By Tim Wilson
MARCH 29, 2007
"If you know the enemy and you know yourself, you need not fear the
result of a hundred battles." -- Sun Tzu, The Art of War
"Who are those guys?" -- Paul Newman, Butch Cassidy and the Sundance Kid
You fight against them every day: hackers, attackers, insiders. You know
what they do, but not who they are. They are often nameless, usually
faceless. You'd like to be able to guess their next move, but that can
be pretty difficult when you don't even know what motivates them or why
they're attacking you.
Is there a way to "profile" a hacker, the way the police might profile
an arsonist or a serial killer? Not exactly. But quietly, a collection
of university researchers and law enforcement agencies has been
developing a taxonomy of the hacker community, much as an entomologist
studies and classifies insects. And police and security experts hope
that taxonomy will eventually help them identify and root out the
"To address the problems created by hackers, it is apparent that we need
more than just technical controls," says Marc Rogers, a professor at
Purdue University and author of the industry's most widely-used taxonomy
of the hacker community. "We also need to start understanding the
individuals behind the attacks."
The effort to understand the psychology of hackers and attackers is
nothing new. Psychological studies of "phone phreaks" can be found as
far back as the early 1980s, and MessageLabs is publishing a study on
internal "company devils" today. The idea behind most of the studies is
the same: to break the stereotype of the hacker as a socially-inept male
teenager sitting behind a PC in his parents' basement.
There is no single profile of a hacker, inside or outside the company,
Rogers says in the most recent update of his taxonomy paper. In fact,
the idea of lumping all hackers into a single group is "analogous to
attempting to understand criminal activity by lumping the entire
spectrum of traditional criminals (i.e., shoplifters to homicidal
psychopaths) into one generic group," he says. "The idea seems
ludicrous, yet this is what we are currently doing with the criminal
domain of computer crimes."
There has been a "huge shift" in hacker profiles in the last few years,
as motives shift from curiosity to financial gain, says Rogers, who has
worked with law enforcement agencies on hacker profiling and computer
forensics. But security managers should be wary of oversimplifying the
new threats as well, he advised.
"For years, vendors treated the 'cyber-punk' as the boogeyman, and they
built at least some of their business on the fear that some brilliant
teen would launch a virus," Rogers says. "Now some of them are painting
organized crime as the boogeyman, spreading this notion that the Russian
mafia is out to get every business."
In reality, there are lots of different types of attackers, Rogers
states. His taxonomy breaks them up into eight different categories,
each with different characteristics and motivations. The taxonomy is
frequently used by law enforcement agencies and other researchers as a
starting point for profiling computer attackers. "It's a long way from
perfect, but I wanted to give people something to shoot at," he says.
1. The Novice
Sometimes called "script kiddies," members of this group are typically
young, with limited skills, and their primary motivation is thrill seeking
and ego stroking. In order to prove their worth, they attempt to "rack up"
trophies, often using pre-written software.
2. The Cyber Punk
This group comes closest to fitting the traditional view of the hacker
-- young males with some skills and programming capabilities with a
desire for attention and, sometimes, monetary gain. They typically
choose high-profile targets, and they often choose vandalism over
outright data theft.
3. The Internal
These are the insiders -- those who use their internal system privileges
to gain access to unauthorized data. They generally fall into two
subcategories: disgruntled employees seeking revenge and those who are
looking to use the data for financial gain.
4. The Petty Thief
Traditional criminals who learn how to hack in order to expand their
field of targets. They usually are not skilled at first, but they
sometimes become skilled over time. Their sole motivation is money.
5. The Old Guard
Motivated by curiosity and the need for an intellectual challenge, these
highly skilled individuals are capable of writing code and scripts.
Espousing the ideology of the first-generation hackers, they usually
have no criminal intent but will readily post the scripts and code they
6. The Virus Writer
This group is still being defined, Rogers says. It is made up mostly of
young males, who tend to age out of the group once they hit their mid to
late twenties. This group differs from the Cyber Punks in that its
motivation is more along the lines of revenge or curiosity than
7. The Professional Criminal
Highly-trained IT experts who use their skills for financial gain. They
tend never to be caught or even come to the attention of the
authorities, Rogers says. These are the "hired guns" employed by
organized criminal groups.
8. The Information Warrior
Motivated by patriotism, these individuals use their skills to disrupt
the command and control of a rival nation. They are typically highly
trained and highly skilled.
These categories have remained fairly stable since Rogers developed the
taxonomy in 1999, but many subcategories are evolving all the time,
Rogers says. "I expect this to develop like an ornithology, where people
take the basic structure and develop taxonomies for the subgroups."
One category that has gotten a good deal of attention from researchers
is the Internal group, which has been difficult to study because of
companies' reluctance to share information about insider threats and
break-ins. Several researchers have published studies on the topic in
the last two years.
The Secret Service and Carnegie Mellon University in 2005 released a
paper that says there are no common demographics among insiders who
damage or steal customer data, but there are indicators of risk.
Thirty-three percent of subjects were perceived by management as
'difficult,' and 19 percent were viewed as disgruntled by other
employees. Twenty-seven percent had come to the attention of a
supervisor or a co-worker for behavior concerns, and another 27 percent
had prior arrests, the study says. While 42 percent of those motivated
by greed were female, only 4 percent of those motivated by
disgruntlement were female.
In a study published last year, Eric Shaw, a professor at George
Washington University, reported that most of the insiders they studied
displayed four basic traits: a history of negative social and personal
experience; a lack of social skills; a sense of entitlement; and ethical
flexibility. These traits, combined with the right stress factors and
opportunities, can lead to a higher incidence of insider attacks, he
But such studies may overlook the more frequent instance of accidental
security exposure from inside the company. In a study being published
today, MessageLabs found that the "devils" in most companies are not
those who intentionally steal or damage company data, but those who expose
it to outsiders by breaking company security protocols.
According to MessageLabs, the danger comes from young, tech-savvy
junior-level sales types who are under pressure to meet their quotas.
"The problem is that the more you lock down your systems, the less
usable they become," notes Paul Wood, senior analyst at MessageLabs.
"These people are under pressure to meet their objectives -- they are
moving quickly and they don't have time for systems that aren't usable.
So they'll use their technical skills to find a way around the policy."
These company "devils" are natural multi-taskers who will use any means
necessary to get their jobs done -- including IM, wireless, VoIP, and
email -- from any access point, and without regard for security policy,
Wood explained. Their intent is not malicious, but they may create
avenues for a security breach without knowing it, he says.