The Psychology of Changing Attacker Priorities

Fate and circumstance have returned us to this moment, when the teacup shatters.

The general priorities and goals of attackers have changed over time. I'm going to be speaking about trends and generalities, rather than absolutes. I see hacking as a series of epochs where the incentives and motivations of hackers change over time. Elements of each period flow into other periods and there aren't clear, hard transitions between periods of attacker priorities.

Understanding attacker goals and priorities is important for detection, hardening, and trying to predict where things will go in the future.


The first hackers were interested in things like:

  • Free Access to Resources - Captain Crunch getting free phone calls, MIT hackers getting access to big machine time, hacking BBSes for file sharing.
  • To Highlight Security Problems - The Morris Worm, The L0pht publications. Making big tech companies look bad. Lols.
  • Destructive Mischief - The virus writers.
Blaster Virus
  • Exploration - Learning about new systems, code, and the limits of hardware.

The psychology of this period was somewhat innocent and naive. Much of the time no harm was intended, and the period was made up of curious people just trying to learn. The Morris Worm was intended to raise awareness about a security vulnerability but, due to a bug in the code, it unintentionally caused damage to many organizations.

Security was somewhat obscure and underground and far from the awareness of the mainstream.

The Hunter Gatherer Era

Over time, the above priorities changed:

  • Root Shells - One time in the early 2000s I got ~30,000 root shells over the course of a couple of days. That was great fun, but from a practical standpoint, didn't accomplish much. The goal at this time was just to prove you got administrative access to as many hosts as possible. I remember hearing Halvar Flake say something like "Why would you want a shell, if you need a shell you've probably screwed up" and really taking it to heart.
  • Destructive Mischief - Website defacement. A site called Zone-H started tracking defacements, and hackers would build a reputation by racking up points: hacking as many sites as possible and replacing their content with memes, graffiti-like images, and taunts.
Government Website Defacement
  • Making Security Researchers Look Bad - With the rise of anti-sec, pr0j3ct m4yhem, and others, hacking whitehat researchers and embarrassing them became a goal of some hackers.
ZF0 Ezine of Compromised Whitehats

The psychology of this time period was more about competition: showing off your skills, winning against your target, and damaging your enemies. As tech grew in importance in mainstream awareness, security grew as well. We saw the Masked Hacker on TechTV. Some worms were in the news. Metasploit was used in a Die Hard movie. Pentesting started to become a viable practice. Security conferences took off and grew massively in size.

The Industrial Revolution

Then came the period I call the monetization period. This was characterized by:

  • Hackers selling exploits either on black markets or to government brokers.