Exploring Malicious Hacker Communities: Introduction

Welcome guest author Dr. Ericcson Marin to the CYR3CON blog! We're excited to share a few details from the upcoming publication: Exploring Malicious Hacker Communities

With the large number of cyber-attack incidents, such as those recently experienced by Facebook, Dow Jones, and U.S. Customs and Border Protection, cybersecurity has become a serious concern for organizations. A security bulletin published by Kaspersky Lab noted that about 2,672,579 cyber-attacks were repelled daily by the company in 2019 (30 per second), reflecting the average activity of criminals involved in the creation and distribution of cyber-threats.

Exploring Malicious Hacker Communities Introduction

A credible explanation for this threatening scenario is that malicious hackers are increasingly using the internet to share knowledge and achieve their criminal goals. It is continuously reported by researchers and security firms how threat actors rely on online hacker communities to (1) identify software vulnerabilities, (2) create or purchase exploits, (3) choose a target and recruit collaborators, (4) obtain access to the infrastructure needed, and (5) plan and execute the attack, making what was once a hard-to-penetrate market accessible to a much wider population. Nowadays, no operating system, application, or hardware seems to be immune to cyber offensive operations. Worldwide, cyber-attacks cost organizations an estimated U$600 billion in 2017 (0.8% of global income), and U$5.2 trillion in additional costs and lost revenue are expected until 2024.

To make the cyber scenario even more threatening, according to the National Cyber Security Alliance, 60% of small and midsized businesses that are seriously hacked go out of business within six months, which strengthens the security specialists’ claim towards prevention compared to remediation. For instance, consider the WannaCry ransomware attack carried out in May 2017, when more than 300,000 computers across 150 countries had their hard-drive data encrypted (see the WannaCry’s home screen in the image below). For cases like these, remediation-only methods are useless because the damage produced cannot be undone unless the hacked company pays a ransom, which is an action not advised by the FBI.

WannaCry home screen

WannaCry’s home screen with instructions for victims of the cyber-attack.

 It is notable then how a more proactive approach that could predict and stop cyber-attacks before the infections occur would directly impact the security of organizations. With that said, the question that emerges is: how to build something like that? Well, the answer is not easy, but we can state that without visibility into the offensive industrial base, defenders do not know what is in the production pipeline and cannot be properly prepared. As usual, they only react to cyber offensives, trying to mitigate damages that range from unavailability of services until a loss in reputation, revenue, or data.

Now, think about this other question. What if we use the hacker’s resources against them? That is our main insight here. Although the current online hacker behavior helps to produce a huge amount of malware, it also provides intelligence for defenders, as the information shared by hackers can be leveraged as precursors to various types of cyber-attacks. For instance, consider the two case studies shown in the table below. By following the timelines, the reader can observe what is exactly being shared, and how this information can be valuable for security professionals. The same sharing pattern was observed for more notorious hacks such as the WannaCry and NotPetya ransomware and the Mirai botnet, which together result in billions of dollars in damages. From the defender’s perspective, the hackers’ digital traces existing in those environments yield valuable insights into evolving cyber-threats and can signal a pending offensive operation well before malicious activity is detected on a target system.

Timeline of software vulnerabilities

In this context, by shifting the attention from the defender environment to the attacker environment, this book proposes models, techniques, and frameworks to enhance cyber-defense based on threat intelligence that underpin the underground cyber-world: the malicious hacker communities. After introducing those communities and giving general information on the cyber-security domain, we conduct a series of studies that demonstrate how artificial intelligence, machine learning, and social network analysis techniques can be used to make sense out of large quantities of hacker community data for security purposes.

In the first part, we focus on scrutinizing the threat actors creating and distributing malicious code online and getting knowledge about dynamic reputation systems, user engagement, and highly specialized groups of hackers that can aid in the identification of credible threats.

In the second part, we leverage those techniques to effectively predict future cyber-threats, either by identifying exploits-in-the wild, predicting enterprise-targeted external cyber-attacks, or finding at-risk systems. Those attack predictions, in turn, can lead to a variety of strategic decisions to avoid infections, including prioritizing certain patches, discontinuing the use of a piece of software, purchasing or developing software, and segregating certain computers from the rest of the network. In a nutshell, this book provides computer network defenders with techniques to better understand their adversaries while analyzing assets, capabilities, and interests of malicious hackers, contributing to a new security paradigm called “proactive cyber threat intelligence”.

 CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn why we have become the most accurate, peer-reviewed, predictor of weaponized exploits. 

About our guest author: Dr. Ericsson Marin is an assistant professor of Computer Science at California State Polytechnic University, Pomona. He is the director of the Cyber Adaptive Learning Systems Laboratory (CALSys Lab) with research that combines AI, Machine Learning, Social Network Analysis, and Cybersecurity. Currently, Dr. Marin is investigating proactive cyber-threat intelligence, where intelligence is mined from the darkweb to predict future cyber-threats against organizations. He has authored an excellent record of scientific publications, including two books on threat intelligence published by Cambridge University Press. His work has been acknowledged with best paper, best presenter, and travel grant awards, receiving a considerable number of citations. He also has had an impact in industry, presenting at cybersecurity industry and federal agencies conferences/meetings such as ONR, ISC2, and FBI, among others. Dr. Marin holds an M.S. from the Federal University of Goias, Brazil and a Ph.D. from Arizona State University.