November 3, 2006

Inside the Hacker's Profiling Project

Author: Federico Biancuzzi

Imagine being able to preview an attacker's next move based on the traces left on compromised machines. That's the aim of the Hacker's Profiling Project (HPP), an open methodology that hopes to enable analysts to work on the data (logs, rootkits, and any code) left by intruders from a different point of view, providing them with a profiling methodology that will identify the kind of attacker and therefore his modus operandi and potential targets.

We discussed the project with co-founder Stefania Ducci, criminologist for the United Nations Interregional Crime and Justice Research Institute (UNICRI). In mid-2004 Ducci began collaborating with Raoul Chiesa on what became the HPP.

NewsForge: What is the Hackers Profiling Project?

Stefania Ducci: The HPP is an international research programme aimed at developing an open methodology that -- when applied to log files or computer forensics dumps -- will enable analysts to identify the kind of attacker that performed the attack(s).

Most studies have been carried out by focusing on either the criminal analysis of the computer intrusion on one side or the technical analysis on the other side. In no case have we seen a synergic approach. In this context, our research project aims to identify the actors' behaviours, helping in better identifying the reasons for IT/ICT attacks, thus determining better countermeasures.

Interdisciplinarity is the new element of our research project. It puts together criminology and ICT security science with the aim of identifying the different categories of hackers considering: modus operandi (alone or in group), technical skills, motivations, purposes, targets, the adhesion or not to the so-called "hacker ethics."

In a nutshell, the HPP is targeted at:

  • Analysing the hacking phenomenon in its several aspects -- technological, social, and economic -- through both technical and criminological approaches;
  • Understanding the different motivations and identifying the actors involved;
  • Observing the criminal actions "in the field";
  • Applying the profiling methodology to the gathered data;
  • Learning from the acquired knowledge and disseminating it.

The HPP started in September 2004, and became an official ISECOM project in June 2006. ISECOM, the Institute for Security and Open Methodologies, is an open source vendor-neutral collaborative community.

NF: Why do we need to study and create hacker profiles?

SD: In order to adopt countermeasures to make systems safer, and for identifying attackers more rapidly. If a potential target is aware of the type of attack it may be subject to and what kind of attacker may be at work, a sysadmin could adopt measures aimed at reducing the risk of a possible intrusion.

NF: How would this project help the sysadmins defend their networks?

SD: If you don't know your enemy, you can't know how to defend yourself. When HPP brings the actual profile of the attacker -- based on logs and data, concrete and detailed, on the intrusion -- this profile will help sysadmins use their resources in a more effective way, based on the attacker's goals and potential targets.

NF: What would the project concretely produce as final output?

SD: The final goal is a real and complete methodology for hacker profiling, released under GNU/FDL. This means that, at the end of our research project, if a company sends us its (as detailed as possible) logs related to an intrusion, we -- exactly like in the TV show C.S.I. when evidence is found on the crime scene -- will be able to provide a profile of the attacker. By "profile" we mean, for example, his technical skills, his probable geographic location, an analysis of his modus operandi, and of a lot of other, small and big, traces left on the crime scene.

This will also permit us to observe and, wherever possible, preview new attack trends, show rapid and drastic behaviour changes, and, finally, provide a real picture of the world of hacking and its international scene.

NF: Why should hackers collaborate with you?

SD: Because the purpose of this study is trying to describe objectively hackers' everyday life, providing the people that have a poor knowledge of the hacking scene and the digital underground with a clear vision, uninfluenced by mass media or personal prejudices, putting an end to all the stereotypes surrounding this world.

NF: How are you collecting the data for the profiling process?

SD: The data useful for outlining attackers' profiles will be collected through three different project stages, partly overlapping: an analysis of the existing literature on the topic, the distribution of a questionnaire, and honeynets.

The review of the literature has been carried out since the beginning of the project and will continue until its end. Overlapping this first phase is the development and distribution of a questionnaire, currently ongoing. With the establishment of honeynets it will be possible to register and automatically collect information on the attacks and movements of hackers who are trying to penetrate the honeynets' systems. The elaboration of the criminal profiles of different types of hackers is based on the analysis of the correlations among the data collected through the questionnaire, the inputs from the honeynets, and from publications that deal with the topic.

