The problem of classifying hackers by danger

Tomcat


There is only this space, completely familiar, in which there are no surprises.
It is fully lit, every inch is under supervision.

But beyond the perimeter there is such impenetrable darkness that you can’t see anything even a meter away.
And hands reach out from this darkness. Armed hands. With one goal - to destroy all this light.
And then a pistol appears from the darkness. It is well known what it looks like and what it is capable of: a Desert Eagle.

But how can you tell whose hand is holding it?

Is it a mercenary who won't even blink before pulling the trigger, or a preschooler who can barely hold the gun and would be killed by his own shot?
It seems that the introduction turned out to be much more interesting than the article itself.

Let me try again, less literary.

Work on mistakes

Five years ago, when I was writing my thesis, my thesis supervisor suggested a topic on the classification of security violators. At that moment, it seemed to us that the topic was too small for a diploma, but some of the developments still went into use.

Years have passed, but some of the questions that were raised in my diploma still concern me.
I am more than sure that I missed a lot in the classification of violators and would like to see your thoughts on this matter in the comments.

Now it's definitely the beginning

Can classifications of security attackers be used for anything other than building a security attacker model?

My diploma argued, in particular, that yes, they can.

But first, let's look at the definitions.

Instead of the long phrase “security attacker,” I will use “hacker.” After all, we are not an academic journal to use bureaucratically verified formulations.

At first I thought that the classification should be based on the “strength” of the hacker. But then we had to define what “hacker strength” is. The result was something along the lines of “Strength is the amount of damage that a hacker can inflict on the system.” Then we would have to talk about how we measure the damage: in the monetary cost of eliminating the consequences of the attack, in downtime or recovery time, or in some other equivalent.

But I made a Solomonic decision, moved away from strength altogether, and classified hackers according to the danger they pose to the system being attacked. Well, decide for yourself what you mean by danger here.

Let's classify?

So, we have come to classify hackers according to the danger to the system. Well, how can you classify? Yes, you can take three gradations: “low danger”, “medium danger” and “high danger”.

That's it, we figured it out. Thank you for reading my little article, I'm glad you took the time to read it.

In fact, we are slowly approaching the problem that worries me: is it possible to automatically classify hackers?

So first let's see what we have now.

I managed to find two main approaches:
  • by resources;
  • by knowledge.

Now let's see what I don't like about them.

Classification by resources

This classification can be found at FSTEC. To be more precise, they do not classify the violators themselves, but their potential:
  1. Violators with basic (low) potential.
  2. Violators with basic increased (average) potential.
  3. Violators with high potential.

The violators of the third category include “Special services of foreign states (blocs of states).”

In essence, the classification tells how much manpower, time and money a hacker (or a hacker group) can spend on an attack. Intelligence services can afford to spend almost unlimited financial resources and hire entire scientific institutes to develop penetration methods.

And here the question arises: how can hackers be classified automatically? And it turns out that there are few opportunities for this, because you cannot ask a hacker “how much money are you willing to spend to hack me?”

Unless you can use some anti-APT solution that analyzes the recorded attack and attributes it to some international hacker group that has been labeled “government”.

Or, during the investigation of the incident, using an expert method, determine how much effort and money was spent and how many people participated in it.

Classification by knowledge

This classification usually looks something like this:
  1. Script kiddies.
  2. Hackers.
  3. High-level hackers.

The gradation is roughly clear: script kiddies do not write exploits themselves, they take someone else’s; hackers can already customize something for themselves and use pentest tools tolerably well; and high-level hackers look for vulnerabilities and write exploits to suit their needs. Depending on the author of the classification, the definitions (and names) of the categories may differ - what I wrote is a rough, abbreviated average.

So what's the problem?

The problem is that you cannot make the attacker sit some kind of Unified State Examination.

Under conditions of uncertainty, it is difficult to infer knowledge. Even under more controlled exam conditions, conclusions may be incorrect.

Detect tools?

Well, you can try. But there is no guarantee that a high-level hacker will not use simpler tools, especially if he is not familiar with some technology. In his attempts he can even descend to the level of a script kiddie, which will not make him any less dangerous, because once he gets past the section that is difficult for him, he will return to the third level of danger. Also, do not forget that all tools get sold or leaked into the public domain. Using a high-level tool may increase the chances of “success” and make the person using it more dangerous in the short term, but overall nothing changes.

That is, in essence, I am saying that such a system is subject to errors of both the first and second kind (both overestimating and underestimating the danger).

Maybe it's easier?

There is also a method that I used in my thesis - using CVE, or more precisely, CVSS.

In a vulnerability's CVSS description there is a line such as “difficult to exploit.”

The correlation is quite simple - if a vulnerability is difficult to exploit, then the person who was able to exploit it is more dangerous.

It seems ideal: we look at what vulnerabilities the hacker is exploiting, look for them in the database and assign the hacker a danger rating. So what don’t I like here?

The difficulty of exploiting the vulnerability is assessed by an expert. But the expert may make mistakes in the assessment, may have an interest of their own (deliberately underestimating or overestimating), and anything else, because they are a person.

In addition, an exploit for the vulnerability can be purchased. Sometimes the implementation is so tailored “to the buyer” that all that remains is to press the proverbial “hack” button, and the exploitation complexity for the hacker drops to approximately zero.
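The CVSS-based rating described above, together with the purchased-exploit caveat, can be made concrete. The following Python is an added illustration, not code from the thesis or the post: it reads the Attack Complexity (AC) metric of a CVSS v3.1 vector string, treats a readily available exploit (temporal metric Exploit Code Maturity, E:F or E:H) as lowering the skill the exploitation demanded, and rates the attacker by the hardest exploitation observed rather than the average, so a skilled attacker who drops to simpler tools for one step keeps the rating earned elsewhere. The CVE ids and vectors are constructed placeholders, not real advisories.

```python
"""Rate an attacker's danger level from the CVSS v3.1 vectors of the
vulnerabilities they were observed exploiting.

Added illustration; the CVE ids and vectors below are constructed
placeholders, not real advisories."""

# Three gradations, as in the text: low, medium, high danger.
LEVELS = ("low", "medium", "high")


def parse_cvss31(vector):
    """Split a CVSS v3.1 vector string into a metric -> value mapping."""
    if not vector.startswith("CVSS:3.1/"):
        raise ValueError("unsupported vector: %s" % vector)
    metrics = {}
    for part in vector.split("/")[1:]:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError("malformed metric %r in %s" % (part, vector))
        metrics[key] = value
    if "AC" not in metrics:
        raise ValueError("vector lacks Attack Complexity (AC): %s" % vector)
    return metrics


def danger_for_vulnerability(vector):
    """Danger level implied by successfully exploiting one vulnerability."""
    m = parse_cvss31(vector)
    # Hard-to-exploit (AC:H) -> "high"; easy (AC:L) -> "medium".
    level = 2 if m["AC"] == "H" else 1
    # A functional or weaponised exploit being available (E:F / E:H) means
    # little skill was needed: the "press the hack button" case -> one level down.
    if m.get("E", "X") in ("F", "H"):
        level -= 1
    return LEVELS[level]


def rate_attacker(observed):
    """Return (level, cve) for the hardest exploitation seen.

    Max, not average: a skilled attacker who falls back to script-kiddie
    tools for an unfamiliar step must not be rated down for it."""
    if not observed:
        return ("low", None)
    hardest = max(observed,
                  key=lambda cve: LEVELS.index(danger_for_vulnerability(observed[cve])))
    return (danger_for_vulnerability(observed[hardest]), hardest)


# Constructed sample: vulnerabilities one attacker was seen exploiting.
OBSERVED = {
    "CVE-XXXX-0001": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H",   # weaponised exploit -> low
    "CVE-XXXX-0002": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",       # hard, no known exploit -> high
    "CVE-XXXX-0003": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P",   # proof-of-concept only -> medium
}

if __name__ == "__main__":
    for cve, vector in OBSERVED.items():
        print(cve, "->", danger_for_vulnerability(vector))
    print("attacker rating:", rate_attacker(OBSERVED))
```

The expert-judgement caveat from the text survives unchanged here: AC and E are still values an analyst assigned, so the function only makes the rating reproducible, not more trustworthy than its inputs.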

Instead of conclusions

Having thought about solving this problem, I realized that, in general, I could not solve it - I did not have the necessary knowledge.

Perhaps Habr can tell me by what criteria hackers can be classified? Perhaps I missed an obvious approach?

And most importantly, is this necessary at all?

Perhaps this post will be useful to students who are choosing a topic for their diploma.

Despite the extremely simple formulation of the question (“how to determine the level of a hacker?”), the answer is not at all obvious.

Somewhat similar to computer vision and pattern recognition.

Only much more boring.