Exploring Malicious Hacker Communities: Predicting Imminent Cyber Threats

Cyber attacks don't come out of nowhere, although people still believe this chaotic scenario rules the security of cyberspace. Instead, those offensives mainly derive from the exploitation of known software vulnerabilities that hackers knew were left unpatched on machines. The criminals just share the information on their preferred hacker community and get online help to troubleshoot obstacles. This is bad news for organizations that adopt a reactive security strategy, since a mass of cyber-threats will be on the attacker's side, targeting vulnerable assets.


However, for organizations that adopt a proactive security strategy, this online hacker behavior is actually good. By looking in the right place at the right time, defenders can mine the interest of malicious hackers to anticipate their actions, protecting targeted assets before the attackers are able to breach their organization. This is where this book comes into play: it explains how organizations can build a proactive security stance using the hacker’s resources against them. Throughout the book, we use data provided by CYR3CON, which includes hacker discussions on forums and marketplaces from all layers of the web along with hacking-related information from social media platforms, Chan sites, paste sites, exploit archives, vulnerability databases, and bug bounty programs.

The studies conducted in this book are divided into two parts. The first part, formed by Chapters 3, 4, and 5, focuses on understanding the threat actors creating and distributing malicious code online to identify credible threats. Specifically, Chapter 3 addresses the key-hacker identification problem, where we analyze the activity, expertise, knowledge transfer behavior, structural position, influence, and coverage of forum members to develop their profiles, aiming to understand which features characterize key-hackers. As this select and reputable group of hackers foments a promising vulnerability exploitation threat market, providing profitable resources that are more attractive to other hackers, it forms a natural lens through which security alert systems can look to predict cyber-attacks, as illustrated in Figure 1.


Figure 1. Key hackers are highlighted in a network of threat actors.

Next, as hackers use online communities to advertise, showcase, and recruit collaborators, attracting low-skill-level individuals who aim to improve their hacking skills, Chapter 4 analyzes forum engagement by predicting where and when hackers will post a message given their recurrent interactions with other hackers. By modeling hacker adoption behavior, we build a crowdsourced sensor to gain insight into future users’ activities that may lead to cyber-attacks, such as hacktivist campaigns, purchase of particular hacking-related products/services (see Figure 2), or mass adoption of cyber-threats.

Figure 2. Hacker adoption analysis of cyber-threats.

Chapter 5 demonstrates whether vendors of malware and malicious exploits organically form hidden communities on online marketplaces (see Figure 3), using the similarity of their product offerings to detect them. By finding vendors with similar expertise, defenders can anticipate subsequent product offerings if at least one of the community members has already been confirmed as offering a similar exploit online, helping organizations with surveillance of imminent cybercriminal activities.


Figure 3. Hacker communities revealed.

In the second part of the book, formed by Chapters 6, 7, 8, and 9, we focus on directly measuring the risk of cyber-attacks, either by predicting exploits-in-the-wild, anticipating cyber-incidents at particular enterprises, or conducting an assessment of threats to particular systems. Specifically, Chapter 6 predicts whether malicious exploits are going to be used in the wild targeting specific software vulnerabilities. Although only a small fraction of the large number of published vulnerabilities is actually exploited in the wild, current standard risk assessment systems, such as the CVSS score, appear to fall short of security expectations, making organizations allocate their limited resources to the wrong threats. This study combines resources from online hacker communities (forums and marketplaces), vulnerability databases, and security advisories to accurately identify the IT targets of malicious hackers, as illustrated in Figure 4.

Figure 4. Targeted software vulnerability being identified.

Chapter 7 describes a temporal logical framework to learn rules that correlate malicious hacker activities (mentioned vulnerabilities on forums and marketplaces) with real-world cyber-incidents, leveraging these rules for predicting enterprise-targeted external cyber-attacks (see Figure 5). The challenge here is more than identifying the existence of an exploit in the wild. Instead, we generate security warnings precisely predicting when a cyber-attack is likely to occur given the current hacker discussions. The predictions are transparent, allowing human experts to completely understand the reasoning behind them.

Figure 5. Correlation between malicious hacker activity and real-world cyber-attackers.
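To make the idea of time-bounded, explainable rules concrete, the following added example (a simplified illustration, not the book's framework or code) learns rules of the form "tag mentioned at least k times on day t, then an incident within w days" and keeps only those whose confidence clearly exceeds the base rate. The tags, day indexes, incident days, thresholds, and the `min_lift` cutoff are all constructed assumptions.

```python
# Constructed sample data (not from the book): day index -> tags mentioned in
# hacker-forum posts that day, and days with a recorded incident at one enterprise.
MENTIONS = {
    1: ["vpn-appliance"] * 2, 5: ["vpn-appliance"] * 2, 7: ["cms-plugin"],
    9: ["cms-plugin"], 12: ["vpn-appliance"] * 2, 15: ["cms-plugin"],
    18: ["vpn-appliance"] * 3, 22: ["cms-plugin"], 23: ["vpn-appliance"],
    24: ["cms-plugin"],
}
INCIDENTS = {3, 6, 14, 20, 27}
HORIZON = 30  # observation period: days 0..29


def incident_within(day, window, incidents):
    """True if an incident falls in the interval (day, day + window]."""
    return any(day < d <= day + window for d in incidents)


def learn_rules(mentions, incidents, horizon, thresholds=(1, 2),
                windows=(1, 2, 3), min_support=3, min_lift=2.0):
    """Learn rules 'tag mentioned >= k times on day t -> incident within w days'.

    A rule is kept when it fired on at least min_support days and its
    confidence is at least min_lift times the unconditional prior.
    Returns tuples (tag, k, w, support, confidence, prior), best first.
    """
    rules = []
    tags = sorted({t for posts in mentions.values() for t in posts})
    for w in windows:
        prior = sum(incident_within(d, w, incidents) for d in range(horizon)) / horizon
        for tag in tags:
            for k in thresholds:
                fired = [d for d, posts in mentions.items() if posts.count(tag) >= k]
                if len(fired) < min_support:
                    continue
                conf = sum(incident_within(d, w, incidents) for d in fired) / len(fired)
                if conf >= min_lift * prior:
                    rules.append((tag, k, w, len(fired), round(conf, 2), round(prior, 2)))
    return sorted(rules, key=lambda r: (-r[4], r[2], -r[1]))


def warn(rules, todays_posts, today):
    """Explainable warnings: each one names the rule that produced it."""
    return [f"day {today}: incident likely within {w}d (rule {tag}>={k}, "
            f"confidence {conf}, prior {prior}, support {sup})"
            for tag, k, w, sup, conf, prior in rules if todays_posts.count(tag) >= k]


if __name__ == "__main__":
    for line in warn(learn_rules(MENTIONS, INCIDENTS, HORIZON), ["vpn-appliance"] * 2, 30):
        print(line)
```

Each warning carries the rule, its support, and the base rate it was compared against, so an analyst can see why it fired and how much evidence stands behind it.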

With the same prediction goal as Chapter 7, Chapter 8 brings social network analysis to aid in cyber-attack prediction. Here, I measure network features and user/thread posting statistics to hypothesize that the interaction dynamics focused on a set of forum users (the highlighted experts in Figure 6) and the attention broadcast by them to others can be relevant to generating cyber-attack warnings.

Figure 6. Hackers being differentiated while their activities are correlated with cyber-attacks.

Finally, Chapter 9 looks at online hacker discussions to identify platforms, vendors, and products likely to be at risk, gathering indicators regarding the hacker capability of targeting systems. The approaches proposed in Chapters 6, 7, and 8 to predict cyber-threats only consider discussions that have explicit software vulnerability mentions, which comprise a small portion of them. Here, we analyze all collected hacker discussions from forums and marketplaces to identify at-risk systems, looking for platforms, vendors, and products that might be of interest to malicious hackers.


Figure 1. Platforms, vendors, and products are being monitored for the identification of at-risk systems.

In summary, this book is intended to give an overarching view into how to explore malicious hacker communities to achieve proactive cyber-threat intelligence. After introducing those communities and giving general information on the cybersecurity domain in Chapter 1 and Chapter 2, we conduct a series of studies that demonstrate how artificial intelligence, machine learning, and social network analysis techniques can be used to make sense out of large quantities of hacker community data for security purposes. Table 1.1 summarizes the two main parts of this book.


Table 1. The two main parts of the book

We hope you've enjoyed these last few posts from our guest author, Dr. Ericsson Marin. CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn why we have become the most accurate, peer-reviewed, predictor of weaponized exploits. 

About our guest author: Dr. Ericsson Marin is an assistant professor of Computer Science at California State Polytechnic University, Pomona. He is the director of the Cyber Adaptive Learning Systems Laboratory (CALSys Lab) with research that combines AI, Machine Learning, Social Network Analysis, and Cybersecurity. Currently, Dr. Marin is investigating proactive cyber-threat intelligence, where intelligence is mined from the darkweb to predict future cyber-threats against organizations. He has authored an excellent record of scientific publications, including two books on threat intelligence published by Cambridge University Press. His work has been acknowledged with best paper, best presenter, and travel grant awards, receiving a considerable number of citations. He also has had an impact in industry, presenting at cybersecurity industry and federal agencies conferences/meetings such as ONR, ISC2, and FBI, among others. Dr. Marin holds an M.S. from the Federal University of Goias, Brazil and a Ph.D. from Arizona State University.