Trading in Attack Data

By: Amit Rechavi

Scientific research is based on a theory and on data that can refute or corroborate the theory. When data emerge that refute the dominant theory, we bear an obligation to formulate a new theory that embodies an explanation for the new data that have emerged. According to Kuhn (1962), this is the manner in which modern science develops and is shaped. What happens, though, when we have a theory but do not have data to check it? In such instances, we use indirect data that measure the phenomenon we are investigating. Examples of the informed use of this approach can be found in the field of physics, and we adopt the same method in our current study into hacker networks.

Due to its inherently illegal nature, the world of hacking is a concealed one in which the players, the methods used, and sometimes even the motives behind actions all remain unknown. Indeed, it is commonly argued that even the outcomes of the actions of the very best hackers remain concealed; in other words, the target of the attack is unaware that an attack took place. Examples of such cunning attacks include the changing of data in information systems without the change being detected; blocking certain data or data sources so that they do not reach their intended destination; altering, in an undetectable manner, the algorithms used to take decisions; attacks on computer resources that prevent them from realizing their true capacity, and so forth.

The study, by Dr. Amit Rechavi, Dr. David Maimon and Dr. Tamar Berenblum, examined trade in attack data between different countries. By using “honey traps” (honeypots: computers deliberately set up to be hacked in order to expose the hackers’ behavior), we found that different countries (or, more accurately, identified attackers from various countries) choose to attack computer sites in different ways. Some of the attacks employ brute force, in which hackers (or bots) attempt, without any sophistication, to enter information systems by submitting thousands of combinations of user names and passwords. Another type of attack is characterized by entry to information systems and the execution of various malicious actions there (as mentioned in the previous paragraph).

We discovered that some hackers (and, by way of a generalization, some of the countries where such actions were identified) prefer to use bots to obtain the user name and password for the information system, while other hackers (and the countries from which their entries were discovered) actually penetrate the systems. So far, the whole story sounds relatively simple. The question we asked was whether and how the information is transferred from the hackers who concentrate on obtaining user names and passwords to those who specialize in entering the information systems and executing actual actions in them. In other words, we assumed that methods exist that permit this transfer of information, but since trade in user names and passwords is illegal, it is impossible to observe directly whether and how this important transfer is executed. However, since we were able to count how many attempts were made in each attack before the hacker supplied the correct user name and password, we could locate, with precise identification, all the hackers who entered a system on the first attempt. Since the chances that a hacker could guess the correct user name and password on the first attempt are virtually zero, we were able in our study to identify these hackers as ones who operated in other countries and had obtained the user names and passwords to these specific information systems elsewhere.

Accordingly, we used our analysis to map a global network (on the individual and country level) linking hackers of the first type, who obtain user names and passwords, and those of the second type, who execute malicious actions in the systems they enter. As explained above, we could not monitor or identify these interactions directly, since they take place in a covert manner, in all probability by means of the Darknet. However, by tracking the traces of these actions (as explained in the previous paragraph), we managed to map the global network of actions between hackers of different types. It emerges that this network functions in a manner that optimizes the dissemination of information, and is based on a small core of experts who maintain contacts with a diaspora that makes malicious use of this information. Mapping this network is the first step toward any action to confront it.
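The two steps described above (counting the failed attempts that precede each source's first successful login, then linking a credential's original brute-forcer to the sources that later log in with it on the first try) can be run over honeypot authentication records. The code below is an added illustration, not the study's own tooling; the log lines, the IP-to-country table and the log format are constructed for this example.

```python
"""Classify honeypot login sources as brute-forcers or first-try entrants, and
link the country that harvested a credential to the countries that reuse it."""
from collections import defaultdict

# Constructed sample records (not from the study): time, source IP, user, password, result.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 root 123456 FAIL
10:00:02 198.51.100.7 root password FAIL
10:00:03 198.51.100.7 root toor FAIL
10:00:04 198.51.100.7 root hunter2 OK
10:05:10 203.0.113.9 root hunter2 OK
10:06:30 192.0.2.44 admin admin FAIL
10:06:31 192.0.2.44 admin letmein OK
10:09:00 203.0.113.12 admin letmein OK
10:11:00 198.51.100.8 root qwerty FAIL
10:12:00 203.0.113.20 root s3cret OK
"""

# Constructed IP -> country lookup standing in for a GeoIP database.
GEO = {"198.51.100.7": "A", "198.51.100.8": "A", "203.0.113.9": "B",
       "203.0.113.12": "C", "192.0.2.44": "D", "203.0.113.20": "E"}

def parse(log):
    """Yield (timestamp, ip, (user, password), succeeded) per record."""
    for line in log.splitlines():
        ts, ip, user, pw, result = line.split()
        yield ts, ip, (user, pw), result == "OK"

def classify(log):
    """Return (profile, edges): profile maps each source that ever logged in to
    ('brute-force' | 'first-try', failures before success); edges are
    (harvesting country, reusing country) pairs inferred from shared credentials."""
    fails = defaultdict(int)   # failed attempts per source before its first success
    first_found = {}           # credential -> IP of the brute-forcer that found it
    profile, edges = {}, set()
    for ts, ip, cred, ok in parse(log):
        if ip in profile:
            continue           # only each source's first successful login matters
        if not ok:
            fails[ip] += 1
            continue
        n = fails[ip]
        kind = "first-try" if n == 0 else "brute-force"
        profile[ip] = (kind, n)
        if kind == "brute-force":
            first_found.setdefault(cred, ip)
        elif cred in first_found:   # first-try login with a credential someone else guessed
            edges.add((GEO[first_found[cred]], GEO[ip]))
    return profile, edges
```

A first-try login whose credential no brute-forcer on the honeypot ever found (the last record) is still flagged, but yields no edge: the credential came from somewhere the honeypot did not observe.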