The Hacker Personas

Matt Fusaro 00:18
Hi.Jason Pufahl 00:20
So today I think we’re gonna spend some time dispelling the common myth of what a hacker is. So, this is where it’s hard for me, because if I had a video or PowerPoint, I’d put a picture up right now of, you know, maybe a guy in a hoodie. Maybe I put even some some fancy like matrix-style texts in the back, right and, and say, well, you know, this is what everybody thinks of. And certainly this is what TV teaches everybody that a hacker is, probably a 20 year old, right? We love 20 year olds in their basement, incredibly sophisticated, doing really fancy things.Matt Fusaro 00:53
12 screens.

Jason Pufahl 00:55
Tons of screens.

Steven Maresca 00:57
You can’t forget the text projecting onto their face, which for some reason, very important.

Jason Pufahl 01:01
Well, it makes them look sinister.

Matt Fusaro 01:02
Energy drinks everywhere. Mountain Dew.

Jason Pufahl 01:05
For sure, the more sugar the better. I mean, that is the TV and they can get into any organization in seconds.

Matt Fusaro 01:13
Every time.

Jason Pufahl 01:13
Oh, yeah, right, every time. In fact, the firewall, that firewall, and then I think you juxtapose that with I think what we would say would be the more common reality now, right? Not to say there’s not, you know, somebody who thinks it’s interesting and does in fact, wear a hoodie. But you know, the office building, the organized, you know, sort of business setting, cubicles with management, where they define what they’re going to do as an attack objective, and they execute against that.

Steven Maresca 01:19
Can’t forget the call centers too.

Jason Pufahl 01:37
I mean, that’s not tongue-in-cheek, legitimate call centers, right, for the ransomware stuff that we see. So much more, much more organized, much more driven by profit as a motivation for sure.

Matt Fusaro 01:58
Some kind of an economy, right? Whether it’s just like pure financial reasons, or a war machine, if you will. There’s lots of reasons why they form these groups now.

Jason Pufahl 02:08
So, I want the image, I want though, because I want to segue into the motivation even more, I think that at least a few motivators. I do want to make sure that people have in mind an organized entity, right, whether that’s an office building, or whatever you picture that, but not a random actor doing random things.

Steven Maresca 02:25
So, why do we have the image of a random actor though? I mean, it comes from somewhere, right?

Jason Pufahl 02:29
I mean, I feel like it comes from 1980, when people were saying, well, we’re gonna do some basic phone dialing, and it was, a little bit more born out of creativity seeking. Yeah, right. Like somebody was like, I just got my computer for the first time and I bought my 1200 baud modem, or whatever they might have at the time. And we’re doing creative things, and I think that’s where that came from, and it just sort of stuck.

Matt Fusaro 02:52
Yeah, these days, we kind of hate the term or how they’re using the term “hacker”. I mean, we internally usually refer to it as an attacker, not a hacker, right?

Steven Maresca 03:03
Right.

Matt Fusaro 03:04
Because that’s what they’re doing. They’re attacking, they’re not, when we think of hacking, we think of it as trying to learn how a system works. It’s the same reason the mechanic learns their trade by taking their engines apart, and putting them back together, right? It’s kind of the same thing for us, except our engines involve computers.

Steven Maresca 03:21
And actually, as a term, it started there, realistically. It shifted in the 80s and 90s, and then frankly, kind of shifted back. You know, hacking these days, at least, for many of the younger crowd, is a positive thing. It’s complex at the end of the day, the imagery is warranted in many cases. You know, it used to be that a hacker or attacker was trying to achieve notoriety, they were trying to have fame attached to their activities, they’re claiming a trophy, or they were trying to make a point. Those were individual actors a lot of the time.

Jason Pufahl 03:56
So, are we comfortable then right now saying, let’s not use the word “hacker” for the purposes of this discussion, because I think in a way you just described hacking as, and I think it’s reasonable, as a positive activity, right, trying to learn something through taking something apart and understanding it better.

Steven Maresca 04:12
I think it’s okay to have recognition that there are simply multiple definitions.

Matt Fusaro 04:16
Right.

Jason Pufahl 04:16
That’s fair.

Steven Maresca 04:18
That everything can be used positively and negatively, the negative connotation of the attacker is still reasonable. Everyone, you know, casually, colloquially, refers to hackers as attackers, that’s fine. I think that the motive is important, though. Like I said, notoriety fame, that was what it was at the time when they were, in fact, single actors. It’s shifted, it’s profitable now, to attack, therefore, it’s more organized, therefore, it’s more business-oriented and planful. That’s today’s reality. You know, we deal with ransomware incidents where it’s very obvious to us that the initial entry into some company happened with Group A. And then Group B walks in the door with wildly different tactics and tools to take the data or to encrypt system. They’re teams, and there are marketplaces attached to that.

