Cybersecurity Research Overview Victor 1/6/2014 1 Outline Introduction Types of Research Systems Research Malware Analysis Botnets Digital Forensics Hacker Forum Research IRC Channel Research Conclusion 2 Introduction As computers become more ubiquitous throughout society, the security of networks and information systems is a growing concern. An increasing amount of critical infrastructure relies on computers and information technologies Advancing technologies have enabled hackers to commit cybercrime much more easily now than in the past. At the same time, accessibility to technologies and methods to commit cybercrime has grown (Radianti & Gonzalez, 2009) Availability of technologies and methods to commit cybercrime have become more available (Moore & Clayton, 2009) Legitimate services such as such as DNS servers and search engines have uses to promote cybercriminal activity 3 Introduction With growing importance of cybersecurity, researchers have taken interest in both areas of cybersecurity research Studies to improve system security and malware analysis techniques New research on observing and analyzing hackers within their communities Here we discuss the various forms of cybersecurity research Both technical- and hacker community-focused studies Including discussions of tools used to conduct your own analyses and research 4 Types of Research There are various forms of cybersecurity research ranging from technical research to sociological studies: Systems & Network Security Malware Analysis Botnet Research Digital Forensics Hacker Forums Hacker IRC Networks Traditional cybersecurity research has focused on technological challenges and improvements to mitigate cyberattacks (Hopper et al, 2009; Holt & Kilger, 2012) Systems and security research for purposes such as intrusion detection systems, autonomous networks, etc. (Garcίa-Teodoro et al, 2009; Dsouza et al, 2013) Improved malware analysis techniques to detect more advanced malware that may be obfuscated or previously unknown (Cova et al, 2010; Ismail & Zainal, 2012) Botnet tracking and identification (Lu & Ghorbani, 2009; Zhang et al, 2011) 5 Types of Research Such focus on technological improvements to enhance security has been largely dominated past cybersecurity research However, in comparison to more technical works, there is little research done to investigate hackers themselves and the human element behind cybercrime More research on black hat hackers, i.e. cybercriminals, would offer new knowledge on securing cyberspace against those with malicious intent (Siponen et al, 2010) Specifically, developing “methods to model adversaries” is one of the critical but unfulfilled research needs recommended in the “Trustworthy Cyberspace” report by the National Science and Technology Council. (National Science and Technology Council, 2011) 6 Types of Research As a result, many recent studies in cyber security have taken different paths to study cyber adversaries Hacker social media, such as forums and IRC channels, are important resources for many cybercriminals Content and topological analysis of hacker forums Observation of hacker Internet Relay Chat (IRC) chat interactions Since hacking knowledge is not typically found in formal education, the use of web-based resources to advance skills and knowledge is common among both black and white hats Hackers often utilize forums and IRC channels to disseminate hacking knowledge(Radianti et al, 2009; Motoyama et al, 2011) Forums and IRC channels also serve as black markets, where cybercriminal assets are traded and sold (Radianti et al, 2009; Holt & Lampke, 2010) Each type of research is valuable in and necessary to improve the overall security of cyber infrastructure 7 Systems Security Improving security mechanisms incorporated into systems and networks has been a traditional focus of security research Automated and integrated management of cyber infrastructure, including intrusion detection systems and autonomous networks (Chen et al, 2007; Aydin et al, 2009) Protocol-level security to mitigate known security vulnerabilities (Pervaiz et al, 2010) Research often consists of collecting data and performing experiments by simulating networks and systems For example, collecting network traffic data under normal operations and comparing it to network traffic data during simulated cyber attacks can help anomaly detection methods (García-Teodoro et al, 2009) Wireshark (http://www.wireshark.org/) is a tool commonly used for packet capturing and analysis 8 Systems Security Automated and Integrated Management (AIM) Methodology (Dong et al, 2003): Close Ports Change Policies Isolate router Monitoring Automated Semi Automated Actions Feature Selection Cyberinfrastructure Risk and Impact Analysis Aggregate and Correlate Anomaly Behavior Analysis Systems Security Distribution of Normal vs Abnormal System Calls