The End of the Sony Hack: Taxonomy of a Hacker
Alec Pallin, '17
Cyber security planning may be finally coming together. The national government has revamped the Department of Defense with a focus on increased cyber security, the private sector has slowly begun to place cyber security issues at the forefront of their public relations campaign, and we have even seen the public and private sectors begin to work together. I believe the catalyst that led to these events was the Sony hack in 2014. A private entertainment company was hacked over a movie portraying the death of a world leader, their entire system’s worth of data was then dumped onto Buzzfeed, the FBI later discovered that the anonymous group was North Korea, and a feud between The Interview’s producer Scott Rudin and Angelina Jolie developed around a conflict I still don’t understand. Honestly, this sounds more like a movie script then real life. Like any good movie script (or a Michael Bay film) the Sony hack left open the possibility for a sequel that follows the story a few months later. The FBI was rather clear about who was responsible for the incident. However, many believe that the hack was a public relations campaign to draw movie-goers into theaters. As this tale goes, Sony knew The Interview would flop, and thus hacked their own system, bought off the FBI, and pinned the event on North Korea. While those in the cyber community view this as ridiculous, it is difficult to understand for those who do not have an understanding of the steps it takes to attribute a hack. The literature focuses the technical aspects of attribution, while I will make the case for creating a more accessible system of attribution.
Simplifying the attribution of a hack
The Sony hack provided an area of need for research. According to various Internet forums, the skepticism around the Sony hack begins with the United States’ response to the hack. The United States did not announce a single responsible person, but instead blamed the entirety of North Korea and did not proceed with punishments outside of harsh rhetoric and sanctions. If the FBI was able to determine the attacks originated in North Korea, why was this the extent of the response? In short, attribution is difficult. While the source of the hacking activity can be traced back to North Korea, it may be impossible to locate the specific computer responsible for the hack. If it is, connecting the computer to the programmer creates a new set of issues. If a hack was conducted on a United States asset, citizen, or corporation from a source outside the United States, such as the Sony hack, retaliatory actions are difficult. The computer that the hack originated from may be found, but linking it to the coder calling the shots requires delving into international law. Without the host nation’s agreement to find and turn over the perpetrator, many hackers are left to go free under a government’s protection. To address this complication, I hope to create a system that connects code or a given malicious program to an expected profile for the hacker.
Defining a taxonomy of hackers
The prospect of finding a non-technical solution to the technical process of attribution is overwhelming, but hacking isn’t only a technical pursuit. Try as they might to avoid it, programmers do end up exhibiting human behavior. The literature has mostly skirted around this fact, focusing on the code instead of the programmer. I have searched high and low for information on the behavioral patterns of hackers, and found that, in 2006, Marcus Rogers published a taxonomy of hackers that broke down the craft into nine different types of programmers. These range from a novice to someone expected to be on the FBI’s most wanted list. Mr. Rogers then proceeded to call upon the cyber community to build off of his research. Yet, the community moved away from a focus on the individual and instead created a taxonomy for the different tools used by hackers, such as viruses, worms and other forms of malware. A novice hacker was assigned to using stock viruses copied off of the internet, for example. This is effective to an extent, but we could learn more by connecting behavior, programing ability and basic demographics (location, age, sex, race) to these categories of hackers.
Identifying hackers’ distinct behavioral patterns
This research will be divided into two major phases. The first will be to create profiles within the hacker categories defined by Roger’s taxonomy in 2006. Since then, Roger’s 9 categories have evolved along with the hacking community, and need to be adjusted. Through interviews with professionals, I hope to build a new taxonomy based on skill level, purpose, and the personal interest/incentives of the hacker. These categories could allow for automatic sorting of hackers through the analysis of their code.
This process doesn’t seek to be a method of sorting code but a way to help attribution by examining the programmer. The second phase uses the sorted code to evaluate the behavioral patterns and demographics of the programmers. The goal of this project is to be able to predict general information about the programmer from the taxonomy. Hackers follow distinct behavioral patterns that can be traced. If patterns can be drawn between the categories created from the code and the characteristics of the hacker, a profile of expected characteristics can be created. These characteristics can be used, even by a novice, to attribute attacks and to evaluate attribution claims, enabling those not privy to the technical details to determine whether an explanation for a high-profile hack is believable.