The Hacker's Profiling Project
The Hacker's Profiling Project (HPP) began between 2003 and 2004, due to a combination of events. First of all, one of the authors of this book, Raoul Chiesa, started getting involved in criminal profiling. Italian authors such as Picozzi, Zappala, and Lucarelli fascinated him, and when taken in conjunction with John Douglas' analysis methods, mentioned at the beginning of this book, he started seeing definite links and analogies with the world of hacking.
The second triggering factor was a lecture he gave during a criminology master's course held by UNICRI, where "the first Italian ethical hacker" (as Raoul Chiesa is described by national and international media) found among his students Stefania Ducci. Stefania was intrigued and started looking into computer crime and hacking in particular. At the end of the lesson, she contacted Raoul and, in the months that followed, she devoured all the literature on the subject she could lay her hands on.
A thorough online search began, looking for models of hacker profiling as they saw and understood it. But nothing of that nature existed; there were only fragments of the concept of what a hacker is, with reference to criminology. All they could find was purely criminological research, where the assumption is that a hacker is by definition a criminal, technological studies such as the Honeynet Project, or studies dealing with the social or psychological side. The problem all these studies had in common was that none of them made the connections among the different points of view, approaches, and backgrounds.
The HPP was created with one first fundamental rule: don't judge, but analyze. Link up information and sources of widely different origins, open up to the underground communities, and listen, analyze, and finally offer a view, an interpretation, and a profiling model that will be based on years of research, experience, and passionate interest.
The HPP Working Group (WG) firmly believes in what it is doing, and the results obtained to date confirm our intuition. The WG is made up of hackers (obviously, in all senses of the term), criminologists, psychologists, and sociologists, all contributing their experience and wanting to put their research project into practice in the field. The HPP has grown over the last two years, but we feel we are still in the start-up phase.
The sections in this chapter show in detail the single steps that make up the project. However, we must point out from the start, to avoid any disappointment, that at the moment we are at the beginning of Phase 3 of the project, whereas the planning of Phase 4 will begin as this book is about to be published. In a nutshell, we can say that what we are trying to do is "analyze the problem of cybercrime using a totally different approach from what was used in the past, going directly to the source."
The HPP project has the following main objectives (Table 4.1):
- Analyze the hacking phenomenon (technological, social, and economic) in all its aspects, using both a technical and a psychological approach.
- Understand the various motivations, and identify the various players involved.
- Observe (real) criminal acts "in the field."
- Apply profiling methods to the data collected.
- Learn from the information acquired and spread the information.
The sections that follow will show how we mean to fulfill these objectives by analyzing in detail each step of the HPP project.
The Planning Phase
HPP is based on purely voluntary contributions of time and personal means by the researchers involved in the project. This is important to recognize so that the reader can understand the timing of the entire project. The schedule that follows summarizes the planning of HPP, and the next one will illustrate the situation at the time of going to print. These are the first two phases, which took place in parallel from 2005 to 2007 (and will continue as "ongoing input" to bolster the method and its dissemination). The third and fourth phases are in progress at the moment and will get to the heart of the matter only next year. In 2009, further steps will be taken to finish the project within the next three years.
Phase 1: Theoretical Data Collection
During the first phase, the main objective was preparing and distributing a questionnaire tailored to the world we were about to explore: the hacker underground.
The methodology used, as we will show in detail in the next section, had to be different from the "standard approach," and preparation of the questionnaires was a painstaking process, starting out first with three distinct documents and finishing with the present set, made up of two types of questionnaires with three different channels of distribution and dissemination.
In Table 4.2, the planning phase is defined as "completed/ongoing." This means that the planning of the questionnaire has been concluded, but it continues as a parallel task; in other words, it can be modified, integrated, and improved if necessary. Meanwhile, distribution will carry on, and so will the analysis; we daily receive questionnaires, suggestions, and advice from people who didn't know us and who learned of our project through conferences, events, simple word of mouth, or articles published online, or who read about us on a friend's blog. After reading this book, someone probably will fill out and send us the questionnaire. That's why we describe this step as a "continuous-input" phase.
