Cyber security professionals can be so invested in answering the “How?” or the “What?” that occurred in a cyber incident that they often forgo the “Why?”. There are many reasons that a cybercriminal conducts malicious activity. In this briefing, VerSprite’s Threat Intelligence Team covers “Why Bad Guys do Bad Things?” using Maslow’s Hierarchy and explores why Threat Intelligence Analysts should know who threat actors are and what drives their criminality.
Not everything in cyber security must be a full analysis from the original idea of an attack to the post-attack investigation. A knowledge base of the catalysts and motivations that drive an attack can assist an analyst in identifying the potential for a future incident. Let’s explore why they occur.
Maslow’s Hierarchy of Needs To Help Identify Cyber Threats
Maslow’s hierarchy of needs is a motivational theory in psychology comprising a five-tier model of human needs. The lower three tiers represent more of one’s “needs,” and the top two represent one’s “wants.” This is the base of a threat actor’s drive to commit these acts. Find that motivation and you can discover the indicators.
Survival is the most passionate need that exists in people. Not satisfying these needs means life or death for someone and those who rely on that person. Low-level crime is the primary example of this. Stealing food, housing, clothing, or methods for obtaining these things for immediate satisfaction through criminal acts are identified at this tier.
A threat actor could access a secured building, vehicle, or from the source of a victim using cyber means. From accessing a locked asset to causing chaos in a region by exploiting a populace’s lack of resources, some drivers don’t need to be directly tied to the needs of the threat actor; they can come from the disruption of others, the resulting scarcity, and the victims’ reaction to it.
Security is one of the needs that has been on many people’s minds over the last few years, with the pandemic and the current recession. One of the drivers for the welfare of families is the need to provide for one’s family or loved ones. Many try to fulfill those needs through financial security and protecting themselves or others from physical harm. Insider threats are one of the best examples of this tier of needs.
Insider threats can stem from a catalyst (lack of a promotion, potential layoffs), where that change in an employee’s environment can develop into motivation. When motivated, the insider threat will see a potential vulnerability in an organization’s security, or exploit their provided access, to achieve an intent. Sometimes the insider attempts to take something for financial gain, steal intellectual property, or commit sabotage that could cover their illicit activity. Security is a powerful motivator, usually exploited by first-time offenders or those who think of their actions as harmless, though they certainly are not.
Belonging is an interesting motivator for cyber threats because people do not casually think of them as relating to such an emotionally-centric need. The thing that is forgotten is that wars and some of the most heinous crimes in the world are driven by passion, love, or lack thereof.
Analysts who study counter-terrorism and asymmetric threats are well-trained in this understanding because it is where “conscription” exists. Young people are most susceptible to feeling the need to belong to something outside their familial setting. Some join a cause, or a group, and some serve in some capacity. Yet sometimes, they are conscripted into criminal organizations, terrorist groups, and hacking groups under some misaligned ideology.
Another aspect of cybercrime that falls under this tier is “Cyber Stalking.” In recent examples, threat actors have used tech to target their victims through location trackers in apps and physical trackers placed on a person or property. The motivation for belonging can come from more habitual offenders and those who try to obfuscate this lifestyle to get closer to their victims. Many who have worked in cyber security have heard stories of these attacks, but may not associate the need for “belonging” as a motivator, as that belonging has a dark side called “obsession.”
Within Maslow’s hierarchy, importance is very dynamic, and it is difficult to gauge. The top two tiers fall into more “Want” than “Need.” An analyst can see indicators in this tier because threats originate from people either unfamiliar with the target or most familiar with it. In the case of an unfamiliar threat actor, they are generally motivated by some desire (want) to have won against their perceived adversary.
To achieve their end state at this tier, the threat actor attempts to gain a victory over or at the expense of their target. Many novice threat actors are motivated to seek provocation from their victims and achieve a loss for their target. This is where many “Black Hats” or “Hackers” exist.
An important factor in these kinds of threats is anonymity. Anonymity makes people act differently. Anonymity creates deindividuation. Deindividuation creates disinhibition.
