Read an Excerpt
Blackhatonomics
An Inside Look at the Economics of Cybercrime
By Will Gragido Daniel Molina John Pirc Nick Selby Andrew Hay
ELSEVIER
Copyright © 2013 Elsevier, Inc.
All right reserved.
ISBN: 978-1-59749-976-7
Chapter One
Psychological and Cultural Trends
CONTENTS
Introduction 1
Psychology of
Attackers 2
Some Background on
Cybercrime Legislation 2
Enter the Hackers 3
Psychology of
Victims 5
It's Not the Crimes
That Are New, It's Their
Execution 6
Attackers' Familiarity
with Human
Psychology 7
We All Want to Help 7
The Recruitment
Spreadsheet Gambit: RSA
Security 7
The Idiot in the Window
Affair: HBGary Federal 8
Motivations and
Event-Driven
Trends 8
Politically Motivated
Attacks 9
Philosophically
Motivated Attacks 9
Financially Motivated
Attacks 9
References 9
INFORMATION IN THIS CHAPTER:
* Psychology of Attackers
* Psychology of Victims
* Attackers' Familiarity with Human Psychology
* Motivations and Event-Driven Trends
INTRODUCTION
When the average nontechnical person reads the newspaper and sees stories about Chinese hackers launching cyber espionage attacks against U.S. chemical companies, the whole thing sounds, frankly, a little Mission: Impossible. As they extend their arms and rapidly curl their index and middle fingers while they say the word spies or espionage, we can almost hear the air-quoted wink as Fortune 500 executives discuss the subject.
The second decade of the 21st century has seen rapid and highly disruptive technical innovation. However, the reason for the prevalence and success of cybercrime is not technical, but rather psychological and cultural: Generally speaking, we have not adapted quickly enough to see (let alone believe) the vulnerabilities that have been created by our intense reliance on the Internet and our constant connectivity to it.
Criminals, though, as they have historically, have quickly adapted to the new and improved Web speed of crime.
At the same time, we have observed that the gulf between the mindset of the attackers and the mindset of the victims symbiotically creates a perfect storm, which is peculiar to this specific moment in history. Never before have the speed of technological advancement, relative slowness in crafting and adopting new legislation, and psychology of criminals and victims combined to create an atmosphere that so encourages and rewards an illegal activity.
In this chapter, we'll examine these vulnerabilities, and the cultural and psychological barriers that prevent us as a society from taking more serious action. This is probably the least technical chapter in this book, but it sets the stage for the cyber attackers we describe later to enter our lives and our companies, and to so successfully relieve us of the intellectual property which, until recently, created the barrier to competing with Western, specifically American, high-technology firms.
PSYCHOLOGY OF ATTACKERS
We can think of few criminal enterprises in which the risks are so low and the potential rewards are so high than that of cybercrime. In this book, when we speak of hackers we are speaking of professional criminal hackers, or those hired by them and acting on their behalf.
Some Background on Cybercrime Legislation
It's a great time to be a cybercriminal: Not only have the laws of most countries not yet caught up with the technology (let alone the crime), but the politics of creating cybercrime laws are mired in a power struggle between agencies in single countries, and are stuck in an absolute gridlock when more than one country is involved. For the past several years, the FBI has struggled in turf wars with other federal, state, and local agencies to reign dominant in the investigation and prosecution of cybercrimes, while other, arguably more capable and proactively talented agencies, such as the United States Secret Service and U.S. Marshals Service (and some agencies which might be simply more contextually appropriate, such as the U.S. Postal Service), are left to fight for table scraps at the budgetary banquet. Simply put, no lawmaker understands this stuff enough to argue very effectively for or against anything yet.
Lastly, it still just isn't very sexy to sponsor cybercrime legislation. Constituents do not yet have the situational awareness necessary to rally behind it, let alone demand it, or they are too caught up in fixing physical infrastructure problems to care much about this "exotic" and seemingly remote problem: To them, cybercrime is the stuff of movies, or something that happens to someone else.
Even a cursory glance through proposals over the past couple of years to strengthen cybercrime law reveals a range of ineffectual options: from the overly broad and relatively meaningless National Security Council Strategy to Combat Transnational Organized Crime to congressional folks of one flavor or another baying for "tougher" "cybercrime" "Legislation". For the most part, these proposals fall into the knee-jerk category of "Oh, crud, some of my constituents got cyber-robbed and I had better get something done, dammit." This means we get some real whirligig doozies of cyber stinkers, usually centered on the completely false premise that lengthening sentences for computer intrusions is worth doing. It is not. There are laws against hacking, and they come with stiff prison sentences. The problem is not the deterrent nature of the prison sentence, but simplifying the process of establishing the facts of a cybercrime case, articulating the crime and the accompanying mental state of the perpetrator to a jury, and getting the jury and the judge to understand that (a) a crime took place and (b) that guy in the defense dock did it—provided anyone could identify the defendant and that the jurisdictional fruit salad cooperated enough for him to be sitting in court.
No, the problem is not that the sentences are insufficiently severe. The problem is that no cops other than a small number of feds are empowered, prepared, and trained to investigate cybercrime. These numbers are so small that simple resource-based triage means less than 0.01 percent of cybercrimes are even investigated, let alone prosecuted.
