Thesis details
Testing the applicability of hacker typologies and models: A comparative case study of Fancy Bear and The Shadow Brokers
Title in Czech: Komparativní analýza hackerských skupin The Shadow Brokers a Fancy Bear: testování aplikovatelnosti typologií a modelů
Title in English: Testing the applicability of hacker typologies and models: A comparative case study of Fancy Bear and The Shadow Brokers
Keywords (Czech): Typologie hackerů, Kategorizace hackerů, Profilování aktérů kybernetických hrozeb, Fancy Bear, The Shadow Brokers
Keywords (English): Hacker Typologies, Hacker Categorization, Cyber Threat Actor Profiling, Fancy Bear, The Shadow Brokers
Academic year of assignment: 2020/2021
Thesis type: master's thesis
Thesis language: English
Department: Department of Security Studies (23-KBS)
Supervisor: prof. PhDr. RNDr. Nikola Hynek, Ph.D., M.A.
Author: hidden (assigned by the supervisor)
Date of registration: 16.06.2021
Date of assignment: 16.06.2021
Date and time of defence: 21.09.2022 09:00
Venue of defence: Pekařská 16, room JPEK313 (313, small classroom, 3rd floor)
Date of electronic submission: 31.07.2022
Date of defence: 21.09.2022
Opponent: doc. PhDr. Vít Střítecký, M.Phil., Ph.D.

Guidelines for the thesis
Planned thesis outline
- Introduction
- Conceptual/theoretical framework: introduction to the models and concepts
- Analysis of the hacker groups:
o Who are they: using the existing evidence to paint a picture of who the group may be
▪ Modus operandi: how do they work?
• History of action: the culture of their practices and what makes them special; what do they target, what do they do with it, how do they publish and sell, and to whom? This establishes the criteria for what is studied in cyber security within security studies
• Testing the applicability of the Cyber Kill Chain against those criteria
• Outcome of the test
• Adaptation of the Cyber Kill Chain
▪ Motivation: why do they do it?
• Testing different hacker typologies (categorization techniques and models) on a modern hacker group
• Finding the most appropriate one
- Conclusions
List of references

Chantler, Nicholas. Profile of a Computer Hacker. Florida: Infowar, 1996.

Gevirtz, Morris. The History of the Word "Hacker". https://deepgram.com/blog/the-history-of-the-word-hacker-2/

Hollinger, Richard C. Computer hackers follow a Guttman-like progression. Sociology and Social Research 72 (1988): 199-200. http://www.phrack.com/issues.html?issue=22&id=7

Landreth, Bill. Out of the Inner Circle: A Hacker's Guide to Computer Security. Microsoft Press, 1985.

Lockheed Martin. Gaining the Advantage: Applying Cyber Kill Chain® Methodology to Network Defense. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf

Rogers, Marcus K. A two-dimensional circumplex approach to the development of a hacker taxonomy. Digital Investigation 3, no. 2 (2006): 97-102. http://refhub.elsevier.com/S1742-2876(15)00083-3/sref37

Seebruck, Ryan. A typology of hackers: Classifying cyber malfeasance using a weighted arc circumplex model. Digital Investigation 14 (2015): 36-45. https://www.sciencedirect.com/science/article/pii/S1742287615000833
Preliminary scope of work (in English)
Introduction to the topic

In today's world, technology dominates most of our lives, and the speed of its development is matched by the speed with which it enters the daily routine of an average person. The advantages technology brings, however, come with new issues and threats that experts must deal with. As the population on the Internet diversifies, a wider and more diverse spectrum of cyber activity appears every day. Alongside the users who share and seek information with no bad intentions are actors who consciously take advantage of loopholes in security systems, who find ways to break through the defences built to protect data, and who harm institutions, governments, and other users. The Internet has changed and grown so much since it was established that it comes as no surprise that the term used to describe this type of actor has also changed its meaning.
The word "hacker" was already in use as a technical term in the 1970s. Back then, a hacker was any enthusiast with advanced computer skills. Since then, not only the meaning of the word but also its essence has changed. Even people with no interest in technology have probably heard the term "hacker group", perhaps in relation to Russian hacker groups allegedly attacking the United States, to Stuxnet, to the 2007 attacks on Estonia, or to the attack on Sony Pictures, or they have at least heard the name of some infamous group, such as Anonymous, Fancy Bear or many others.
Even though the cyber experts dealing with these groups have found ways to reveal the nature of the hackers, activity on the Internet is now more complex than ever. Even if we manage to pinpoint the nationality of the attackers, attribution of the attack remains a problem. We have many IT experts who can recover fragments of the hackers' identity from code and other evidence; however, based on the existing literature, I believe the field of cyber security needs to be studied in greater depth from the perspective of security studies and with international relations in mind. The issue is not only the attack itself, but attribution, identity, motivation, and the lessons learned from the event. Therefore, I have decided to base my thesis on the existing cyber security literature from both IT and the social sciences. Together with carefully picked cases, I strive to contribute to the approaches and methods we use in our field of study by encompassing some of the techniques used by cyber experts. By merging these, the goal of this thesis is to elevate the research, make it as complex as the current state of cyber affairs requires, and finally to facilitate a new, more sophisticated approach to studying cyber security issues.

Research target, research question
With my thesis I would like to contribute to the approaches and methods we use to conduct research on cyber security issues. For this reason, I am going to test the applicability of existing concepts. The first part of my thesis will focus on the modus operandi of the hacker groups, defining appropriate criteria from the perspective of security studies and using a concept from the IT realm, the Cyber Kill Chain, which was created by Lockheed Martin to study cyber attacks and to help identify and prevent cyber intrusion activity. This framework was made to be used by IT professionals, and I would like, first, to find out how suitable it is for the social sciences and, second, to propose adaptations so that it can be used in our field of study. Therefore, the first research question is: How can the Cyber Kill Chain concept be used or adapted to the studied topic?
Secondly, I will focus on the motivations of the hackers, using the typology of hackers framework. I will analyze the categorization techniques chronologically, starting with Bill Landreth, who was among the first authors to propose different types of hackers based on their skill and motivation; then Hollinger, who classifies hackers only by their skills; and Chantler, who compared motivation, ability, and experience. Ideally, the categorization would follow criteria such as the identity of the hackers, their targets, methods, frequency of occurrence, goal, and the scope of damage. Such data, however, are rarely available. Hence, the categorization scheme proposed by Rogers, which focuses on skill and motivation (revenge, financial gain, notoriety, and curiosity), is more suitable to follow. Rogers created a circumplex model, on which Ryan Seebruck later built his weighted arc circumplex model for the purpose of studying current hacker groups. On that account, the second research question is: How can we best provide a typology of hackers?

Literature review

My thesis tests two frameworks. For the first, which focuses on the modus operandi of the hacker groups, I am going to outline the criteria that would be used in the social sciences to study this phenomenon, based on "Sociology of Social Practices: Theory or Modus Operandi of Empirical Research?" by Robert Schmidt, a recognized author in security studies. I will then test the Cyber Kill Chain concept to find out how it can be adapted. I plan to use the Lockheed Martin paper "Gaining the Advantage: Applying Cyber Kill Chain® Methodology to Network Defense" as a guideline for how the model can be applied to my chosen cases. I plan to combine the information from this source with another very important one, which inspired me to write this thesis: the study "Modeling Fancy Bear Cyber Attacks: Designing a Unified Kill Chain for analysing, comparing and defending against cyber attacks" by Paul Pols. It was written for the Cyber Security Academy and therefore focuses mainly on the technological aspects of the Cyber Kill Chain model. The author tests it on the case of the hacker group Fancy Bear, and I will use his findings to help adjust the model for security studies and to answer the research question of how it can be used in the social sciences.
To collect data about the second hacker group analysed in the thesis, The Shadow Brokers, I have found a website called SH20TAATSB18, run by a French security professional who keeps an archive of all of the group's activity. He has also dedicated the website to a detailed analysis of The Shadow Brokers, covering both the technical aspects and research into the group's identity. It is not an ideal academic source; nevertheless, it is the only source I could find with that much information about the technical aspects of the group's cyber activity. For other information about the group, I plan to use the work of Matthieu Suiche, who has also researched the group for a long time and went into such depth that the hackers themselves reacted to his research.
Since the literature focuses mostly on individual attacks rather than on analysis of the hacker groups themselves, I plan to use many other articles and academic literature. At this stage of my work I can list, for example, "Knowledge Seeking on The Shadow Brokers" by Seung Ho Na and others, "The Shadow Brokers Cyber Fear Game-Changers" by Comae Technologies, and "From cold to cyber warriors: the origins and expansion of NSA's Tailored Access Operations (TAO) to Shadow Brokers" by Steven Loleski. For further information, I will search for specific attacks and articles about them. A problem with the literature for this part of my thesis could be that most of the data come from cyber security professionals with an IT orientation; I will therefore have to expand my knowledge and vocabulary to comprehend it to a sufficient depth.
For the second part, the typology of hackers, I will use the literature mentioned above, starting with Bill Landreth, who in 1985 proposed five types of hackers, distinguished by skill and by motivation, which encompasses mischief, intellectual challenge, thrill, ego boost, and criminal profit. In the same period, Richard C. Hollinger tried to classify hackers by their skills only, and eight years later Nicholas Chantler used motivation, ability, and experience as categorization criteria. The most suitable categorization for studying the motivations of hackers was created by Marcus K. Rogers, who, as mentioned above, categorizes hackers by skill and motivation (revenge, financial gain, notoriety, and curiosity). I find this categorization most suitable because it acknowledges ideological motivations, whereas the others, even though Chantler, for example, provides a more complex scheme, do not. My thesis focuses on groups that are most likely Russian state-linked, where I believe ideology plays a big part in their motivations.
Finally, for the second part I will use the study by Ryan Seebruck, who takes previous typologies into account and tries to update them so that they remain usable for newly emerging types of hacker groups, such as hacktivists and crowdsourcers, whose motivations are more ideological and social. He reclassifies the previous motivations of curiosity, notoriety, revenge, and financial gain as recreation, prestige, revenge, and profit, and adds a fifth category, ideology.
Regarding the literature, I predict there will be few, if any, problems with this part of my thesis, because research on hacker typologies is sufficient. That being said, I will look not only into typologies but also into taxonomies. These terms are often used interchangeably by researchers, even though certain nuances can be drawn between them: taxonomies tend to categorize along dimensions based on empirical observations and measurable traits. For my thesis, however, I will use the term typology, since the data being collected are qualitative.

Conceptual and theoretical framework, research hypotheses

This thesis is going to answer the research questions regarding the Cyber Kill Chain model and the typology of hackers. The Cyber Kill Chain is a framework from Lockheed Martin, created to identify and prevent cyber intrusion activity. It describes an intrusion as a seven-step process that should help an analyst studying a cyber attack to understand the tactics, techniques, and procedures of the attacker. The seven steps are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The model's premise is that the adversary must progress through every phase to succeed, so a defender who detects or blocks any single phase disrupts the whole intrusion. Each stage has a different focus and identifies its own patterns and indicators, which I plan to compare with the criteria derived from empirical research on the hacker groups.
The second framework used in this thesis is the typology of hackers, which includes specific models that can aid the categorization of hackers and help organizations, for example, to enhance their security systems. I presume the most suitable model will be the weighted arc circumplex model by Ryan Seebruck. This updated model addresses not only technical information but also the social relationships between hacker groups. His update of the circumplex model should be able to accommodate the differing motivations of hackers, since a typical circumplex model has only four quadrants, each representing a single motivation. Seebruck argues that this is not enough and that the motivations of modern hackers can be more complicated. Therefore, he represents archetypes not as small nodes within single sectors but as arcs that can cross several sectors at once, thereby showing multiple motivations.
The thesis will use both concepts as a framework to be tested on two cases, The Shadow Brokers and Fancy Bear. It will pick a specific attack by these groups and first test the applicability of the Cyber Kill Chain model by comparing it with the previously outlined social science criteria. Secondly, it will address the hacker groups from the perspective of the typology of hackers. The findings from the applicability test will be used to adapt the Cyber Kill Chain concept and to show which hacker typology model and framework works best for modern hacker groups.

Empirical data and analytical technique
This thesis will be conceived as a conceptually driven comparative analysis. Using two cases of modern hacker groups, Fancy Bear and The Shadow Brokers, it will test the existing concepts outlined above and, if necessary, try to adapt them to create a new conceptual framework for studying hacker groups in security studies. My motivations for picking these two groups are that they emerged recently and that both have a very interesting modus operandi and an alleged connection to the Russian state, which matters for my thesis because it brings in ideological motivations and has made both groups popular subjects of research in the IT field and in security studies. Their sophistication was another factor: I hope that by picking a sophisticated actor, the contribution of my analysis to security studies will be of greater benefit.
For the first research question, "How can the Cyber Kill Chain concept be used or adapted to the studied topic?", I plan to use secondary qualitative data about different hacker groups from different authors to derive the criteria most suitable for studying modus operandi, that is, how my cases operate, while staying within the boundaries of the social sciences. I then plan to use these criteria and run a test of the Cyber Kill Chain concept on the case of the Fancy Bear hacker group to find out what can be learned from that process. Finally, I plan to compare these findings with the previously derived criteria and assess if and how the concept could be adapted to better suit the social sciences.
The data for this first part will be collected from secondary sources, namely case studies of different hacker groups on the topic of their modus operandi, so that I can create an ideal set of criteria according to which the cases will be studied. Furthermore, since I am a social scientist and am not able to decode the technical data myself, I will collect data from the studies of cyber security experts who have researched the Fancy Bear group and use these data to follow the steps outlined in the Cyber Kill Chain concept. In this part, based on the concept, I will focus mostly on:
- how the group identifies its targets, whether by harvesting email addresses, identifying employees via social media networks, collecting documents such as press releases and conference attendee lists, or discovering internet-facing servers (reconnaissance);
- how they prepare the operation: whether they obtain a weaponizer in-house or through public or private channels, set up backdoor implants, plant a decoy document, or designate a mission ID (weaponization);
- how they launch the operation, via email, USB stick, social media interactions, etc. (delivery);
- how they gain access to the victim: whether there is a software, hardware, or human vulnerability, whether they acquire or develop zero-day exploits, and whether they rely on the victim clicking a malicious link (exploitation);
- how they install the implants (installation);
- whether they remotely control the implants (command and control);
- and whether they achieved the mission's goal (actions on objectives).
This information will be gathered across different attacks by the groups, which should, according to the concept, reveal overlapping indicators and similarities that help defenders understand how the attacker works and then prevent the next attack.
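The campaign-analysis step described above, that is, recording the indicators observed at each phase across several intrusions and looking for the phases where they overlap, can be made concrete in code. The following Python is an added example written for this page; it is not code from the thesis, from Lockheed Martin, or from any of the cited authors. The phase names are the seven Cyber Kill Chain phases; the `Intrusion` class, the functions and the indicator strings are constructed for the example and are not observations of Fancy Bear or The Shadow Brokers.

```python
from __future__ import annotations

from dataclasses import dataclass

# The seven phases of the Lockheed Martin Cyber Kill Chain, in attack order.
KILL_CHAIN: tuple[str, ...] = (
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
)


@dataclass
class Intrusion:
    """One intrusion, recorded as the indicators observed at each phase."""

    name: str
    indicators: dict[str, set[str]]

    def __post_init__(self) -> None:
        unknown = set(self.indicators) - set(KILL_CHAIN)
        if unknown:
            raise ValueError(f"not Cyber Kill Chain phases: {sorted(unknown)}")
        # Phases with nothing observed are kept as empty sets so every
        # intrusion can be compared phase by phase.
        for phase in KILL_CHAIN:
            self.indicators.setdefault(phase, set())


def phase_overlap(a: Intrusion, b: Intrusion) -> dict[str, set[str]]:
    """Indicators that both intrusions share, phase by phase."""
    return {p: a.indicators[p] & b.indicators[p] for p in KILL_CHAIN}


def earliest_shared_phase(a: Intrusion, b: Intrusion) -> str | None:
    """First phase with a shared indicator. A defender who learned this
    indicator from intrusion a could have detected b at this point, and the
    earlier the phase, the less of the chain the attacker completes."""
    for p in KILL_CHAIN:
        if a.indicators[p] & b.indicators[p]:
            return p
    return None


def similarity(a: Intrusion, b: Intrusion) -> float:
    """Jaccard similarity over (phase, indicator) pairs: 0.0 means nothing
    in common, 1.0 means identical tradecraft at every phase."""
    pa = {(p, i) for p in KILL_CHAIN for i in a.indicators[p]}
    pb = {(p, i) for p in KILL_CHAIN for i in b.indicators[p]}
    union = pa | pb
    return len(pa & pb) / len(union) if union else 0.0


def campaign_report(a: Intrusion, b: Intrusion) -> dict[str, object]:
    """Summary a defender would keep: where the two intrusions repeat."""
    overlap = phase_overlap(a, b)
    return {
        "shared_phases": [p for p in KILL_CHAIN if overlap[p]],
        "shared_indicators": {p: sorted(s) for p, s in overlap.items() if s},
        "earliest_shared_phase": earliest_shared_phase(a, b),
        "similarity": round(similarity(a, b), 3),
    }


# Constructed sample data: placeholder indicator strings chosen for this
# example, not observations of Fancy Bear, The Shadow Brokers or anyone else.
INTRUSION_A = Intrusion("constructed intrusion A", {
    "reconnaissance": {"harvested:conference-attendee-list"},
    "weaponization": {"lure-doc:agenda.docx", "implant:family-x"},
    "delivery": {"spearphish-sender:press@mail.example"},
    "exploitation": {"macro-enabled-document"},
    "installation": {"persistence:run-key"},
    "command_and_control": {"c2:updates.example.invalid"},
    "actions_on_objectives": {"mailbox-export"},
})
INTRUSION_B = Intrusion("constructed intrusion B", {
    "reconnaissance": {"scraped:employee-profiles"},
    "weaponization": {"lure-doc:invoice.docx", "implant:family-x"},
    "delivery": {"spearphish-sender:press@mail.example"},
    "exploitation": {"macro-enabled-document"},
    "installation": {"persistence:scheduled-task"},
    "command_and_control": {"c2:cdn.example.invalid"},
    "actions_on_objectives": {"mailbox-export", "credential-dump"},
})

if __name__ == "__main__":
    for key, value in campaign_report(INTRUSION_A, INTRUSION_B).items():
        print(f"{key}: {value}")
```

Running the file prints the report for the two constructed intrusions. The earliest shared phase is the one a defender should care about most: an indicator that repeats at weaponization or delivery lets the next intrusion be stopped before exploitation, which is exactly what the kill chain's premise (the attacker has to complete every phase) is meant to exploit.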
For the second part of the thesis, I will use the typology of hackers framework and the previous authors' categorization techniques. I plan to find the best model within this framework for studying hacker groups' motivations by using the case of The Shadow Brokers. I picked this group mostly because of their complexity, sophistication, and the mystery surrounding them. I plan to collect qualitative data from various authors debating the group's motivation, most notably the cyber security researcher who conducted a study and created a website to publish it, with the whole archive of The Shadow Brokers' actions. I will run these data through the existing models to find out whether they evaluate enough factors to study modern hacker groups and which of them is the most suitable for the job.
My thesis is therefore a process-based analysis built around two questions popular in social science research for their ability to provide a thorough analysis of an issue: the first targeting the modus operandi (how the groups work), the second their motivations (why they do what they do). My thesis also strives to connect IT methods with methods used in the social sciences, which could benefit security studies.
 