for Anomaly Detection (Qu et al, 2005) Fault Injection Point Time Abnormal Transaction Normal Transaction SysCall 10 Systems Security Systems security research is becoming increasingly important as computers become more prevalent throughout society Security concerns over SCADA systems, or systems that control the electric grid, water distribution, and other industrial systems, is growing as these systems are increasingly reliant on cyber infrastructure (Goel, 2011) Cloud services and infrastructure have grown rapidly in recent years, necessitating increased security practices (Ramgovind et al, 2010; Rong et al, 2013) In particular, these areas present a new set of challenges for security researchers SCADA systems often run custom firmware or other software requiring specialized knowledge or new skillsets for researchers Cloud services and service-oriented architecture (SOA) are of great concern due to their exposure on the Internet and necessity to remain online Port scanners such as NMAP (http://nmap.org) are often used in security audits on such systems 11 Systems Security Growing interest in further developing: Resilient systems that can automatically mitigate and circumvent cyber attacks (Dsouza et al, 2013) Moving Target Defense, or evolving defenses that can counter changing and improving cyber attacks (Carvalho et al, 2012) While improving system and network security can help cyber infrastructure mitigate and recover from cyber attacks, research in other areas of security would be fruitful Understanding more about the malware deployed against cyber infrastructure could aid in development of effective cyber defenses 12 Malware Analysis To improve systems security, some researchers are interested in developing better defenses against malware (Shabtai et al, 2011; Sahs & Kahn, 2012) Increasingly advanced malware variants appearing in the wild Affecting servers, computers, mobile phones, etc. Two forms of malware analysis (Willems et al, 2007; Ismail & Zainal, 2012) Dynamic analysis - Executing malware and observing run-time behaviors, system calls, registry edits, etc. Static analysis – Studying malware source code or opcode (operation code) without malware execution 13 Malware Analysis By its nature, dynamic analysis will lead to malware infection of computers used for analysis Conversely, static analysis does not require malware execution Requires controls and security measures to avoid malware spread on network Can be time and resource intensive May miss hidden execution behaviors if malware does not execute full source code Source code or opcode can be analyzed without malware execution Full malware source can be analyzed, revealing code that could be hidden and only executed under special circumstances However, code that is obfuscated can be difficult to analyze and understand Both techniques are equally useful in different contexts, complementing each other well 14 Malware Analysis Data is often collected through the use of honeypots Honeypots are computers or clients that are setup with the purpose of attracting and logging cyber-attacks in real time Often emulate or are exposed to live security vulnerabilities in order to capture malware and monitor cyberattacks Can be used to better understand threats “in the wild” Two types of honeypots exist (Zhuge et al, 2008; Cova et al, 2010): Low-interaction honey pots: Emulate known vulnerabilities to capture malware payloads and hacker behavior. Honey pot machine is not actually compromised, and thus only a limited amount of data is captured. Multiple low-interaction honeypots can be hosted simultaneously on one machine. High-interaction honey pots: Allow full operating system to be compromised in order to gather more data on cyberattacker patterns. Can reveal previously unknown exploits as honeypot does not rely on emulating already known vulnerabilities. However, real infection increases security risks, and more computing resources are required for highinteraction honeypots. 15 Malware Analysis Many honeypot tools are developed and made available by The Honeynet Project - http://www.honeynet.org/ All projects are open sourced and available for free International team of volunteer security researchers and practitioners Investigate cyberattacks, discover new exploits Develop to improve Internet security Low-interaction and high-interaction honeypots Tools for other security applications Open source tools provided by the Honeynett Project, as well as other sources, can be utilized to implement honeypot systems 16 Malware Analysis To build a low-interaction honeypot with malware capturing capabilities, deploy the following tools simultaneously on a Linux-based machine: Tool Name Description URL Argus A layer 2+ (i.e. OSI model) auditing tool which helps in collecting network flow information. Can help with network traffic