Christopher Ahlberg, CEO of threat intelligence company Recorded Future, told an audience at Black Hat Europe 2016 that attempts to attribute hacking to a specific person are often based on investigations of “sloppy handle usage”.
He jested, “no one can quite decide who is doing the hacking surrounding the US election - is it a 400lb guy in his basement in Utah or is it ‘Russia’.”
Ahlberg kicked things off by describing how often attribution rests on monitoring hacker forums and mapping the handles those hackers use across them.
Ahlberg explained, “hackers who might release vulnerabilities to one forum, might be running a successful hosting company on the side for an income.” He said this provides leads for investigation.
However, handle mapping on its own isn't always accurate. Ahlberg said Recorded Future's researchers rose to the challenge by applying maths to the problem, in what they call “pattern of life analysis,” which is designed to show just how predictable human behaviour can become.
Drawing laughter from the crowd, he spoke of Uber's research into the best and worst times to get taxis on days like Valentine's Day, and discussed crime rates in Chicago over a 24-hour period. Ahlberg jested, “Surprise surprise, we found that criminals do actually go to sleep at one point. Burglaries peak at 9am, and kidnappings peak around the times children's schools let their students out.”
According to Ahlberg, this ‘pattern of life’ can be applied to attribution. If a hacker uses one handle on one forum and a different handle on another, the combined pattern of sleep and posting, with one forum dying down as the other gets busy, can give the game away.
So Recorded Future embarked on an experiment and automatically collected all the handles they could get their hands on over a period of four years. This produced a total of 1.4 million handles from 750 forums in seven languages, all of them indexed and searchable. Ahlberg reported, “there was surprisingly little handle re-use, 96.6 percent had more than one.”
The researchers started to notice patterns in the data. Sleeping patterns differ from region to region: according to Ahlberg, Chinese hackers are most active in the morning and at lunchtime. During the celebration of the Islamic Revolution in Iran, Iranian hackers were inactive. And most hacking forums see a peak of activity in the daytime during Ramadan, which Ahlberg attributes to potential boredom and hunger from the fast, a “displacement activity.”
Ahlberg said, “we noticed distinct weekly patterns too and that some do break at the weekends.” Russians tend to be active during the night; Ahlberg thinks these are professionals who come home from a day of work to hack by night. He said the researchers think Iranians are hacking during the day because they are a younger crowd - potentially students.
Ahlberg added: “Patch Tuesday drives Exploit Wednesday.” He continued, “whenever patches are released for bugs, we noticed a spike in attempts of exploits.”
Once the data was collected, Ahlberg said Recorded Future's researchers began clustering patterns of life and turning them into blocks. That's where they started to ask: if two people's patterns are the same, are they the same person? Ahlberg said it is very difficult to fake this and make it look like you aren't the same person.
Concluding, Ahlberg said many of the handles they investigated were run by hackers whose forum activity on one website died down while the other lit up with posts. While Ahlberg acknowledged this is not highly accurate, he said it provides a good picture of a hacker's way of life and what they might do next, which is a useful lead when investigating online criminals.
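To make the pattern-of-life comparison concrete, here is an added illustration in Python. It is not Recorded Future's tooling and not part of the talk; the handle names, the forum split and every timestamp are constructed sample data. It buckets each handle's posts by hour of day, finds the sleep gap, and scores two handles on three signals: how similar their waking profiles are, how much their quiet hours coincide, and whether the two handles' posts merged together still leave one plausible sleep gap (two different people's posts merged together usually do not).

```python
"""Pattern-of-life comparison of forum handles from post timestamps.

Added example for this article, not Recorded Future's tooling. The handle
names, forum split and every timestamp below are constructed sample data.
"""
import math
from datetime import datetime, timedelta, timezone

HOURS = 24


def synth_posts(start_day, days, active_hours):
    """Constructed post log: one post per listed hour per day, with a
    deterministic third of them dropped so the counts are not perfectly flat.
    Repeating an hour in `active_hours` makes it a peak hour."""
    posts = []
    for d in range(days):
        for i, h in enumerate(active_hours):
            if (d + i) % 3 == 0:
                continue
            posts.append(start_day + timedelta(days=d, hours=h, minutes=(d * 13 + i * 7) % 60))
    return posts


def hourly_profile(posts, utc_offset_hours=0):
    """Post counts per hour of day, read in a chosen UTC offset so a profile
    can be viewed in a suspected home time zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    counts = [0] * HOURS
    for ts in posts:
        counts[ts.astimezone(tz).hour] += 1
    return counts


def quiet_hours(counts, frac=0.1):
    """Hours at or below `frac` of the busiest hour: candidate sleep hours."""
    ceiling = max(counts) * frac
    return {h for h, c in enumerate(counts) if c <= ceiling}


def longest_quiet_run(counts, frac=0.1):
    """(start_hour, length) of the longest circular run of quiet hours, i.e.
    the sleep gap. One person's profile should show a single run of several hours."""
    quiet = quiet_hours(counts, frac)
    best = (0, 0)
    for start in range(HOURS):
        length = 0
        while length < HOURS and (start + length) % HOURS in quiet:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best


def cosine(p, q):
    """Similarity of two hourly profiles (1.0 = identical shape, 0.0 = disjoint)."""
    dot = sum(a * b for a, b in zip(p, q))
    norm = math.sqrt(sum(a * a for a in p)) * math.sqrt(sum(b * b for b in q))
    return dot / norm if norm else 0.0


def jaccard(a, b):
    """Overlap of two sets of quiet hours."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def compare_handles(posts_a, posts_b, utc_offset_hours=0):
    """Three signals for 'same person?': similar waking profile, the same
    sleep hours, and a merged profile that still leaves one sleep gap."""
    pa = hourly_profile(posts_a, utc_offset_hours)
    pb = hourly_profile(posts_b, utc_offset_hours)
    combined = [a + b for a, b in zip(pa, pb)]
    return {
        "activity_similarity": cosine(pa, pb),
        "sleep_overlap": jaccard(quiet_hours(pa), quiet_hours(pb)),
        "sleep_a": longest_quiet_run(pa),
        "sleep_b": longest_quiet_run(pb),
        "combined_sleep": longest_quiet_run(combined),
    }


# Constructed sample data: 30 days of posts per handle, all stored in UTC.
START = datetime(2016, 11, 1, tzinfo=timezone.utc)
HANDLES = {
    # "nightowl" on one forum and "n1ght_0wl" on another: evening/night posters
    "nightowl": synth_posts(START, 30, [18, 19, 20, 20, 21, 21, 22, 23, 0, 1]),
    "n1ght_0wl": synth_posts(START, 30, [19, 20, 21, 21, 22, 22, 23, 0, 1, 2]),
    # "daywalker": a daytime poster with no overlap with the first two
    "daywalker": synth_posts(START, 30, [8, 9, 10, 11, 12, 12, 13, 14, 15, 16]),
}

if __name__ == "__main__":
    for a, b in [("nightowl", "n1ght_0wl"), ("nightowl", "daywalker")]:
        print(a, "vs", b, compare_handles(HANDLES[a], HANDLES[b]))
    # Read the night poster's profile on UTC+3 (Moscow): 18:00 UTC becomes 21:00 local.
    print("nightowl, UTC+3:", hourly_profile(HANDLES["nightowl"], 3))
```

On this constructed data the two night handles score a high profile similarity, near-identical quiet hours, and a merged profile that still leaves a 15-hour gap, while the night handle paired with the day handle scores zero similarity and a merged profile with only a six-hour gap. Real forum data is far noisier than this, and the quiet-hour threshold (`frac`) and the UTC offset are the knobs an analyst would tune; as the article notes, the output is a lead, not an identification.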