[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200407202005.i6KK5FYY005884@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Motivations... (was Re: IE now on-topic
On Tue, 20 Jul 2004 12:36:06 PDT, Andrew Latham said:
> 1. Boredom - more brains than hobbies
> 2. Needs
> - burstable bandwidth - downloads
> - knowledge
> - bragin rights
> 3. Challenges
> 4. Other
You're equating "black hat" with one subset thereof, more or less. It's a lot
more complicated in the real world...
I'd posit that the goals and motivations of the black hat can be classified in
three wide ranges, with totally different threat models:
1) "type of target" - you don't care who's box it is - you want "any suitable
zombie", "any suitable Windows/IIS server", "any suitable Solaris box".
2) "identity of target" - The target has been selected because it's a server
for company X, or you want to deface the webpage for organization Y, or it's
payback time for black-hat Z.
3) "monetary/related gain" - you really don't care who the target is, it's all
about the paycheck - whether it's 500K zombies created by a virus-for-pay, or a
hacking run against a server that has credit card numbers on it...
Notice that there can be overlap - a black hat engaging in (2) or (3) may very
well want to pick up a collection of type (1) stepping-stone machines to launch
the attack from.
Also, a target can be in different categories at the same time - it can be
probed by a script kiddie looking for zombies, while at the same time it's
being targeted by a disgruntled ex-employee and a professional criminal.
Understanding the differences is important - a defense sufficient to stop the
random probing (1) won't slow down either of the other two. However, the
professional criminal is more likely to nail you with a 0-day - but will move
along if they decide the risk/payoff ratio is bad (they see you have enough
network monitors to nail their ass in court, they're outta there ;). The
disgruntled ex-staffer may not have a 0-day - but they may well decide it's a
personal issue and *keep* attacking when a professional would move on...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040720/20ad5d6f/attachment.bin
Powered by blists - more mailing lists