analysis. http://nsmwiki.org/index.php?title =Argus#Introduction Dionaea A honeypot which emulates various services with the aim of trapping malware and shellcode, malicious code remotely executed through security exploits. Captured payloads can be further analyzed for research. http://dionaea.carnivore.it/ Kippo SSH honeypot meant to trap, view, and record malicious activity. Can allow hackers to log into a simulated SSH environment where attempts of more advanced operations may be observed. http://code.google.com/p/kippo/ p0f Tool to passively fingerprint different attackers behind TCP/IP communications. May help reveal advanced persistent threats (APTs) http://lcamtuf.coredump.cx/p0f3/ Snort Network intrusion detection system, allows for detailed network packet capture of cyberattacks http://www.snort.org/ 17 Malware Analysis Unfortunately, high-interaction honeypot tools are scarce Popular high-interaction honeypot packages: Capture-HPC Much more complicated than low-interaction honeypots Require significantly more resources to implement and maintain Strict safeguards must be built around honeypot to ensure network security Developed by the Honeynet project Problem: last updated in 2008 Runs virtual machines as honeypot systems, but has trouble interfacing with latest virtualization software (e.g. VMWare, VirtualBox) due to lack of recent updates One can build their own high-interaction honeypot by deploying vulnerable machines with system-level logging System-level logging generally requires operating system kernel hooks Difficult to implement for most individuals Many researchers and practitioners opting for low-interaction honeypots with malware capture capability 18 Malware Analysis Preliminary study presented at IEEE Intelligence and Security Informatics, 2013 (Benjamin & Chen, 2013) Both low-interaction and high-interaction honeypots can be configured to capture shellcode samples used by cyber attackers When deploying several honeypots, potential to capture large volume of shellcode samples Can become difficult to analyze samples as volume increases We collected nearly 4,000 malicious source code and shellcode samples from a exploit-sharing website Four distinct attack vector categories: local memory attacks, remote code execution attacks, web application exploits, and denial of service Several shellcode samples similar to potential honeypot captures Motivated to develop automated technique to classify samples by attack vector category 19 Malware Analysis Program loads library for network communications Shellcode Low-level instructions to access vulnerable application’s memory space An example of a Perl exploit that attempts a remote buffer overflow attack on a popular enterprise Windows and Unix mailserver software. Malicious code such as this can be difficult for researchers to interpret in their explorations. Automated static analysis tools can help in such scenarios. 20 Malware Analysis Research cites feature selection for malware analysis is difficult We utilize a hybrid-GA approach by pairing a genetic algorithm with a classifier to select features based on their helpfulness to accurately classify samples Features based semantic contents of sample files Samples are run through a series of classification experiments Compared SVM and C4.5 decision tree algorithms for classification using a series of experiment configurations; accuracy averaged 86% Experiment could be extended to include true honeypot shellcode samples, more robust GA or feature selection technique 21 Botnets Malware captured by honeypots can sometimes reveal botnets Outbound network traffic generated by malware may be connecting to a botnet command and control (C&C) channel These channels are used by cybercriminal “botmasters” to give commands to collections of malware-infected computers that covertly join the IRC channel and wait for instruction. 22 Botnets C&C identification techniques have generally utilized honeypots Honeypots are systems that are configured to simulate computer systems with software vulnerabilities Can allow wild malware to intentionally exploit honeypot vulnerabilities; malware behaviors can be captured and studied in a sandboxed environment (Rajab et al, 2006; Lu et al, 2009). All code execution, system changes, and network traffic are tracked and logged within a honeypot (Mielke & Chen, 2008; Zhu et al, 2008). By observing outbound network traffic generated by malware, researchers may potentially reveal botnet C&C channels and other hacker-related web addresses. 