
Top questions to help you think like a cyber criminal

ChrisCalvert ‎12-11-2013 03:16 PM - edited ‎07-07-2015 11:18 AM

The last post I wrote on “knowing your enemy” left me somewhat unsatisfied. Thinking like a cyber criminal requires you to both understand and empathize with an attacker, to the extent that is possible. This concept deserves more than a few paragraphs, so I thought to myself, “if I could sit down with a real cyber criminal and ask questions, what would I want to know?” Here is the list of questions I came up with and some context on why I want to know. In some cases I tried to add the types of data that might give us some clue to the answers without a cooperative bad guy to answer questions. This type of information is important to the complicated problems of attacker attribution, detection and calculated response.

Geography and Sociology: Most of this information can only come from open-source intelligence collected against specific groups and individuals.

  • What is the attacker’s background?
  • How did life and economic circumstances lead them to this outcome?
  • What region / country are they from?
  • What is their native language? What other languages do they speak? There are linguistic idiosyncrasies that can identify mother tongue and thus likely geographic origin.
  • How strong is local cyber law enforcement? International collaboration? Are they likely to be held accountable?
  • How important is anonymization tradecraft to this attacker?
  • How prevalent is local corruption? Is it a social norm or aberrant behavior? This can indicate whether to look for criminal psychologies or to expect purely rational action. Transparency International can give you a good sense of this once you know their geography.

Skill, capability and tradecraft: These are items that can be discerned from the observed actions of an attacker in log files across the breadth of an attack.

  • What are their technology focus areas? Specialization? There is a lot of information to be gained from their personal technology choices.
  • How important is being stealthy to them? Post breach lateral spread can be highly visible or very slow and stealthy.
  • What is their technical skill level? Tools only, systems, programmer or zero-day researcher. Age, education and experience can be seen here.
  • What technical mannerisms do they have? Are they repeated, or do they change during the attack? A change can indicate kill chain specialists working together.
  • How much social engineering is involved in their methodology? This is always the weakest point to attack... "A resume is the most powerful hacking tool..." This also shows how important non-attribution is to them, as avoiding direct social engineering is a sign of a paranoid attacker or...
  • Do intangibles (observed personality) change from one attack stage to the next? Again this shows specialization…
  • What anonymization tradecraft do they employ? E.g. correlation with Tor exit nodes or bot hosts, etc...
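
Two of the indicators in this list, correlation of login sources with Tor exit nodes and the tempo of post-breach lateral spread, can be pulled straight out of authentication logs. The script below is an added example, not code from the original post or from HP; the log format, the host names and the "exit-node" addresses are all constructed for illustration (the addresses are RFC 5737 documentation ranges, not real exit nodes), and the hosts-per-minute threshold that separates "noisy" from "stealthy" spread is an assumed value you would tune to your own environment.

```python
"""Added example: extracting two tradecraft indicators from authentication logs.

Correlates login source addresses against an exit-node list and measures how
fast an account touches new hosts (distinct hosts per minute), which is one
way to tell noisy automated spread from slow, stealthy movement.
All log lines and addresses are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed exit-node list: documentation addresses, not a real Tor consensus.
# A real deployment would load the published exit list on a schedule.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Constructed log lines in a hypothetical "Accepted ... for USER from SRC to DST" format.
SAMPLE_LOGS = [
    "2013-12-11T02:05:10Z sshd: Accepted password for svc_backup from 198.51.100.7 to jumpbox",
    "2013-12-11T02:06:02Z smbd: Accepted session for svc_backup from 10.0.0.15 to fileserver01",
    "2013-12-11T02:06:03Z smbd: Accepted session for svc_backup from 10.0.0.15 to fileserver02",
    "2013-12-11T02:06:04Z smbd: Accepted session for svc_backup from 10.0.0.15 to fileserver03",
    "2013-12-11T02:06:05Z smbd: Accepted session for svc_backup from 10.0.0.15 to db01",
    "2013-12-11T02:06:06Z smbd: Accepted session for svc_backup from 10.0.0.15 to db02",
    "2013-12-11T09:14:55Z sshd: Accepted publickey for alice from 10.0.0.22 to devbox",
    "2013-12-11T10:40:00Z sshd: Accepted publickey for alice from 10.0.0.22 to buildsrv",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+): Accepted \w+ for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) to (?P<dst>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def tor_correlated_logins(lines, exit_nodes=TOR_EXIT_NODES):
    """Logins whose source address is on the exit-node list, as (user, src, dst) tuples."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["src"] in exit_nodes:
            hits.append((rec["user"], rec["src"], rec["dst"]))
    return hits


def lateral_tempo(lines):
    """Per user: distinct hosts touched and hosts-per-minute over the observed span.

    Many new hosts within seconds reads as noisy, scripted spread; a handful of
    hosts over hours reads as slow, deliberate movement.
    """
    first, last, hosts = {}, {}, defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        user = rec["user"]
        first[user] = min(first.get(user, rec["ts"]), rec["ts"])
        last[user] = max(last.get(user, rec["ts"]), rec["ts"])
        hosts[user].add(rec["dst"])
    tempo = {}
    for user, touched in hosts.items():
        # Floor the span at one second so a single-line user does not divide by zero.
        span_min = max((last[user] - first[user]).total_seconds(), 1.0) / 60.0
        tempo[user] = {
            "hosts": len(touched),
            "hosts_per_minute": round(len(touched) / span_min, 2),
        }
    return tempo


def classify(tempo_entry, noisy_threshold=2.0):
    """Label a user's spread 'noisy' or 'stealthy'; the threshold is an assumed value."""
    return "noisy" if tempo_entry["hosts_per_minute"] >= noisy_threshold else "stealthy"


if __name__ == "__main__":
    print("exit-node logins:", tor_correlated_logins(SAMPLE_LOGS))
    for user, entry in lateral_tempo(SAMPLE_LOGS).items():
        print(user, entry, classify(entry))
```

On the constructed sample, `svc_backup` logs in from a listed exit node and then touches six hosts in under a minute, so it is flagged on both indicators, while `alice` touches two hosts over about 85 minutes from an internal address and is not. The absolute threshold matters less than the contrast: the same account's tempo observed over several days is what tells you whether a given actor values stealth.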

Economics and Underground Market Dynamics: This information is likely only available to the focused investigator or someone in a position to understand the end-game monetization of the attack.

  • How do they plan to monetize? Hosts, accounts, bots, spam, credit card #’s, code, exploits… self-contained attack or within the larger underground marketplace?
  • How do they engage with their intermediaries both up and down stream?
  • What are their alternate career opportunities? Do they have a way out? Hackers within some organized criminal gangs are “employed for life”...
  • What resources are they likely to have access to? Test labs, high-end software, attack testing on purchased vs. stolen resources
  • How large is their immediate network of collaborators?
  • Where do their known associates exist in the underground marketplace?

Ideology and objective: This is visible in the overt or covert reason for the attack, and traditionally is called impact analysis.

  • What ideology or category of ideology are they advancing? Criminal, religious, nationalist, activist, anarchist, economic, social…
  • How committed are they? This can often be determined from the list above as certain motivations are more powerful than others.
  • What is their specific immediate objective?
  • How persistent will they be in the face of an active defense?
  • How much ego or bureaucracy (structure) can be observed? This can show how deeply they are integrated into a larger organization.

Personality: There are many indications of personality in attacks, and these are the questions that can help you understand the implications of that observed personality.

  • What might deter them?
  • What is their tolerance for risk?
  • What effect would a public statement to them have? Damage Assessment or psychological deterrence?
  • What criminal psychological deviations may be involved?

These questions have all kinds of ramifications for the defender, and even informed guesses based on observed evidence can help you "think like a bad guy". For more information on how HP’s enterprise security products can help you defend your critical information, visit