Cybercrime legislation, therefore, is not being driven by demands by judges and juries and prosecutors and cops and city officials and stakeholders for better clarity into the issues and better tools with which to do the job. It is being driven by chest-pounding lawmakers seeking to "do something" about the problem.
Enter the Hackers
Against this backdrop, and keenly aware of their unique moment in history, are gangs of professional cybercriminals, most commonly referred to as "hackers," and state-sponsored entities whose sole mission is to disrupt the commercial infrastructures of enemy countries. Previous books on hackers and hacking tended to get weighed down by the personality traits of hackers—depicting mainly male, acne-faced teens and young adults dressed in black and perpetrating their crimes in black-lit rooms of various types. This has long ceased to be the case; in fact, it is a cliché to say that the days of sport hacking and attraction to hacking's seductive subculture have ended, replaced by an industry that exploits computer application vulnerabilities to allow establishment of presence on a network for the purpose of stealing intellectual property.
So, in this book, we're going to talk about the hackers who typically face large corporations. They are well financed, are organized, and have either analyzed the salability of the information they pilfer or are controlled by a government-sponsored group or organization. In fact, as we will discuss later, from the victims' standpoint it really doesn't matter whether the attackers are government, private sector, independent, or affiliated: They are among the group of people who understand, as David Etue so succinctly put it, that $10 million spent on hacking that steals $1 billion of R&D is a good deal.
Hacking has become the shortest distance between the intellectual property assets you have and those you want, and whether your hacker seeks glory, political advantage, philosophical or religious statements, or cold, hard cash, the psychology of today's professional hacker is merely that of the pragmatist.
They will never send in the A-team if the B-team or C-team can do the job less expensively and as effectively. They will never mount a single campaign when two or three or more can be launched simultaneously. They will never use a previously unseen attack if an oldie-but-goodie gets the job done. In fact, they will always seek the simplest undetectable attack, and then move to quickly understand and then totally dominate the target environment, until they have extracted their quarry and can leave the network. They prefer to do this undetected, but aside from some tactics, being detected by the victim is not a game-changer.
By dominating the Dynamic OODA loop of their victims, the attackers can play endless rounds of whack-a-mole at a very low cost, all the while understanding the cost to their victims in treasure, patience, stress, and professional relationships. Attackers take advantage of the fact that they often understand the playing field—that is, the network that is under attack—better than its owner. In fact, most contemporary and sophisticated attacks rely on the stability of the network to turn single attacks into data-theft endeavors that are long lasting and profitable for the attackers.
Since total dominance followed by exfiltration of the desired data is the goal, prior methodologies of understanding hacker motivations should be superseded with the concept that, if you're determined (for political, philosophical, theological, or financial reasons) to turn to crime, there's plenty of encouragement to make yours a cybercrime.
A former Microsoft employee and former FBI agent once stated it best: "If you commit a cybercrime, there's almost no chance you're going to be caught. If you are caught, there's almost no chance you're going to be prosecuted. If you are prosecuted, there's almost no chance you're going to be convicted. If you are convicted, there's almost no chance you'll serve the full sentence."
Police-Led Intelligence's Dave Henderson, a 15-year veteran police officer, cyber investigator and fugitive hunter, has said it even more succinctly: "If you're a reasonably intelligent criminal, you do the math. You can knock over a 7-Eleven or a bank [and] net three grand and a really good shot at an aggravated felony charge, or you can commit a cybercrime, net 100 times that, and if you're caught, stand a real good chance of doing no time whatsoever—because the cops aren't going to understand what happened and the feds are going to triage your crime out of their workflow." Throw in a single international hop into your attack, and the odds of capture diminish logarithmically toward zero.
If all that is true—and as investigators, incident response consultants, and police officers, we aver that it is—there's almost no reason for any self-respecting, reasonably intelligent criminal not to resort to cybercrime.
In addition, and this is the most important point to understand in this section on the psychology of the attacker, there's no reason for your attacker to go anything less than full bore. Armed with the knowledge that they are effectively immune from prosecution, professional cybercriminals are bold, audacious, relentless, remorseless, and utterly devoid of sympathy for their victims.
PSYCHOLOGY OF VICTIMS
On the other side of the chessboard sit the victims, who are as keenly unaware of their moment in history as the attackers are aware of it. Because so many of the most disruptive advances in technologies available to users have occurred on the server side, or back end, of the user experience, to users, detecting the full implications of these revolutionary technological changes is very difficult.
Consider, for example, that to the typical user of technology in a large enterprise, the entirety of the user experience is done through a Web browser, Microsoft Office, Outlook e-mail, and the occasional internal application. To this user, the fact that the browser is the gateway to a world of synchronous backup and server-side magic is totally invisible—and this is exactly the way it is supposed to be! And because most of the interactive work completed by this typical enterprise user consists of invisibly accessing massive stores of data, the user is almost entirely unaware of the power that his or her little terminal might afford an attacker.
(Continues...)
Excerpted from Blackhatonomics by Will Gragido Daniel Molina John Pirc Nick Selby Andrew Hay Copyright © 2013 by Elsevier, Inc.. Excerpted by permission of ELSEVIER. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