What we were looking for with Phase 1 of the HPP was a solid foundation on which to base our research, starting out with the "commonly recognized" nine categories of hackers. In this way, it became possible to eliminate one category right from the start of the first two phases of the project, the so-called "37337 K-rAdiRC #hack 0-day exploitz" guy, which nowadays can be covered by script-kiddies. It also became possible to add a new one, the military hacker, or hackers in the service of the armed forces of various countries. This "discovery" was due to two main factors: a careful study and selection of public and confidential texts and literature, which directly or indirectly proved the involvement of hackers in military activities, and also personally meeting people who were or still are in this type of profession during conferences and foreign hack meetings.
As we have repeatedly said during the official presentation of HPP and in articles and interviews given to the media following the official launch of the project by ISECOM (June 2006), HPP is not based on the questionnaires but rather wants to use them as a starting point to verify whether this knowledge base really gives a true picture of all the different categories of hackers.
As already stated, criminal profiling starts drawing a profile by examining established general profiles, ideas, and concepts, and in this way arrives at the profile of a specific individual. In the case of hackers, though, as there are no predefined models yet, given that this is still a largely unexplored field which is still in evolution, the opposite process had to be followed. Therefore, we started from a study of individual hacking cases and single hacker profiles we had produced on the basis of the literature available on the subject so as to develop one or more general models and profiles, which could then be applied to different types of hackers.
In other words, we started from the specific to develop the general. These general models and theories will allow us to process and perfect single criminal profiles, just as in all present cases of criminal profiling.
The data obtained from literature on real hacking cases and from the questionnaires (inductive method) will be cross-referenced with data obtained from the "crime scene" (deductive method), producing, by means of a "hybrid" method, one or more criminal profiles.
In order to do this, the questionnaires were distributed through targeted research partners selected on the basis of criteria that were strategic to the study itself, and with the help of members of the digital underground who are actively participating in HPP. As you will see in the section explaining how the questionnaires were prepared, the approach chosen for the project proved to be fundamental, as did the cooperation between the various participants, some clearly coming from the underground (hackers) and others who were more "traditional" researchers (psychologists, criminologists, legal experts), each with their individual way of life. The sum of all these factors, quite an explosive mix, has led to the first important results.
Even though these are "just" questionnaires, the HPP core team believes that the results to date, together with the planning and dissemination methods used, are a definite step forward in observing and understanding the world of hacking, which is truly a phenomenon of primary importance that has been underestimated and partly misunderstood in the last few years. It has many facets and has much to contribute to the information and communication society (for better or for worse, some might add).
Phase 2: Observation
The key word for the second HPP phase is "observe." Observe, in the field, the category we are discussing: hackers. Observe them in their ideal environment, their conferences.
Here, too, the core team had to carefully think through the correct approach, methodology, and strategy to use. First of all, it was decided that we had to be present from the inside, taking part as speakers at these events, and never as "visitors." This allowed us to be present on the same footing as the other participants and not as wannabes.
Our second choice was that of aiming for a comprehensive, international view, so we covered European, North American, Asian, and Australian events. The third factor was choosing to take part in both declaredly underground events and in slightly (not officially) commercial ones that were still representative and a meeting point for local communities in certain countries or geographical areas.
For all these reasons, we attended a series of events with rather self-explanatory names such as "Hack in the Box," "NoConName," "Hack.lu," "IT Underground," "OpenExp," "PH Neutral," "CCCmeetings & ChaosDays," "Confidence," and "0Sec," plus other more "traditional" market-related ones such as Eurosec, ISACA meetings, IDC, InterOp, and Ticino Communications Forum.
The idea was to identify and establish what relations exist between the more famous speakers from the international security underground and look at their "official" relations during conferences and updating sessions, which are distinct from the official or unofficial meetings within the hacker community.
In all these cases, the core team was represented principally by Alessio Pennasilico, Elisa Bortolani, and Raoul Chiesa as de facto members of the underground community, where relational behaviors certainly deserve their own analysis.