23 Botnets There are two common techniques used to collect IRC chat data, but both involve logging of real-time chat. Several strategies can be taken to effectively use bots and ensure comprehensive data collection (Fallmann et al, 2010): Logging IRC chat in real-time manually or using automated bots. (Fallman et al, 2010) Scraping IRC packet contents generated by a honeypot’s local network traffic (Lu et al, 2009) Swap strategy – Some IRC channels will automatically disconnect users who appear idle. Thus, it can be useful to occasionally rotate bots into different IRC channels for logging, avoiding some problems with idling Use of multiple bots in the same channel can be used to help ensure comprehensive collection in case some bots get disconnected Packet scraping requires the use of network traffic analyzer software Wireshark can be used for this purpose 24 Botnets Different forms of analysis should be used depending on research goals and data. For example, the goals and methods used for analysis would be different in: Botnet research with data from command & control channels Research on IRC channels affiliated with hacker forums or acting as social hubs The simplest method of analysis, much like hacker forums, is to manually sift through data (Franklin et al, 2007; Fallmann et al. 2010; Motoyama et al. 2011) Automated content and network analyses could be extended to IRC datasets as well when studying hacker IRC channels Can reveal emerging threats, popular tools and methods May help with attack attribution 25 Botnets For botnet C&C channels, there common themes for analysis Characterizing botmaster activity Paxton et al, 2011 investigate the different operational styles used by botmasters by computing some usage statistics per botnet master Mielke & Chen, 2008 use clustering to identify potential collaboration between botmasters based on their participation across different known C&C channels Identifying botnets based on network traffic Much research is spent analyzing honeypot captures and network logs to develop new techniques to combat evolving botnets (Lu et al, 2009; Choi & Lee, 2012) Botnets are becoming increasingly more sophisticated in evading detection 26 Botnets Published in IEEE Intelligence and Security Informatics, 2008 (Mielke & Chen, 2008) A botnet monitoring group, the ShadowServer Foundation, provided the AI Lab with logs from multiple botnet IRC command & control channels. Text mining techniques were used to differentiate bot masters from connected zombie computers Bot master names were tracked across all channels Several names appeared frequently across the data set By clustering bot masters according to their channel participation, potential collaboration between bot masters can be identified The roles of individuals within each group, and the overall operational style of each group can be identified by further analyzing C&C logs Additionally, logs could be used to identify C&C activity patterns; this could help automatically identify future C&C channels 27 Digital Forensics As increasingly complex malware and cyber attacks are deployed by individuals and groups, advancements in digital forensics becomes necessary to investigate computer crime Digital forensics entails identification of security failures within a system, and also the prevention of future incidents (Hay et al, 2011, Sridhar et al, 2012) Conducting “postmortem” analysis on cybercrime Can reveal information concerning cyber attackers Usually paired with other malware and botnet analysis techniques 28 Digital Forensics Often requires examining file systems, RAM\volatile memory, and network traffic for for traces of data pertaining to cyber attack Recovered data often used in persecution of cybercriminals or to identify advanced persistent threats Research opportunity: there exist only a few standards and benchmarks for existing digital forensics investigations (Yates & Chi, 2011) Increase of computing platforms has lead to lack of standard practices, no established “science” for forensics on newer operating systems and cyber infrastructure Growing importance in cloud, mobile, and SCADA systems Emerging challenges due to growing usage of complex encryption and data obfuscation techniques Much research focuses on new practices and standards 29 Digital Forensics For hands-on experience, SANS Institute offers a version of Linux preloaded with digital forensics tools (http://computerforensics.sans.org/community/downloads) Other tools: Name Platform URL Blacklight Windows/Mac https://www.blackbagtech.com/ EnCase Windows https://www.encase.com/ DumpZilla Windows/Linux Mozilla Browsers (e.g. Firefox) http://www.dumpzilla.org/ The Sleuth Kit Linux/Windows http://www.sleuthkit.org/ 30 Hacker Forum Research Hackhound.org Hacking tool interface Description of code functionality Hacker’s Reputation Score Embedded sample of code Attached Hacking Tool Unpack.cn Left: A cybercriminal on hackhound.org publishes the latest version of his hacking tool meant to help others steal cached passwords on victims’ computers Right: A hacker of the Chinese community Unpack.cn posts sample code demonstrating how to reverse engineer software written in the Microsoft .NET framework 