Texas Tech University

How and Why Hackers Use the Cloud to Launch Stealth Attacks

Amanda Bowman

July 9, 2020

Researchers from the Edward E. Whitacre Jr. College of Engineering and the Department of Psychological Sciences wanted to find out how the mind of a hacker works, why hackers make the decisions they do and more.

When you read about someone hacking into a company's system and stealing thousands of credit card numbers and other sensitive data, it's hard not to picture the stereotypical stock photo image. A seedy-looking person is wearing a hoodie, hunched over a laptop, decimating the livelihoods of their victims.

So why does someone decide to launch these cyberattacks? That's one of the questions researchers in Texas Tech University's Edward E. Whitacre Jr. College of Engineering and the Department of Psychological Sciences are trying to answer.

Akbar Siami-Namin

Akbar Siami-Namin, an associate professor of computer science; Keith Jones, an associate professor of human factors psychology; and engineering graduate students Moitrayee Chatterjee, Prerit Datta and Faranak Abri published two papers, "Launching Stealth Attacks Using the Cloud" and "Cloud as an Attack Platform." The group will present their papers virtually at the Institute of Electrical and Electronics Engineers Computer Society annual Computers, Software and Applications Conference (COMPSAC 2020) July 13-17.

These papers, supported through a grant from the National Science Foundation (NSF), discuss cybersecurity, using the cloud to commit cyberattacks and how developing a "mind map" is essential to producing countermeasures against those attacks.

Keith Jones

"It is critically important to understand how cyberattackers make decisions," Jones said. "Armed with that knowledge, one can develop better countermeasures. For example, in understanding how cyberattackers exploit cloud services, one has a head start on trying to prevent attacks. Also, one can better train cyberdefenders, who are in critical demand these days. Cyberdefenders must be able to think like cyberattackers in order to perform their duties well."

Recruiting participants

To conduct their research, the group recruited 75 professional hackers from hacking conferences DEF CON and Black Hat.

"DEF CON and Black Hat are different from regular tech conferences," Datta said. "People with a variety of expertise participate and share the latest nitty-gritty in cybersecurity, which in turn helps practitioners to hone their skills and protect people online. Participating in these conferences provided a really wonderful experience to see people so enthusiastic to share their knowledge."

The group presented the participants with random scenarios. Each hacker selected one scenario, then described to the group how they would handle the problem. The results, Siami-Namin said, were surprising.

"We noticed that 9 out of 10 participants answered saying they would use the cloud to launch the attack," he said. "Then, we did some research to understand why they're interested in the cloud. We noticed the cloud environment provides some free resources for the attackers, such as not having to provide any personal identification. You remain anonymous all the time. Some of the resources asked for a credit card number, but there are some websites that actually create dummy, yet valid, credit card numbers. This way, the attackers are able to create an account on the cloud without even exposing their own identity."

Abri stated that coding the data was imperative to the research.

"After analyzing the interviews in a series of group meetings, we noticed that most of the interviewees mentioned cloud abuse to conduct their malicious activities," she said. "It was quite a surprise to observe such patterns in the data we collected, and it certainly shows the importance of coding survey data. Employing a proper coding scheme certainly helped in discovering such an important pattern in the data."

Chatterjee clarified that no personal information was collected from the hackers.

"We did not collect any demographic data during recruiting participants," she said. "It had a drawback that we cannot tell apart an ethical hacker/penetration tester (pen-tester) or malicious hackers, but the participants were unguarded about their responses. Also, at a conference like DEF CON, participants don't have name tags. We all got a tag that said 'human.' But, interestingly, recruiting participants was not easy. They were very scared of the possibility of us 'social engineering' them. Some of them even thought we were stealing biometric data when we offered them a pen to scribble down their thoughts using diagrams."


Cyberattackers also are able to use features designed for professional developers provided by certain cloud services, like Amazon Web Services, to create their own virtual machine, Siami-Namin said.

With their anonymity secured, hackers then can launch their attacks.

"As soon as the attack is launched and they get the sensitive information they're looking for, they remove that computing virtual machine, things they have created on the cloud, to erase any trace evidence," Siami-Namin said. "This way, we noticed it is possible to actually launch what we call a 'stealth attack,' which means the attackers are able to do whatever they want without ever being exposed to the general public."

Siami-Namin notes that the cloud infrastructure itself is interesting from many aspects because there isn't a specifically assigned Internet Protocol (IP) address, the numeric address given to a computer connected to the internet, that can be blocked.

"Anytime attackers are actually launching an attack, they would constantly be assigned a new IP address," he said. "So, it's just not possible to block their IP address from attacking you."

This constantly changing IP address isn't always used for nefarious reasons, though. Some ethical hackers who use their skills for activism – sometimes called "hacktivists" – can use it to report on what's happening under a dictatorial government, Siami-Namin said.

Benefits of the research

Siami-Namin said this research would aid in creating more useful educational models for students who want to learn how to prevent cyberattacks and be able to predict the moves of cyberattackers.

"The first benefit of these kinds of research is that we can understand what is going on in the mind of the attackers," he said. "This research is called cognitive attack analysis, which means you need to actually speak to the experts and see how you're dealing with the day-to-day problems and how the experts think. So, that mind map is actually full of information with respect to the better flow of information in building a better defense system.

"This kind of information can be beneficial for many people, including educators, to actually create instructional modules, which are very to the point and don't waste the students' time learning something that is not useful. It can be very beneficial for the defense as a means of reference to predict if you're under attack or not. It also can be useful for other researchers to see if it is possible to apply a monitoring strategy, or artificial intelligence-based strategy, to track activities on the cloud."