Targeted personal attacks

Sometimes hackers can do more good in local communities and civil society than agitating about national policy.

I’ve been thinking lately about different threat models, especially those where an adversary focuses on a particular target. Frequently, discussions around “advanced persistent threats” (APTs) get lost in marketing FUD or military policy discussions. My previous research on the incident types shows clear differences, though. The typical TTPs (tactics, techniques, and procedures) associated with targeted incidents, especially those with an espionage motive, vary significantly from those carried out by attackers with a financial motive. Many of these differences stem from the targeted nature of these attacks.

This “targeted vs opportunistic” dichotomy in infosec applies to incidents involving individuals too, not just organizations. The typical advice given about online safety focuses on opportunistic attackers with a financial motive. If advice to individuals is based on hardening their defenses just enough not to present the easiest target, it misses quite a bit. Telling somebody they don’t have to run faster than the bear, just faster than the next person, makes assumptions about the bear. Those assumptions - the bear just wants the nearest meal, the bear will be satisfied with only one victim, only one bear is giving chase - may not hold up under close examination.

As a more concrete example, think about the threat models of stalkers, abusers, or harassers. In these types of cases, victims face entirely different types of impact. Sometimes that means financial losses, like fraud or flat-out theft. All too often, it leads to physical trauma, emotional abuse, or even murder.

Targeted attacks from relative “insiders” such as intimate partners or family members change the model considerably. The attacker may have unrestricted physical access to a device, know the answer to personal security questions, or coerce the target using other forms of abuse. These factors mean that typical advice like “choose a strong password” and “avoid open WiFi” does little to help victims. In my own experience talking with shelters and counselors, I hear more and more about compromised mobile devices due to these “trusted adversaries”. This issue has started to get mainstream attention.

As professionals, though, we have a lot to offer here. We just need to reconsider our threat models against these sorts of adversaries. Smart folks have already done great work in this area. We can find more ways to help with this problem using the tools and skills we already have. I’ve started trying to catalog the available resources.

I’d love to see more of my fellow hackers and infosec professionals doing work in this area. That might mean talking to the staff at a counseling center for abuse victims, or writing & improving guides on mobile security. It might mean educating folks like me who are trying to find ways to help, too. Ping me on Twitter and let’s talk about it.