Disinhibition can be increased by:
Anonymity makes people act differently or more extreme than usual. It creates disinhibition, lowering the perception they will face consequences. Anonymity may produce an experience of deindividuation, reduced consciousness of oneself as an individual. Deindividuation refers to a person’s tendency to lose awareness and restraint when in groups.
Factors of deindividuation:
Those familiar with their intended targets come in the form of self-important people who attempt to sabotage their intended targets for personal gain. An achievement in this concern is motivated by their want to seek a “win” at their target’s “loss.” The threat actor can see their target as the source of all their “ills” and can only gain status at the expense of others who have what they want. White-collar crime is a great example of this.
The use of cybercrime in this form may come via obfuscation of evidence of their own crimes and placing blame on another, who is seen as being a hurdle in their attainment of status. Achieving their goal of accession to wealth or status can come from a catalyst similar to belonging but absent a desire to be loved by any particular person.
In Maslow’s hierarchy, self-actualization is perceived as the ultimate achievement of one’s desire to be an authority. This tier is seen as realizing a threat actor’s ideological philosophy through malicious activity, attaining greatness through the fulfillment of their greatest desire. The end state they seek is seen through how they afflicted many victims to achieve results similar to the other tiers but on a mass scale.
Counter-terrorism analysts study this area, as terrorist leaders are motivated to inspire others to follow them. International terrorist groups attempt to provoke fear or terror to achieve political or religious aims, while domestic terrorists attempt to further ideological goals that influence domestic aims that are political or religious, but also social, racial, or environmental.
In recent history, cyber security experts have seen the threats that come from self-described “ideological pariahs.” Cybercriminals at this tier can include such figures as LulzSec co-founder Hector Xavier Monsegur, also known by the online pseudonym “Sabu,” or Jeremy Hammond, a cyber anarchist member of “AntiSec.”
Some other notable figures at this tier indicate their ideology, which can appear more self-righteous. For example, Julian Assange, founder of WikiLeaks, offered insight into his motivation through his persona’s handle, “Mendax.”
Julian’s mother was an avid literature reader, and Julian was familiar with stories like one of Horace’s 50 daughters, who were forced to marry. Horace planned for his daughters to kill their new husbands. One chose to let her husband live and turned on her father. Therefore, she was called “Splendide Mendax,” meaning “Splendidly False.” Julian saw himself as a revealer of truth at any cost, which presented him as a figure to be admired. Yet, his true motivation was to destroy those organizations or public figures he saw as evil or powerful.
Edward Snowden had a similar indicator of his philosophy and the motivations behind his actions. His persona had the handle of “Verax,” which meant “Truth Teller.” Many see his actions as a “necessary evil” in the pursuit of revealing the activity of some governments or public figures. In reality, his actions gave threat actors knowledge of classified information he had access to through the trusted relationship and clearance given to him by the US government.
Cyber threats have many aspects and motivations, which stem from threat actors’ wants and needs. There is a pattern of temporal relevance when discussing a catalyst and the motivation of a threat actor. That time can assist cyber security experts in their proactive efforts to mitigate the next major cyber incident. Threat actors give both behavioral and digital indicators that security professionals can identify, but the behavioral indicators can be first observed using Maslow’s Hierarchy.
In today’s climate of rampant cyber threats, this kind of knowledge and caution can be crucial to limiting a company’s exposure to malware attacks. Some increasingly take advantage of vestigial access privileges that employees and security staff may have forgotten. Others bring pure chaos and destruction to those who rely on the services of, and place their trust in, organizations that possess our information. There is always an indication that someone is motivated to conduct these attacks before pulling their chair up to the computer. This understanding of root causes is a tool that cyber security experts should possess if they seek to take proactive steps in mitigating the next cyber threat.
VerSprite leverages our PASTA (Process for Attack Simulation and Threat Analysis) methodology to apply a risk-based approach to threat modeling. This methodology integrates business impact, inherent application risk, trust boundaries among application components, correlated threats, and attack patterns that exploit identified weaknesses from the threat modeling exercises.