NF: Could you tell us more about the questionnaires?

SD: The questionnaire is divided into three modules. Module A is about personal data (gender, age, social status, family context, study/work). Module B deals with relational data (relationship with authorities, teachers/employers, friends/colleagues, other hackers). Module C regards technical and criminological data (target, hacking techniques and tools, motivations, ethics, perception of the illegality of their own activity, crimes committed, deterrence). All the questions allow anonymous answers.

Raoul Chiesa and I, with the helpful assistance of psychologist Elisa Bortolani, have developed two questionnaire typologies: a "complete" version where all the fields of modules A, B, and C are compulsory, and a "compact" version with only some fields of the three modules. The latter is available online. The complete version of the questionnaire will be distributed exclusively to the persons who we are sure belong to the hacker underground. This group will act as a control group toward those who have filled out the compact version. In order to avoid false answers, we will also compare the data from the questionnaires with the ones obtained through a new-generation honeynet, with the aim of verifying whether the single hacker typologies identified through the questionnaires have the technical features, modus operandi, skills, targets, and motivations proper to the category.

The questionnaire should yield a profile of hackers who practice hacking in their spare time and without professional purposes. It is unlikely that cyber-warriors, industrial spies, governmental agents, and military hackers, who practice hacking professionally, will fill out the questionnaire, due to the obvious prudence required by their activities. Therefore, this questionnaire's gap will be bridged thanks to the data generated by the honeynet.

NF: Looking at the data you have collected so far, what can you say?

SD: Generally speaking, it comes out that hackers are usually brilliant, inventive, and determined. They generally feel anger and rebellion towards authorities and narrowmindedness, seen as a menace for civil liberties. Hacking is conceived as a technique and a way of life with curiosity and to put themselves through the hoops, or as a power tool useful for raising awareness among the general public about political and social issues. Normally, they are driven by the love for knowledge. Nevertheless, there are also hackers who have profit purposes and, therefore, practice phishing/pharming, carding, or industrial espionage. Their preferred targets are military and governmental systems, as well as information systems of corporations, telecommunication societies, schools, and universities, but also end users and SOHO.

The bulk of hackers (with low technical skills) are discouraged from systems difficult to violate: they prefer "easy" OSes such as Linux or Windows. By contrast, high-level hackers are stimulated only by systems considered "invulnerable" (*BSD, Solaris, HP/UX, VMS, IOS, Symbian) and by protocols. Usually, they shift the fault for their attacks onto sysadmins (or software designers) for the fact they have not been able to protect the system properly (or to project/define a safe protocol or standard).

It emerged from the questionnaires that so-called "ethical hackers" inform sysadmins of vulnerabilities on violated systems (or contribute to fixing security flaws), but usually only after having informed other members of the underground. It came out also that they do not crash systems (if this happens it is accidental and due to inexperience), and neither steal nor delete nor modify data. Their aim is to improve the systems' security and raise sysadmins' awareness and attention.

Finally, we have recognized the existence of a new category -- military hackers. They are former elite hackers who are employed permanently by armed forces, for possible future information warfare.

I am quoting here a part of a filled questionnaire in order to let the readers have a "taste" of the kind of replies we are collecting:

Q: Do you obey the hacker's ethics? If not, why?
A: I obey my ethics and my rules, not ethics in general. I don't like to obey what other people are obeying. Ethics are like rules and laws -- other people are writing them for you and even if sometimes they sound fair and correct, always behind the sweet and hypnotic words there is a trap for personal freedom. I am not a sheep to follow rules ethical or legal in general.

Q: How do you perceive your hacking/phreaking activity: legal or illegal?
A: I don't accept the terms legal and illegal, because accepting these terms means that I have the same point of view as people who have nothing in common with me. For me, my activities are legal.

NF: Who is working on the project, and how could other people help you?

SD: We have a group of technicians, among which I have to mention Alessio Pennasilico, who created the Web site.

Considering the huge work that has to be carried out, we are looking for collaborators, especially experts in criminology, sociology, psychology, and information technology. Till now we have financed ourselves, but we are open to sponsorships.

