerned from the observed actions of an attacker in log files across the breadth of an attack.

  • What are their technology focus areas? Specialization? There is a lot of information to be gained from their personal technology choices.
  • How important is being stealthy to them? Post-breach lateral spread can be highly visible or very slow and stealthy.
  • What is their technical skill level? Tools only, systems, programmer or zero-day researcher? Age, education and experience can be seen here.
  • What technical mannerisms do they have? Are these repeated, or do they change during the attack? A change can indicate kill-chain specialists working together.
  • How much social engineering is involved in their methodology? This is always the weakest point to attack... "A resume is the most powerful hacking tool..." This also shows how important non-attribution is to them, as avoiding direct social engineering is a sign of a paranoid attacker or...
  • Do intangibles (observed personality) change from one attack stage to the next? Again, this shows specialization…
  • What anonymization tradecraft do they employ? E.g. correlation with Tor exit nodes or bot hosts, etc...
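As an added illustration of how several of the questions above (stealth, technical mannerisms, anonymization tradecraft) can be answered from log evidence alone, the following is example code, not part of the original post or any HP product. It assumes a simplified Apache-style access log (source IP, timestamp, request, status, user agent) and uses a constructed stand-in for a Tor exit-node list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic); the first source
# hammers admin paths with a scanner user agent, the second probes slowly.
LOG_LINES = [
    '203.0.113.5 - - [11/Dec/2013:22:01:05 +0000] "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.5 - - [11/Dec/2013:22:01:06 +0000] "GET /admin HTTP/1.1" 403 "Mozilla/5.0"',
    '203.0.113.5 - - [11/Dec/2013:22:01:06 +0000] "GET /wp-admin HTTP/1.1" 404 "sqlmap/1.0"',
    '203.0.113.5 - - [11/Dec/2013:22:01:07 +0000] "GET /phpmyadmin HTTP/1.1" 404 "sqlmap/1.0"',
    '198.51.100.7 - - [11/Dec/2013:22:10:00 +0000] "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2013:23:45:00 +0000] "POST /login HTTP/1.1" 302 "Mozilla/5.0"',
]

# Constructed stand-in for a Tor exit-node list (assumption: in practice you
# would load the published list rather than hard-code addresses).
TOR_EXIT_NODES = {"203.0.113.5"}

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Return one parsed record, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method,
            "path": path, "status": int(status), "ua": ua}

def profile_sources(lines, tor_exits):
    """Build a per-source profile: volume, pace, errors, tooling, anonymization."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["when"])
        span = (recs[-1]["when"] - recs[0]["when"]).total_seconds()
        errors = sum(1 for r in recs if r["status"] >= 400)
        rate = len(recs) * 60 / max(span, 1.0)          # requests per minute
        agents = sorted({r["ua"] for r in recs})          # tooling "mannerisms"
        noisy = rate >= 30 or errors / len(recs) >= 0.5 or len(agents) > 1
        profiles[ip] = {"requests": len(recs), "tor_exit": ip in tor_exits,
                        "user_agents": agents, "error_ratio": errors / len(recs),
                        "req_per_min": rate, "label": "noisy" if noisy else "stealthy"}
    return profiles
```

The "noisy" thresholds are arbitrary choices for the sample; tune them against your own baseline traffic before using the label in triage.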

Economics and Underground Market Dynamics: This information is likely only available to the focused investigator or someone in a position to understand the end-game monetization of the attack.

  • How do they plan to monetize? Hosts, accounts, bots, spam, credit card #’s, code, exploits… self-contained attack or within the larger underground marketplace?
  • How do they engage with their intermediaries both up and down stream?
  • What are their alternate career opportunities? Do they have a way out? Hackers within some organized criminal gangs are “employed for life”...
  • What resources are they likely to have access to? Test labs, high-end software, attack testing on purchased vs. stolen resources?
  • How large is their immediate network of collaborators?
  • Where do their known associates exist in the underground marketplace?

Ideology and objective: This is visible in the overt or covert reason for the attack, and traditionally is called impact analysis.

  • What ideology or category of ideology are they advancing? Criminal, religious, nationalist, activist, anarchist, economic, social…
  • How committed are they? This can often be determined from the list above as certain motivations are more powerful than others.
  • What is their specific immediate objective?
  • How persistent will they be in the face of an active defense?
  • How much ego or bureaucracy (structure) can be observed? This can show how deeply they are integrated into a larger organization.

Personality: There are many indications of personality in attacks, and these are the questions that can help you understand the implications of that observed personality.

  • What might deter them?
  • What is their tolerance for risk?
  • What effect would a public statement to them have? Damage assessment or psychological deterrence?
  • What criminal psychological deviations may be involved?

These questions have all kinds of ramifications for the defender, and even informed guesses based on observed evidence can help you "think like a bad guy". For more information on how HP’s enterprise security products can help you defend your critical information, visit hp.com/go/espservices

Tags: Defense| HP| security