Tracking malicious hackers’ early activities using open source intelligence can offer substantial clues about the likelihood of their becoming a persistent threat in the future, two university researchers claimed in a report this week.
That knowledge can help guide early intervention efforts to nudge fledgling hackers off their criminal trajectories, they noted.
Christian Howell, assistant professor in the Department of Criminology at the University of South Florida, and David Maimon, a professor at Georgia State University’s Department of Criminal Justice & Criminology, recently tracked 241 new hackers engaged in website defacements for a period of one year.
Early Intervention for Fledgling Hackers
Howell and Maimon identified hackers as new for their study based on information the individuals posted on Zone-H, a platform that malicious actors widely use to report website defacements. Hackers basically upload evidence of their attack, including their moniker, the defaced website’s domain name, and an image of the defaced content to Zone-H. Once administrators there verify the content, they post the information to the archive, where it is publicly viewable. Zone-H currently maintains records of more than 15 million attacks that have resulted in website defacements over the years.
The two researchers tracked each of the hackers for a period of 52 weeks from their first disclosed website defacement on Zone-H. Because many attackers use the same online aliases across platforms to establish their reputation and status, the researchers were able to track them across multiple environments, including social media channels such as Facebook, Twitter, Telegram, and YouTube.
“Based on a hacker’s behavior in the first few months of their career, you can predict where they are going to be further on in their career,” Maimon says. “We can definitely nudge these actors away from a life of cybercrime,” by intervening early, he adds.
Maimon points to previous research that he was part of, along with Howell and another researcher, that showed early intervention can have an impact on budding criminal behavior. In the study, the researchers — purporting to be hackers themselves — sent direct messages to a selected group of hackers about alleged law enforcement efforts targeting those involved in defacement activity. The messages prompted many of those who received them to cut back their defacement activity, apparently out of concern about law enforcement tracking them down, he says.
Four Distinct Trajectories
They collected information about the total number of attacks that each hacker carried out during the one-year period, analyzed the content of their website defacements, and gathered open source intelligence about the hackers from social media and underground sites and forums.
The data showed that 241 hackers defaced a total of 39,428 websites in the first year of their malicious hacking careers. An analysis of their behavior revealed that new hackers follow one of four trajectories: low threat, natural desisting, increasingly prolific, and persistent.
A plurality of the new hackers (28.8%) fell into the low-threat category, which basically meant they engaged in very few defacements and did not increase their attack frequency through the year. Some 23.9% were naturally desisting, meaning they began their careers with substantial velocity but then appeared to lose interest quickly. Hackers in this category included politically motivated hacktivists who likely lost sight of, or got bored with, their cause, the researchers surmised.
Hackers in the more troublesome categories were the 25.8% who engaged in an increasing number of attacks over the course of the year and the 21.5% in the persistent category who started with a substantial number of attacks and maintained that level through the year.
“Increasingly prolific hackers engage in more attacks as they advance in their career, while persistent threats continually engage in a large number of attacks. Both are problematic for system admins,” Howell says. He notes that it’s hard to say for sure what percentage of the hackers in the study engaged in other forms of cybercrime besides website defacements. “But I found several selling hacking services on the Dark Web. I suspect most — if not all — engage in other forms of hacking.”
The two researchers found that hackers who had a high level of engagement on social media platforms and reported their website defacements to multiple archives tended to also be the more persistent and prolific actors. They also tended to disclose their aliases and ways to contact them on sites they defaced. Howell and Maimon chalked the behavior up to attempts by these actors to establish their brand as they prepared for a long-term career in cybercrime.
Often, these actors also indicated they were part of broader teams or became part of a broader group. “New hackers are typically recruited by existing teams with more sophisticated members,” Howell says.
The study showed that cyber intelligence from publicly available sources is useful in forecasting both threats and emerging threat actors, Howell says. He notes that the focus now is on developing AI algorithms that can help improve these forecasts going forward.