Sunday, January 11, 2009

What Motivates Adversaries?

System intruders value potential target assets by the financial gain they can realize from compromising them. Markets are well established for buying and selling compromised systems and data of all types. For financial transaction systems, the value of controlling wire transfer and ACH accounts can be calculated directly. Non-financial motives for compromise still exist; however, they represent a continually decreasing share of compromise events. System intruders are now predominantly financially motivated, and thus the assets they will pursue, and how much they will invest in pursuing them, can be roughly predicted from the financial return they expect for their effort, much as an investor calculates return on investment.

Non-Financial Motives
Non-financial factors were the impetus behind the majority of system compromises through the late 1990s. These motives included pursuit of forbidden knowledge, the game of system compromise, pranksterism, and reputation building.

In the 1960s and 1970s computer systems were physically and financially inaccessible to many who wanted to understand their inner workings. Those hungry enough to explore the systems, who were not among the few authorized operators, gained access without authorization. College students attempting to get more time on systems developed many compromise techniques, such as Trojan software. John Draper, asked about the techniques he developed for gaining operator access to phone systems, stated the hacker ethos of the time in an interview published in the October 1971 issue of Esquire Magazine.

I don’t do that. I don’t do that anymore at all. And if I do it, I do it for one reason and one reason only. I’m learning about a system. The phone company is a System. A computer is a System, do you understand? If I do what I do, it is only to explore a system. Customers, systems, that’s my bag. The phone company is nothing but a computer. – From Secrets of the Little Blue Box by Ron Rosenbaum, Esquire Magazine (October 1971)

Pursuit of knowledge was the motive for Terminus, and it ultimately led to his arrest when, in February 1990, the Secret Service questioned him in his home and confiscated his Netsys computer containing illicitly obtained software such as the KORN SHELL and UNIX SV Release 3.1.[1]

System intruders build their reputation through penetration of previously uncompromised systems and through development of new compromise techniques. Proof of intrusion is better than just a story, so intruders often collected electronic trophies as evidence of their compromises. In 1988, Prophet of the Legion of Doom (LoD) compromised a BellSouth system, AIMSX. He did no damage to the system; he just explored. In his probing of the system he discovered a file containing information related to administration of the 911 system (the E911 document). Why did he download the file? It was a trophy, proof of his compromise of the system. It was also forbidden knowledge, and possession of forbidden knowledge was the currency with which reputation was bought.[2]

Some system compromises were simply to pull off a prank. In June 1989 an intruder compromised a Southern Bell phone switch and redirected calls made to the Palm Beach County Probation Department to "Tina," a phone-sex worker in New York State.[3]

[1] The Hacker Crackdown, pp. 114-116
[2] The Hacker Crackdown, pp. 112-113
[3] The Hacker Crackdown, p. 95

Threat Defined

An information system threat is a probable event that could result in harm to the owner of the information system. A threat is realized through successful execution of one or more attacks against a system. For example, the threat may be unauthorized access to web applications through theft of user authentication credentials. Attacks that may be used to realize that threat include keystroke logging, phishing, pharming, interception of network communications, and social engineering.

Determining the threats to a system is not always as obvious as it is in the contrast between a bakery and an on-line gambling company. That contrast does, however, emphasize that a threat to one system owner may not be a threat to another. The significance of threat exposure for each system is a core security decision factor. Threat analysis is the process of identifying threats, determining their significance to the system owner, and selecting the correct controls to address the attack methods through which each threat may be realized.

Introduction to Threat Analysis

A threat is an impending event that is harmful. Something that is impending and harmful to one entity may not be to another. A 6.0 magnitude earthquake is harmful. Whether an earthquake is impending or not depends on location. According to the U.S. Geological Survey there is a 90% probability of a 6.0 or greater magnitude earthquake occurring in the San Francisco Bay region before 2037. There is an essentially zero probability of a similar magnitude earthquake occurring in Bismarck, North Dakota, during the same period. Earthquakes are a threat to those who live in San Francisco. They are not a threat to those who live in Bismarck.

Just as the threat of earthquake varies by location, many threats to information systems vary by entity and by system. Consider the threat of Internet denial of service within the context of two organizations: an on-line gambling company and a local bakery. A denial of service attack against the Internet-facing gambling systems would directly reduce the owner's revenue, particularly in the run-up to a major sporting event. Denial of service against those systems is also likely to occur, because malicious actors know they can often extort money from the system owners in return for not DoS'ing their systems. It is a threat to owners of on-line gambling systems because it is both harmful and likely to occur.

Denial of service is not a threat to the owner of a local bakery whose revenue is not dependent on its Internet-facing systems. Were the attack to occur, the system owner would likely not notice the attack for an extended period of time. If she were to notice the attack, she would likely consider it an annoyance at most. Further, denial of service against her systems is not likely to occur because malicious actors have no rational motivation for doing so – no financial reward, no reputation reward.

Threat analysis is a method of determining the significance of various threats to your entity and your specific information systems and deciding how to address the threats.
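As an added illustration of the threat analysis described here and under Threat Defined (this is example code, not code from the original post), the following Python models threats as attack methods mapped to controls, scores each threat per entity as likelihood times harm, and selects controls only for the attack methods of threats that are significant to that owner. The 0-5 harm scale, the significance threshold, the two entities' values, and the control names are constructed assumptions; the post specifies no numeric method.

```python
"""Threat analysis: the same attack is a significant threat to one
system owner and a non-issue for another.

Added example, not code from the original post. The scoring scheme
(likelihood x harm, harm on a 0-5 scale, threshold 1.0) and all numbers
below are constructed illustrations, not data from the page.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    # Attack methods through which the threat may be realized, each mapped
    # to the control(s) that address that attack method.
    attacks: dict  # attack method -> tuple of controls


@dataclass
class Entity:
    name: str
    # Per-threat likelihood of the event (0..1) and harm to this owner if
    # it occurs (0..5). Constructed values for illustration.
    likelihood: dict = field(default_factory=dict)
    harm: dict = field(default_factory=dict)


def significance(entity, threat):
    """Expected harm for this owner: likelihood times harm (assumed model)."""
    return entity.likelihood.get(threat.name, 0.0) * entity.harm.get(threat.name, 0.0)


def analyze(entity, threats, threshold=1.0):
    """Rank threats for one entity and pick controls for the attack methods
    of every threat whose significance meets the threshold.

    Returns (significant threat names in rank order, selected controls)."""
    ranked = sorted(threats, key=lambda t: significance(entity, t), reverse=True)
    significant = [t for t in ranked if significance(entity, t) >= threshold]
    controls = []
    for t in significant:
        for attack, ctrls in t.attacks.items():
            for c in ctrls:
                if c not in controls:  # keep first occurrence, no duplicates
                    controls.append(c)
    return [t.name for t in significant], controls


# Constructed threat catalogue: attack methods and the controls that address them.
DOS = Threat("denial of service",
             {"volumetric flood": ("upstream scrubbing", "rate limiting")})
CRED_THEFT = Threat("credential theft",
                    {"phishing": ("user awareness training", "multi-factor authentication"),
                     "keystroke logger": ("multi-factor authentication", "endpoint anti-malware")})
THREATS = [DOS, CRED_THEFT]

# Constructed entities: DoS is likely and costly for the gambling site,
# unlikely and nearly harmless for the bakery, which still has banking
# credentials worth stealing.
GAMBLING = Entity("on-line gambling company",
                  likelihood={"denial of service": 0.8, "credential theft": 0.5},
                  harm={"denial of service": 5, "credential theft": 4})
BAKERY = Entity("local bakery",
                likelihood={"denial of service": 0.05, "credential theft": 0.3},
                harm={"denial of service": 1, "credential theft": 4})

if __name__ == "__main__":
    for e in (GAMBLING, BAKERY):
        names, controls = analyze(e, THREATS)
        print(e.name, "->", names, "controls:", controls)
```

Run as-is, the gambling company ranks denial of service first and buys both scrubbing and credential controls; the bakery's only significant threat is credential theft, so no denial of service control is selected for it. Swapping in an owner's own likelihood and harm estimates is the whole of the exercise; the catalogue of attack methods and controls stays the same.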