A great paper has been posted online detailing the social dynamics of hackers, authored by Thomas Holt and Max Kilger of the Honeynet Project. The paper is worth a read for many reasons, but what we like most is their suggested taxonomy for “The Distribution of Skill in the Hacker Community.” This taxonomy very much reflects what we’ve seen in our own hacker research. Most notably, we identified this structure in our February 2012 report detailing a hacktivist attack.
Here's the taxonomy diagram from the paper:
The question we asked upon reading the paper: What does this hierarchy mean for your defensive strategy? Here are Tal’s recommendations:
- Hacker type: Unskilled hackers
  - Attack style: Use existing tools "as is" with no changes.
  - Defensive strategy: Constantly updated negative security model (i.e., signatures) to identify known exploits.
- Hacker type: Semi-skilled hackers
  - Attack style: Use existing tools, but with some "mix and match" ability.
  - Defensive strategy:
    - Anti-automation, to identify the use of the tools regardless of their specific functionality.
    - Online-updating reputation services, to automatically learn from the experience of others in a timely manner.
- Hacker type: Skilled hackers
  - Attack style: Use genuinely new exploits and tools.
  - Defensive strategy:
    - Scanner integration to hot-patch application-specific vulnerabilities; even the best hacker cannot exploit a nonexistent vulnerability.
    - Positive security model (i.e., profiling) that mitigates previously unknown threats by detecting anomalies.
    - Advanced correlation engines that incorporate both positive and negative security models.
    - Research team to envision, explore and analyze emerging exploits and threats.
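As an added illustration (not code from the paper, the post, or any product) of why the recommendations above stack a positive security model on top of a negative one, here is a small Python sketch: a signature list catches a known tool payload, while a profile learned from clean traffic for a constructed numeric `id` parameter flags a value the signatures have never seen. The signatures, training values and test values are all constructed for this example.

```python
# Negative (signature) versus positive (profile) security models, as an
# added example; sample requests and signatures are constructed here.
import re

# Negative model: patterns for known tool payloads (constructed examples).
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script")]

def negative_model(value: str) -> bool:
    """True if the value matches a known-bad signature."""
    return any(sig.search(value) for sig in SIGNATURES)

def learn_profile(samples):
    """Positive model: learn the character set and maximum length
    observed for a parameter during a clean training period."""
    charset = set().union(*(set(s) for s in samples))
    return {"charset": charset, "max_len": max(len(s) for s in samples)}

def positive_model(value: str, profile) -> bool:
    """True if the value deviates from the learned profile (anomaly)."""
    if len(value) > profile["max_len"]:
        return True
    return not set(value) <= profile["charset"]

def classify(value: str, profile) -> dict:
    """Run both models and a minimal correlation rule: block on either hit."""
    neg = negative_model(value)
    pos = positive_model(value, profile)
    return {"signature": neg, "anomaly": pos, "blocked": neg or pos}

# Constructed clean traffic for a numeric "id" parameter (training period).
TRAINING = ["1", "42", "1337", "7", "250"]
ID_PROFILE = learn_profile(TRAINING)

if __name__ == "__main__":
    # Benign value, a known payload, a payload no signature covers,
    # and a benign value longer than anything seen in training.
    for v in ["42", "1 UNION SELECT 1,2", "1' OR 'a'='a", "99999"]:
        print(repr(v), classify(v, ID_PROFILE))
```

The last value shows the trade-off: the profile flags a legitimate but unusually long id, which is why the profiling model needs a representative training period and correlation with the other signals rather than standing alone.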
Some technology observations:
- Most antivirus vendors focus on stopping unskilled hackers and some semi-skilled ones. This is why antivirus is failing us today.
- IPS/IDS only address the lowest tier, which is why hacktivists have been successful at breaching applications and taking data.
- Some technologies, such as a good WAF, should cover the whole spectrum.