31 Hacker Forum Research Hacker forums can be useful to researchers for various reasons: Asses emerging threats and their prevalence in hacker social media Observing black market activity Tracking the cybercriminal supply chain and how assets move throughout the global hacker community Allow researchers to study hackers across different geopolitical regions Unfortunately, hacker forum data is hard to obtain as many hacker communities employ anti-crawling features (Fallman et al, 2010; Goel, 2011) No hacker forum datasets available to researchers Anti-crawling measures, such as bandwidth monitoring or detection of bot-like behaviors, prevent many researchers from using automated techniques to build a dataset Thus, most current studies utilize manual data collection (Holt, 2010; Yip 2011). 32 Hacker Forum Research To employ automated collection, anti-crawling measures must be circumvented Reduce bot-like behaviors during collection Practice identify obfuscation We may also want to mask our true identity Reducing crawling rate is useful for circumventing anti-crawling measures that monitor bandwidth usage or page views To mask our identity, we can utilize proxy servers or peer-to-peer networks to route traffic through Lets us even regain access to forums than ban us via IP bans Stand-alone web proxies can be used for traffic routing and identity obfuscation Peer-to-peer networks, such as the Tor Network, offer similar services as standalone web proxies with added capabilities 33 Hacker Forum Research Traditional proxy server configuration 34 Hacker Forum Research 35 Hacker Forum Research 36 Hacker Forum Research 37 Hacker Forum Research Various screenshots of the graphical Tor controller Vidalia. Left: A map allows users to view the locations of all published Tor relay nodes Middle: A real-time log of Tor network events allows users to monitor Tor activity. The Tor client automatically handles many Tor networking functions Right: A basic interface that allows Tor users to quickly assume a new identity by routing traffic through a new circuit. Applications such as web browsers and crawlers can utilize the Tor network by routing their network traffic to the local Tor client. 38 Hacker Forum Research Proxy Servers Tor Network The Tor network client (~9MB) Requirements None Protocol Typically HTTP or SOCKS SOCKS only Usage Send local network traffic to proxy server for re-routing to destination server Tunnel local network traffic to local Tor client; Tor client automatically handles peer-to-peer networking and routing traffic to the destination server Assuming a new identity? A new proxy server must be used in replacement of current the current proxy Tor client can automatically select new relay nodes when a new identity is needed Finding new servers? Lists of public proxy servers exist across various websites that can be identified through keyword searches (e.g. “public proxies”) The Tor client will automatically find new relays for the user. Selection parameters can be used to only use or exclude relays from specific countries What does hacker community server see? Proxy server IP address IP address of the last Tor relay used to route your message to the destination server 39 Hacker Forum Research After hacker forum contents are collected, they can be analyzed using traditional social media techniques Can make use of commonly used text mining tools Content analysis would be useful for understanding the discuss and information inside hacker social media Topological analyses often aim to observe hacker forum structure and the relationships between forum participants (Motoyama et al, 2011, Holt et al, 2012) 40 Hacker Forum Research Description of attached hacking tutorial Password to open attached file Password-protected file containing tutorial documents Hacker forum reputation system Iranian hacker forum participant ‘elvator’ is sharing a tutorial on shellcode, which refers to cyberattack payloads that grant hackers unauthorized access over compromised machines. This hacker has gained a total of 20,305 reputation points from his peers over 1,641 messages posted, which is above average for Ashyane.org. 41 Hacker Forum Research Hacker forum reputation score Screenshot of vulnerability scanning tool Tool download link Participant explicitly asks others to give him reputation points A forum participant of the Russian hacker forum Xekapok.net shares a vulnerability scanning tool with others. This participant’s message is relatively “media rich” compared to other forum posts due to the usage of images, font styling, and attachments. Additionally, they possess high reputation and thus appear to be well-established in the Xekapok.net community. 