Phase 3: Archiving
As already stated, this phase will enter into full force during 2008 and 2009, and it is the most difficult step. Setting up a database for the distributed analysis and correlation of the questionnaires was not complicated as such; the fields necessary for the database were planned and defined, as were the security policies and data management. Then, the questionnaires received (and those submitted through a consolidation and validation-check routine) were entered in the first database. The real problem was the approach to follow for the honey-net database.
On the one hand, as we will see in the next section, the main difference from the key concepts of a "standard" honey-net that the WG had to deal with was the different approach: not how, but why, and who; the motives underlying the attack, and not simply the intrusion techniques. This meant splitting the planning phase into two subsections: the fields of the questionnaire on one side and a "protean monster" that keeps changing shape on the other. We call it a "monster" because we believe that the structure of the second database is part of the core of the project; each single action, behavior, modus operandi, signature, style, difference, and anomaly was covered and included in the database (DB) so as to allow maximum flexibility during the post-incident analysis.
In our case, we deliberately decided to go further and challenge the so-called science of computer forensics, until we could find statistically and objectively more advanced models, relying on the methods and experience of computer forensics only for collecting the technical evidence.
Phase 4: "Live" Data Collection
The fourth phase consists of setting up the systems on new-generation, highly tailored honey-net networks.
What do we mean by "new generation"? Up to now, the minimum common denominator of honey-net systems was the fact that they supplied the analyst with raw data exactly as intercepted from (and typed in by) the intruder, which would then be interpreted with the use of dedicated tools. A sort of "balcony view" of the computer-crime scene, watching firsthand what the attacker was doing as it was happening. Let's face it: it's a dream scenario for a criminal profiler.
The Honeynet.org project was set up a few years ago by Lance Spitzner, a well-known information security (IS) guru. Today, it covers 23 countries, has a considerable number of research partners, and, more importantly, analyzes the activities of intruders in the field. All this leads to various results:
- Identify and analyze attacks based on vulnerabilities and exploits, viruses, and 0-day worms.
- Analyze the modus operandi of the attacker.
- Observe attack trends.
- Forecast attack trends on the basis of geography, economics, and local spread of IT.
- Demonstrate "in the field" the speed of system violation according to its operating system.
As for HPP, the structure of the database registering the information received from the honey-nets we will implement will be finished in 2008 and will be operational in 2009. We'd rather not add anything more on the subject, as this is one of the "hot activities" of the project.
Phase 5: G&C Analysis
This phase will involve strong gap-analysis activities, in the purest risk analysis (RA) tradition, joined with a correlation of the data collected through the questionnaire and held in the database with the data collected from the honey-nets, comparing it all with the profiles obtained from the literature on the subject.
This work is necessary to "whittle down" our profiling method, allowing us at the same time to cross-check it with historical, literary, psychological, criminological, and field work information. The final objective is the creation of a pilot model that can be fine-tuned in the next phase.
Phase 6: HPP Live Assessment (24/7)
The third-to-last phase covers a final assessment of the profiles and a strict correlation with the modus operandi derived from the data obtained in Phase 4, a de facto application in the field of the profiling model previously defined.
This is an extremely important and critical step, as it will allow us to understand and see with our own eyes whether our methodology is valid. We have called this step "live assessment," as our intention is that of placing HPP in the field, applying it to real live cases in existing companies and functioning IT structures.
Phase 7: Final Profiling
The seventh phase of HPP is a last revision and a final fine-tuning of the profiles previously used as de facto standards, thanks to the results obtained up to this point.
We will then be able to define hacker categories, and we will probably witness the official birth of new categories that are already under study by our analysts at the moment but haven't yet produced enough material to allow a clear description of them.
Phase 8: Dissemination of the Model
The last step of the project will be the final processing of all the data gathered and, more importantly, we will start to lay down the HPP methodology. This is our final objective: to make available to the world at large a free profiling methodology that can be applied to computer crimes.
Our hope is that once the HPP method has been publicly released, there will be a general increase of awareness among all the stakeholders in the information security sector, from the smallest to the largest, which will produce new thoughts to be pondered and analyzed and a new kind of consciousness in all those who not only use the Net (and computer science in general) but to all intents and purposes "live" it.
About the Author