June 05, 2012

A great paper has been posted online detailing the social dynamics of hackers, authored by Thomas Holt and Max Kilger of the Honeynet Project.  The paper is worth a read for many reasons, but, in our opinion, its most useful contribution is the suggested taxonomy for “The Distribution of Skill in the Hacker Community.”  This taxonomy closely reflects what we’ve seen in our own hacker research.  Most notably, we identified this structure in our February 2012 report detailing a hacktivist attack.

Here's the taxonomy:

[Figure: pyramid showing the distribution of skill in the hacker community]


The question we asked upon reading the paper:  What does this hierarchy mean for your defensive strategy?  Here are Tal’s recommendations:

  • Hacker type:  Unskilled hackers
    • Attack style:  Use existing tools "as is" with no changes. 
    • Defensive strategy:  Constantly updated negative security model (i.e., signatures) to identify known exploits.
  • Hacker type:  Semi-skilled hackers
    • Attack style:  Use existing tools, but with some "mix and match" ability.
    • Defensive strategy:
      1. Anti-automation – to identify the use of the tools, regardless of their specific functionality.
      2. Online updating reputation services – to automatically learn from the experience of others in a timely manner.
  • Hacker type:  Skilled hackers
    • Attack style:  Use genuinely new exploits and tools.
    • Defensive strategy:
      1. Scanner integration to hot-patch application-specific vulnerabilities – even the best hacker cannot exploit a nonexistent vulnerability.
      2. Positive security model (i.e., profiling) that mitigates previously unknown threats by detecting anomalies.
      3. Advanced correlation engines that incorporate both positive and negative security models.
      4. Research team to envision, explore and analyze emerging exploits and threats.
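
To show how the models in this list divide the work, here is an added Python sketch (not code from the post or from any Imperva product) that runs a signature list (negative model), a profile learned from known-good traffic (positive model) and a per-client request budget (anti-automation) over constructed sample requests, then correlates the verdicts. The signatures, IPs, paths and parameter values are all made up for the illustration.

```python
import re
from collections import Counter, defaultdict

# Negative model: signatures for known exploit patterns (illustrative rules, not a real rule set).
SIGNATURES = {"sqli": re.compile(r"(?i)union\s+select"), "xss": re.compile(r"(?i)<script")}

def negative_model(params):
    # Known-bad matching: catches tools used "as is", misses anything novel.
    return sorted(n for n, rx in SIGNATURES.items() for v in params.values() if rx.search(v))

def char_class(value):
    return "digits" if value.isdigit() else "alpha" if value.isalpha() else "other"

def learn_profile(training):
    # Positive model: per (path, parameter), the value classes seen in known-good traffic.
    profile = defaultdict(set)
    for _ip, path, params in training:
        for name, value in params.items():
            profile[(path, name)].add(char_class(value))
    return profile

def positive_model(profile, path, params):
    # Anomaly detection: an unseen parameter or an unseen value class is suspect, signature or not.
    return [f"{name}:outside-profile" for name, value in params.items()
            if char_class(value) not in profile.get((path, name), set())]

def anti_automation(requests, threshold):
    # Anti-automation: clients exceeding the request budget, whatever their tool does.
    return {ip for ip, n in Counter(ip for ip, _, _ in requests).items() if n > threshold}

def correlate(profile, requests, threshold=5):
    # Correlation engine: union of the three models' verdicts for each request.
    noisy = anti_automation(requests, threshold)
    verdicts = []
    for ip, path, params in requests:
        reasons = [f"sig:{s}" for s in negative_model(params)]
        reasons += [f"anomaly:{a}" for a in positive_model(profile, path, params)]
        if ip in noisy:
            reasons.append("automation")
        verdicts.append((ip, path, reasons))
    return verdicts

# Constructed sample traffic (IPs, paths and values are made up).
TRAINING = [("10.0.0.1", "/item", {"id": "42"}), ("10.0.0.2", "/item", {"id": "7"}),
            ("10.0.0.3", "/search", {"q": "shoes"}), ("10.0.0.4", "/search", {"q": "boots"})]
TEST = [("10.0.0.9", "/item", {"id": "1 UNION SELECT 2"}),    # known payload: signature and anomaly
        ("10.0.0.9", "/item", {"id": "42' novel_payload"}),   # no signature, but not a digit string
        ("10.0.0.5", "/search", {"q": "sandals"})]            # legitimate
TEST += [("10.0.0.8", "/item", {"id": str(i)}) for i in range(6)]  # scripted burst of benign-looking requests
```

Running `correlate(learn_profile(TRAINING), TEST)` shows the division of labour: the signature alone catches only the first request, the profile also catches the novel payload, and only the request budget flags the burst whose individual requests look legitimate.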

Some technology observations:

  • Most antivirus vendors focus on stopping unskilled hackers and some semi-skilled ones.  This is why antivirus is failing us today.
  • IPS/IDS only address the lowest tier, which is why hacktivists have been successful at breaching applications and taking data.
  • Some technologies, such as a good WAF, should cover the whole spectrum.


Posted by Imperva Blogger at 12:50:42 PM