42 Hacker Forum Research Preliminary hacker reputation study presented at IEEE Intelligence and Security Informatics, 2012 (Benjamin & Chen, 2012) Collected two hacker communities from the United States and China to examine the mechanisms in which key actors arise within forums Both communities featured reputation systems How did hackers earn high levels of reputation among their peers? Found that hackers who participated frequently and contributed the most towards the cognitive advance of their community had the highest reputation 43 Hacker Forum Research Main challenges in hacker forum research are: Identifying data sources Collecting complete datasets If not a security expert, some subject matter may be difficult to interpret After collection of data, hacker forum research can utilize the same text mining techniques as traditional social media research Topic modeling Forum participant analysis Social network analysis Etc. 44 IRC Channel Research Internet Relay Chat (IRC) is a protocol for real-time, multi-user text chat IRC channels are used by hackers to communicate in real-time through text chat (Mielke & Chen, 2008, Motoyama et al, 2011) IRC is comprised of three major components: Sometimes affiliated directly with hacker forums Other times are independent communities only accessible through IRC Contents can be analyzed through traditional text mining techniques IRC Networks (i.e. servers) Chat channels existing within IRC networks IRC Clients, or users Understanding these three components is important for developing data collection methods 45 IRC Channel Research IRC Networks Usually defined by an address such as irc.domain.com An IRC network is generally comprised of one server, or a network of servers directly connected to one another Servers share information with one another such as user information, existing channels, chat information, etc. New servers can be added to an existing network to scale-up network capacity Different IRC networks are completely independent of one another Every IRC channel exists within an IRC network 46 IRC Channel Research Public vs Private networks Network accessibility has many implications for data collection If hackers decide to host their channel on a public network, it is theoretically possible to collect data from that channel by volunteering a server to support the network; many public networks are entirely volunteer-run One limitation to volunteering a server to a public IRC network is that public IRC networks often require very significant bandwidth capacity (hundreds of GBs of transfer per month) Conversely, if a hacker-related IRC channel is hosted within a private network, it is unlikely that we will be able to volunteer a server to the network. Client-bots can be used to collect data from such channels 47 IRC Channel Research IRC Channels IRC Channels are usually times separated by topic Channel naming convention is #ChannelName Each channel exists within a single IRC network Two channels with the same name but different networks are two different channels Two channels within the same network cannot share the same name A list of all users connected to a particular channel is provided to each channel participant User-chat is broadcasted to everyone within a channel 48 IRC Channel Research An example of a hacker IRC channel. A list of users, their messages, and timestamps for each message can be seen. The participants are discussing sqlmap, a tool for automated SQL injection and database hijacking, as well as programming concepts. The top header also includes links to other IRC channels affiliated with this one. 49 IRC Technical Information IRC Users Connect to IRC servers, can join multiple channels simultaneously Can broadcast messages to all other users within channels Can initiate private messages with other users that are hidden from all other chat participants Such private messages cannot be collected with the client-bot method of collection They can be collected when hosting a server, though many public IRC networks have privacy rules that prohibit server operators from such behavior 50 IRC Channel Research Data must be captured in real-time as chat data is not archived Can use automated bots to monitor and log IRC channels Unlike forums, IRC is not a medium that supports natural archiving of data If a message is not received by your client at the moment the message was transmitted, that message is unrecoverable Perl Object Environment Bot - http://poe.perl.org/?POE_Cookbook/IRC_Bots Supybot - http://irc-wiki.org/Supybot Bots can support features such as: Auto-rejoining channels if connection is lost Automated usage of proxy servers and peer-to-peer networks (e.g. Tor) Monitoring multiple channels simultaneously 51 Conclusion Many branches of cybersecurity research exist Hacker forum and IRC channels are relatively unexplored compared to other forums of social media What insights can be gained from studying such communities? What similarities and differences exist in hacker communities from different geopolitical regions? Honeypots also provide ample opportunities for research Ranging from social media analytics to more technical works Interdisciplinary problem Provide data for attack pattern and malware classification studies Honeypot captures can be cross-referenced with hacker social media: can any insights be gained by combining data sources? Cybersecurity is a challenge of growing importance 52 References Abu Rajab, M., Zarfoss, J., Monrose, F., & Terzis, A. (2006). A multifaceted approach to understanding the botnet phenomenon. Proceedings of the 6th ACM SIGCOMM on Internet measurement - IMC ’06, 41. Akhoondi, M., Yu, C., & Madhyastha, H. V. (2012). LASTor: A Low-Latency AS-Aware Tor Client. 