Jason Pufahl 05:15
The economy I think.

Matt Fusaro 05:16
Right.

Steven Maresca 05:17
Right. It’s lucrative to break-in and then sell access to other groups. That’s today’s reality.

Jason Pufahl 05:23
And they can be efficient, because their whole job is to break in, right, they’re not trying to execute all their attacks.

Matt Fusaro 05:31
Right, yeah, yeah, then sell that access.

Steven Maresca 05:33
So there are a couple other contexts, you know, if the hacker, some are the hacktivists, that are trying to achieve some sort of social goal or good depending upon how you look at it, they’re exposing things that are shadowy, like the, you know, exposure of dark money in countries that are tax shelters, and things of that variety. There’s also the researcher. We, in our field, know a variety of them, but one of the most well-known is l0pht, spelled l0pht. This is a group of researchers that, you know, briefed Congress on some very, very important risks to the national security of the US, 20 years ago. Today, they’re grey, their long hair has been replaced by something clean cut and corporate, but you know, that’s another element of this. And honestly, cybersecurity is built upon the research of curious people trying to understand how systems are built.

Jason Pufahl 05:33
Right. Right. So, you know, Steve, you mentioned l0pht in the research space, any notable groups, would you tie towards say the, you know, the profit motivated, or maybe the activist motivated that, you know, if anybody wanted to look up, they could do a lot of research?

Matt Fusaro 06:33
Yeah, I’d say this industry would be decades back if we didn’t embrace that kind of culture, right? The culture of breaking things to fix them, right. And I mean, there’s tons of stuff that came out about Conti recently, you know, with everything that’s going on in Russia, there’s supposedly lots of Russian ties and communications that got leaked. So if you want to see the internals, supposedly, of a ransomware group, it’s probably the best information you’re gonna get, really, there’s not a ton that you’re going to be able to access. You’ll see some research reports from, you know, the usuals, like the Sophos, CrowdStrike, FireEye. They have reports that they, they blog about, you can go their blogs and search them and find out about certain actors, they post them quite often.

Steven Maresca 07:34
Right. I mean, other you know, topical groups of recent notoriety include lapsusS, which is, you know, a little different. It was portrayed in the news as being backed by a teenage mastermind, which is perhaps more of the traditional hacker that we’re trying to say is less common these days, but there was still a group, loosely organized, of course, but you know, the fact is that they were trying to achieve goals through coordinated action.

Matt Fusaro 08:06
So what kind of inspired this whole segment as we saw a story that came out yesterday, so May 16, from this recording, that the hacker was exported, or not exported, I keep saying that, a hacker was extradited from Venezuela. And turns out that he was a cardiologist in Venezuela. And he had made, he was associated with Jigsaw. So if anyone’s familiar with that, I think it’s an older ransomware group, but he had made software to support what a lot of these other groups have formed. He made software to encrypt and manage the attacks that were going on, touted that it was used by Iran and their hacking groups. I love the names that he used for himself too, that probably led authorities right to him, like Asclepius and the Sophos, and Nebuchadnezzar, all that.

Jason Pufahl 09:12
Yeah, I mean, there’s some good means.

Matt Fusaro 09:14
Health ones, health-related names.

Jason Pufahl 09:16
You know, going back to the very beginning, where we said, that traditional idea of an attacker or hacker is a 20 year old kid, I think that’s not the case here. This guy was 55 years old, I think. So dispelling that myth that everybody has to be, you know, some young person with lots of time on their hands, right. I mean, cardiologist, theoretically pretty busy and yet found a fairly lucrative side business.

Matt Fusaro 09:49
Yup, yeah, it definitely kind of breaks the mold of what you would naturally think of a hacker.

Jason Pufahl 09:54
Totally does. And, you know, interesting, the sort of difference when thinking about Lapsus, right, which is, in that case, it was that semi, theoretically, that 17 year old mastermind of the whole thing, right?

Steven Maresca 10:08
Right. But, you know, the cardiologist, you know, he was not a lone actor perse, he was building tools to facilitate others in their specialization to achieve greater impact.

Jason Pufahl 10:21
And training on his tools like providing service on the side.

Matt Fusaro 10:26
Oh yeah, these groups are whole service businesses, they have, like, SAS solutions that they’ve created, so it’s a whole marketplace.

Jason Pufahl 10:35
Yeah, it is really fascinating. So we talked a little bit about, you know, the idea of the profits, of the profit behind it, right, I think, maybe a little bit, sort of hacktivism space, you know, some of the politically motivated, or whatever the case might be, you know, there is, and I think with loss, right, maybe, to some degree, that concept of the white hat versus black hat, right, we didn’t really talk about sort of how the industry tends to think of these, you know, where the white hat is probably more the hacker who’s trying to identify a security flaw or some sort of security vulnerability for the purpose of responsible disclosure, and then hopefully getting it fixed, right?

