The Hacker Profile: Data Breach 101

The hacker is the most important component of any breach. Understanding who they are, what tools they use, and what their motives and objectives are is the first part of any defense against them. It’s important to note that hackers aren’t just external threats – they can also be trusted employees or vendors who slowly exfiltrate data from your internal systems.

THE HACKER PROFILE

In this day and age, not all hacking requires a strong knowledge of programming, but the more sophisticated hackers will know a number of programming languages, such as:

  • Assembly language is an extremely important language to know because it’s the basic language that the processor can read.
  • Bash scripting is also very important because it will allow a hacker to easily manipulate common Unix/Linux systems.
  • Perl is a popular choice because most web applications use PHP.
  • Python or Ruby can help automate the tasks for mass collection of sensitive data.
  • C allows you to understand how the memory works.

COMMON HACKER PROFILES

The landscape of hackers has changed over time, especially as technology advances, but today we can put them into three categories based on their motives: hacktivists, cyber criminals, and nation states.

HACKTIVIST

A hacktivist is a politically motivated attacker. Hacktivists have been around for ages, but with widespread access to technology they have matured from lying in front of bulldozers to DDoS attacks on servers to get their political message across. Here’s a small list of hacktivist groups that you may have heard of:

  • Anonymous, a group of hackers known for a series of well-publicized attacks against government, religious, and corporate websites. They can be distinguished by wearing Guy Fawkes masks.
  • Lizard Squad, a hacking group known for attacking the PlayStation Network and Xbox Live services.
  • L0pht, a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area.
  • Honker Union, a group known for hacktivism, predominantly from China, whose members launched a series of attacks on US government websites.
  • DERP, a hacker group that attacked several game sites in late 2013.

Although most hacktivists work in silos and are unorganized, they can still do a lot of damage to businesses and government organizations. Hacktivists tend to use basic “script kiddie” tools like HOIC or LOIC that execute DDoS attacks, but some more advanced hacktivists are using tools like SQLi (SQL injection into an app) to steal data for doxing (collecting data for one’s own benefit).

CYBER CRIMINALS

This group has been around the longest and has one motive in mind: make money at the expense of others. Cyber criminals tend to be financed by organized crime and are the ones getting the top news coverage for stealing billions of dollars from enterprises and consumers every year.

These criminals operate in underground “black markets” or “bazaars”, where they buy, sell, and trade attack toolkits, zero-day exploit code, and botnet services. They also buy and sell stolen personal information, intellectual property, credit card information, etc., to use later to steal money from individuals, banks, and other businesses. As of late, they’ve been focusing on web exploit kits, such as Nuclear Pack, Blackhole, and Phoenix, to automate drive-by attacks (i.e. when victims get infected by malware after merely visiting a website).

NATION STATES (OR STATE-SPONSORED) ATTACKERS

The newest and most organized hacker groups are funded by the government. Known as state-sponsored attackers, they receive orders from the government and orchestrate operations that range from intellectual property theft to cyber espionage. These attackers get paid handsomely and are the best at their craft. Here are a few nation-state cyber security breaches that made the news:

  • Operation Aurora: an alleged attack from Chinese hackers who obtained access to Google and other well-known companies, stole IP, and sensitive US surveillance information.
  • The Stuxnet Incident: The attack was designed to compromise Iran’s nuclear capabilities and likely came from the US. The attack was extremely advanced, stealthy, and targeted a piece of malware that lived on both computers and controllers located in centrifuges.
  • The Anthem Attack: In this state-sponsored attack, Chinese hackers allegedly stole personal information from healthcare companies with intentions other than profit. The attackers seemed to be stealing social security numbers of defense contractors and government workers. It’s still a bit unclear as to what the Chinese government would do with this stolen information.

Unlike the other hackers’ tools, state-sponsored attackers create very customized and advanced attack code. Their attacks often incorporate previously undiscovered software vulnerabilities, called zero-days, which have no fix or patch. They often build the most advanced attack and evasion techniques into their attacks, using kernel-level rootkits, steganography, and encryption to make it very difficult for you to discover their malware.

FINAL THOUGHTS

Understanding the tools, motives, and objectives of these three hacker types should give you a better idea of what types of targets and resources each one is likely to attack. This will allow you to build defenses that are more tailored to handle specific attacks against the organization you are trusted to protect instead of trying to boil the ocean or cast a big net.