Reverse Deception: Organized Cyber Threat Counter-Exploitation (104 page)

Skill Level

A lot of attention has been paid to the level of skill a malicious online actor possesses. As discussed in
Chapter 4
, skill level plays an important part in attempting to build a taxonomy of different types of malicious online actors (see Rogers, 2005, for example). This makes sense, given that in APTs, skill level is an important profile signature of an attack and the people behind it. The attacker’s skill level also serves as a key indicator of the level of threat posed to other assets owned by the potential victim, as well as suggesting the magnitude of threat posed to the computing community at large.

A significant improvement on these efforts was put forth in a study by Donn Parker and fellow researchers, where they examine two theoretical characterization metrics: the skill set and level of skills possessed by the attacker, and the application of those skills to a specific attack event (Parker et al, 2004). Parker and his associates utilize information from the postattack analysis to fill in the details for these two attacker characteristics. They suggest evaluating the ease with which the tools used for the attack are deployed. Someone who is an expert on the theory and mechanics of a particular tool is likely to use it in a more efficient and elegant manner than an attacker who is not so familiar with the tool. There are likely to be fewer mistakes and misapplications of the tool by individuals who are well acquainted with its methods and mechanics.

The availability of the tools used in the attack is also important, as Parker notes. The suspected distribution frequency of the tools gives the analyst an idea of the size of the potential pool of suspects. If it is a tightly held or rarely seen tool, then its distribution may also be highly restricted. In the case of rare tools being used, the enhancement of the skill analysis with a social network analysis may help illuminate the pathway that the tools have taken and highlight individuals who may have come into possession of those tools. Parker and his associates also suggest that skill levels required for the attack may be mitigated by other contextual or situational factors. For example, if the attack comes from inside the targeted network or organization, then the skills necessary to pierce the organization’s external firewalls and security systems may not be necessary for the attack’s successful outcome.

Finally, Parker and his associates suggest that more advanced adversaries may deploy feints or diversions that indicate a less competent or skilled adversary. The intent of these activities may be to obfuscate the true skill level of the attacker or to bury the APT within a cloud of more numerous, less skilled, attack traffic.

Consistent with this multidimensional approach is the idea of separating the skill level of the individuals responsible for the attack into a number of interrelated factors. These factors include, but are not limited to, the following:

The platform under attack

An enumeration and assessment of the sophistication of the different tools that were or likely to have been used in the construction of the attack

The depth and sophistication of any preattack reconnaissance

The presence and sophistication of any social engineering tactics used

The presence or absence of feints, diversions, or deliberately planted evidence trails

The level/sophistication of the efforts deployed to cover up evidence of the attack and/or intrusion

Making the effort to produce this complex attack signature provides several benefits to the defenders. First, it provides a signature that can be used and compared against other attacks to assess the likelihood that the attacks are either directly or indirectly linked. Second, the attack signature can be compared to multidimensional skill level characteristics of malicious online actors (with known or unknown identities) present in a database. This assumes that a previous concerted effort has been made to gather intelligence and data on the skill levels of malicious online actors in the areas addressed by the attack signature. Proactively building and updating a comprehensive database of these individuals and their skill characteristics is a forward-looking strategy that may have significant benefits and payoffs in linking specific actors to specific attacks. Such a database may also provide a foundational basis for gathering intelligence in other relevant areas.

One source of data for this skill and tool utilization database is the information extracted from postattack analyses. In this case, skill levels, tools utilized, presence or absence of feints, level of skill deployed in covering up the attack, and other factors can be attached to tables within the database that use specific attacks as the basic unit of analysis.

A second and perhaps even more important source of data for this profiling database is the rich and detailed data that can be accumulated from text-based intelligence. Data sources that can be useful in building this dimension of the profiling database include conversations gleaned from IRC chat forums, text-based materials from websites that belong to individual hackers or hacking groups, and legally obtained e-mail communications. Intelligence can also be gleaned from visual materials by closely examining photos or video posted on individual or group websites. Books, manuals, empty software boxes, CD labels, and other items shown in these photos and videos can be useful in determining possession of specific skills on specific platforms.

One issue that often comes up when dealing with the use of self-reported claims of skill and expertise is the bias in self-reported skills. Fortunately, when the researcher understands the nature and consequences of the strong meritocracy that exists within the hacking community, it becomes clear that the self-report skill-based information acquired online, especially in places like IRC chat rooms, is probably a reasonably accurate assessment of the individual’s actual skills. An attempt by an individual to claim skills that he does not have will almost always be challenged by other individuals within the hacking group or social network.

Overstating or misleading others in the community about one’s skill level is a serious norm violation in a strong meritocracy. Such claims will almost always result in attempts by other individuals within the violator’s social network to engage in social-control statements and actions to let the individual know he has violated a core community norm. These social-control actions might come in the form of text-based attacks on the violator in an IRC chat room, directly challenging the skill and expertise claims that the violator has made. Members of the community may also post derogatory comments about the violator on other lists or websites. Continued violation of this norm may lead to more aggressive social-control behaviors, such as efforts to compromise the violator’s personal computer or network as a shaming mechanism. Continued attempts to claim unearned expertise may lead to the expulsion of the violator from the hacking gang. Thus, claims of expertise within hacking groups are not taken lightly.

In the case of criminal gangs, where some of the individuals are members of more traditional organized crime elements, overstated claims of skill and expertise in technical areas may temporarily escape retribution due to the fact that these criminal outsiders often do not possess the technical expertise to quickly uncover the misleading information. However, if the overstated skill claims result in the repeated failure of the claimant to produce successful outcomes in the criminal venture, the reaction of the traditional criminal element of the gang may be much more unpleasant than the hazing performed by typical hackers. Also, over time, a small but important group of criminal outsiders may have gained the necessary technical expertise. This event may short-circuit some of the issues surrounding the skill gap between members of the hacking community and more traditional criminal outsiders.

In any case, understanding the strong meritocracy of the community assists the profiler or analyst in determining which pieces of skill-related information have a high, medium, or low level of validity. Those skill claims that are exposed to the scrutiny of the group member’s peers and skill superiors are likely to be fairly accurate. Those claims of expertise that have not been similarly exposed to others who know the claimant are more apt to be suspect in terms of validity.