Steven Maresca 11:20
Yeah, these come from, you know, traditional symbols like white horse, black Horse type of origin. The white hats are pure academic researchers, they’re intending to stay within the full realm of benign law, not stray over any red lines and produce meaningful research for consumption by others. Maybe to improve the overall common good, but by building labs, not by testing out their theories in public and things of that. The other end of that spectrum, the black hat, their motives are usually far more tainted with malice. They may justify them based on some sort of improvement or hacktivism, or social good, but the truth is that they are not obeying laws, they are attacking other organizations, they are trying to make a point. Gray hats, they’re the middle ground. You know, they’re folks who generally have positive tendencies, are trying to improve things, but maybe demonstrate the point by attacking systems publicly in a way that doesn’t impact them negatively.

Matt Fusaro 12:29
Yeah, I mean, I can’t remember the exact scenario, but I know that there was a few people that were actually going and upgrading ISP routers, and leaving messages inside of them, like, hey, there’s a huge flaw here. We fixed it for you. So I’m sure they would consider themselves a gray hat. I gotta be honest, you don’t really hear that terminology too much anymore.

Jason Pufahl 12:52
Not a lot.

Matt Fusaro 12:52
It’s kind of gone from the industry. I think there’s a lot of reasons why.

Steven Maresca 12:56
Yeah, absolutely.

Matt Fusaro 12:57
But yes, if you hear them, you know, that will be the difference, but, it’s not used too much anymore. So I think the intention of this, of this discussion, you know one, I think we thought it was interesting reading about the cardiologist or, you know, attacker/hacker. But I think the other is really to dispel that myth that, you know, hackers, are these lone actors just doing things, you know, for fun, or to be a little devious, right? I think we really do want to change that mindset so that people think of it as a profit-based exercise because I think too often we’re engaged in conversations where our clients will say things like, why do we, we don’t have data that makes us an attractive target, for example, and in the profit motivation, it isn’t about finding classified data from the government to rebuild airplanes in Russia, that of course exists, but it is very much can we impact or hamper a business’s productivity such that they’ll pay us the money to get productivity back?

Steven Maresca 14:00
Or, you know, to extend that point, break into a company that has no data, that has no systems, that has no speedy connection to the internet, but does have trust in another industry so that they can be impersonated. That’s sufficient to achieve other attacks. So, it’s more complicated and textured than merely, “Hey, I have something of value” and that point is really critical when talking about I don’t have anything that was worth being attacked. That’s just not the case in most organizations, because, you know, trust is central to cybersecurity. And if it can be abused in any capacity, it is as impactful as theft of data, or interruption of revenue, for that matter, right.

Matt Fusaro 14:44
And most of those places are probably selling themselves short. I mean, you’re in business for a reason, you’re in something valuable. There’s probably something to be exploited there.

Jason Pufahl 14:50
Right. And, you know, even if it’s just the fulfillment business, right, shipping and receiving, and they can bring that down like you’re done until you can fix it.

Steven Maresca 14:59
So backing up, why do we care about the definition of a hacker? Personally, when we’re dealing with an incident, it matters to us to understand the motives because it means that we know potentially what systems are being targeted, what data is being extracted. If we can divine that, there’s a better sense of our ability to convey that attack to outside entities as well as defend an organization again in the future.

Matt Fusaro 15:28
Yeah, it’s the same reason why the FBI went down the behavioral path, you know, what was that 20 years ago or so? And it produced good results. We do the same thing, we try to identify behaviors that attach to a group, attribute those types of attack.

Jason Pufahl 15:44
Make your investigation more meaningful, and make the discussions you’re having with the victim more meaningful, right, because it gives them some sense of, why us and what was the potential impact?

Matt Fusaro 15:54
Yeah.

Jason Pufahl 15:56
So yeah, I think that seems like a reasonable place to wrap up, right? It’s just you’re trying to drive home that there’s a bunch of different motivators out there for sure, profit really probably being the biggest one that we see today. And that it isn’t just that individual, right, these are pretty well orchestrated attacks, typically aimed at making some money in there. And frankly, there’s an entire underground economy, you have, maybe for lack of a better term, of surrounding these things. And you don’t want to bury your head in the sand and pretend you’re not going to be a potential victim, and here’s why we talk about things like security fundamentals, and some of the technical controls and programmatic improvements that we discuss all the time. So with that, you know if anybody wants to chat a little bit more about the general sort of cybersecurity or you know, the hackerspace. Here, we have a fair amount of experience here through a lot of the instant response work that we’ve done. Reach out to us at LinkedIn at Vancord or Vancordsecurity on Twitter, and we’ll help you keep the conversation going. And with that, we hope somebody got some value out of this and found it interesting and we appreciate everybody listening.

17:08
Stay vigilant, stay resilient. This has been CyberSound.