The Psychology of Changing Attacker Priorities
The general priorities and goals of attackers have changed over time. I'm going to be speaking about trends and generalities, rather than absolutes. I see hacking as a series of epochs where the incentives and motivations of hackers change over time. Elements of each period flow into other periods and there aren't clear, hard transitions between periods of attacker priorities.
Understanding attacker goals and priorities is important for detection, hardening, and trying to predict where things will go in the future.
Pre-History
The first hackers were interested in things like:
- Free Access to Resources - Captain Crunch getting free phone calls, MIT hackers getting time on the big machines, hacking BBSes for file sharing.
- To Highlight Security Problems - The Morris Worm, The L0pht publications. Making big tech companies look bad. Lols.
- Destructive Mischief - The virus writers.
- Exploration - Learning about new systems, code, and the limits of hardware.
The psychology of this period was somewhat innocent and naive. Much of the time no harm was intended; the scene was comprised of curious people just trying to learn. The Morris Worm was intended to demonstrate a set of security weaknesses rather than to do damage, but a bug in its logic for checking whether a host was already infected caused it to re-infect machines repeatedly, overloading systems at many organizations.
Security was somewhat obscure and underground and far from the awareness of the mainstream.
The Hunter Gatherer Era
Over time, the above priorities changed:
- Root Shells - One time in the early 2000s I got ~30,000 root shells over the course of a couple of days. That was great fun, but from a practical standpoint, it didn't accomplish much. The goal at this time was just to prove you had administrative access to as many hosts as possible. I remember hearing Halvar Flake say something like "Why would you want a shell? If you need a shell you've probably screwed up" and really taking it to heart.
- Destructive Mischief - Website defacement. A site called Zone-H started tracking defacements, and hackers would build a reputation, racking up points by hacking as many sites as possible and replacing their content with memes, graffiti-like images, and taunts.
- Making Security Researchers Look Bad - With the rise of anti-sec, pr0j3ct m4yhem, and others, hacking whitehat researchers and embarrassing them became a goal for some hackers.
The psychology of this time period was more about competition: showing off your skills, winning against your target, and damaging your enemies. As technology became more prominent in mainstream awareness, security grew with it. We saw the Masked Hacker on TechTV. Some worms made the news. Metasploit was used in a Die Hard movie. Pentesting started to become a viable practice. Security conferences took off and grew massively in size.
The Industrial Revolution
Then came the period I call the monetization period. This was characterized by:
- Hackers selling exploits, either on black markets or to government brokers.
- Hackers focusing on stealing credit card numbers and PII, and the rise of underground digital markets.
- The rise of a serious security industry that garnered real investment and began making a ton of money.
- Underground blackhats trading source code they stole from big tech companies for access, exploits, and tools.
Many previously public researchers went quiet because exploits and 0days became a commodity that was more valuable than simply as tools for building a reputation.
Modern Times
Now we reach the modern era which is defined by the following:
- Ransomware - Encrypting a victim's files in order to extort money from them. I wrote what I thought was the first paper on this in 2005, but I think I was beaten to the concept by Dr. Adam Young and Dr. Moti Yung with their paper “Cryptovirology: Extortion-Based Security Threats and Countermeasures” in the Proceedings of the 1996 IEEE Symposium on Security and Privacy. This is a natural evolution of the monetization phase described above.
- Crypto-currency Thefts - The modern era has seen a huge spike in hackers stealing crypto-currency. Digital money is a clear target for monetizing hackers.
- Targeting MFA - Hackers are very focused on defeating multi-factor authentication (SIM swapping, push-notification fatigue, real-time phishing of one-time codes, and theft of already-authenticated session tokens) in order to get access to organizations, especially infrastructure organizations such as mobile carriers, big tech, etc.
- Access to Cloud and Container Resources - Whether it is to install crypto-miners, disrupt an organization's operations, or gain bandwidth for use in DDoS attacks, attackers are targeting cloud nodes and containers. A root shell is incidental, if used at all.
- Warfare - While it's been there all along, media reporting on the use of hacking in warfare has been growing.
As each era of hacking passes, it carries with it elements of the eras that came before, while incorporating new priorities and an evolving focus.
The Future
Here are a few things that I think may define the next era of attacker motivations and incentives:
- Access to Large Language Models for the purposes of generating money-making tools as well as mass psychological influence.
- Modification or Poisoning of LLMs - There are many incentives for influencing the behavior of LLMs. I'll write a larger post about this at a later time.
- The high-profile destruction of critical infrastructure as conflicts escalate.
- The incorporation of hacking as an element of electronic warfare, especially in the area of drones, FPV and otherwise.
- New forms of monetization. (Maybe some combination of ransomware and social media, rather than simply encrypting files)
I think popping root shells, website defacements, innocent exploration, and the publication of security vulnerabilities by individual researchers to affect big tech companies will become less and less common and relevant, because there will be too much value in other efforts.
Thanks for reading,
A.