On Tue, 20 Jul 2004 12:36:06 PDT, Andrew Latham said: > 1. Boredom - more brains than hobbies > 2. Needs > - burstable bandwidth - downloads > - knowledge > - bragin rights > 3. Challenges > 4. Other You're equating "black hat" with one subset thereof, more or less. It's a lot more complicated in the real world... I'd posit that the goals and motivations of the black hat can be classified in three wide ranges, with totally different threat models: 1) "type of target" - you don't care who's box it is - you want "any suitable zombie", "any suitable Windows/IIS server", "any suitable Solaris box". 2) "identity of target" - The target has been selected because it's a server for company X, or you want to deface the webpage for organization Y, or it's payback time for black-hat Z. 3) "monetary/related gain" - you really don't care who the target is, it's all about the paycheck - whether it's 500K zombies created by a virus-for-pay, or a hacking run against a server that has credit card numbers on it... Notice that there can be overlap - a black hat engaging in (2) or (3) may very well want to pick up a collection of type (1) stepping-stone machines to launch the attack from. Also, a target can be in different categories at the same time - it can be probed by a script kiddie looking for zombies, while at the same time it's being targeted by a disgruntled ex-employee and a professional criminal. Understanding the differences is important - a defense sufficient to stop the random probing (1) won't slow down either of the other two. However, the professional criminal is more likely to nail you with a 0-day - but will move along if they decide the risk/payoff ratio is bad (they see you have enough network monitors to nail their ass in court, they're outta there ;). The disgruntled ex-staffer may not have a 0-day - but they may well decide it's a personal issue and *keep* attacking when a professional would move on...
Attachment:
pgp00048.pgp
Description: PGP signature