2012 IEEE Symposium on Security and Privacy, 476–490. Benjamin, V., & Chen, H. (2012). Securing Cyberspace : Identifying Key Actors in Hacker Communities. IEEE Intelligence and Security Informatics. Binde, B. E., Mcree, R., & Connor, T. J. O. (2011). Assessing Outbound Traffic to Uncover Advanced Persistent Threat. SANS Technology Institute. Cova, M., Kruegel, C., & Vigna, G. (2010). Detection and analysis of drive-by-download attacks and malicious JavaScript code. Proceedings of the 19th international conference on World wide web - WWW ’10, 281. Crandall, J. R., Forrest, S., & Ladau, J. (2011). The Ecology of Malware. Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, 99–106. Dholakia, Uptal M.; Bagozzi, Richard P.; Pearo, Lisa Klein. A Social Influence Model of Consumer Participation in Networkand Small-group-based Virtual Communties. International Journal of Research in Marketing. 2004. Dolfsma, Wilfred; Soete, Loe. Understanding the Dynamics of a Knowledge Economy. Edward Elgar Publishing. 2006. Emerson, R. M. (1976). Social Exchange Theory. nnual Review of Sociology, 2, 335–362. Fallmann, H., Wondracek, G., & Platzer, C. (2010). Covertly Probing Underground Economy Marketplaces. Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment (DIMVA), 101– 110. Franklin, J., Paxson, V., Perrig, A., & Savage, S. (2007). An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. Proceedings of the 14th ACM conference on Computer and communications security, 375–388. Fu, X., Ling, Z., Yu, W., & Luo, J. (2010). Cyber Crime Scene Investigations (C2SI) through Cloud Computing. 2010 IEEE 30th International Conference on Distributed Computing Systems Workshops, 26–31. 53 References Fuller, R. M., & Valacich, J. S. (2008). T HEORY AND R EVIEW M EDIA , T ASKS , AND C OMMUNICATION P ROCESSES : MIS Quarterly, 32(3), 575–600. Geer, D. (2005). Malicious Bots Threaten Network Security. IEEE Computer Society, 38(1), 18–20. Goel, S. (2011). Cyberwarfare Connecting the Dots in Cyber Intelligence. Communications of the ACM, 54(8), 132. Hall, Angela T; Blass, Fred R; Ferris, Geral R; Massengale, Randy. Leader Reputation and Accountability in Organizations: Implications for Dysfunctional Leader Behavior. The Leadership Quarterly. Volume 15. Issue 4. August, 2004. Holt, T. J. (2010). Exploring Strategies for Qualitative Criminological and Criminal Justice Inquiry Using OnLine Data. Journal of Criminal Justice Education, 21(4), 466–487. Holt, T. J., & Kilger, M. (2012). Know Your Enemy : The Social Dynamics of Hacking. The Honeynet Project, 1–17. Holt, T. J., & Lampke, E. (2010). Exploring stolen data markets online: products and market forces. Criminal Justice Studies: A Critical Journal of Crime, Law, and Society, 23(1), 33–50. Holt, T. J., Strumsky, D., Smirnova, O., & Kilger, M. (2012). Examining the Social Networks of Malware Writers and Hackers. International Journal of Cyber Criminology, 6(1), 891–903. Hopper, L., Hopper, R., & Womble, P. (2009). Identifying network attacks from a social perspective. 2009 IEEE Conference on Technologies for Homeland Security, 511–515. Hutchins, Eric M, Michael Cloppert, R. A. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation, (July 2005). II, C. J. M., & Chen, H. (2008). Botnets, and the CyberCriminal Underground. IEEE International Conference on Intelligence and Security Informatics 2008, 206–211. Imperva. (2012). Imperva Hacker Intelligence Intitiative. Monthly Trend Report #13. doi:10.1002/ana.23759 Lampe, Klaus Von; Johansen, Per Ole. Organized Crime and Trust: On the Conceptualization and Empirical Relevance of Trust in the Context of Criminal Networks. Global Crime. Volume 6. Issue 2. 2004. Jang, D., Kim, M., Jung, H., & Noh, B. (2009). Analysis of HTTP2P Botnet : Case Study Waledac. IEEE 9th Malaysia International Conference on Communications, 15–17. 54 References Kshetri, N. (2006). The Simple Economics of Cybercrimes. IEEE Security & Privacy, Jan-Feb, 33–39. Leavitt, N. (2009). Anonymization Technology Takes a High Profile. IEEE Computer Society, (November), 15–18. Ling, Z., Luo, J., Yu, W., & Fu, X. (2011). Equal-Sized Cells Mean Equal-Sized Packets in Tor? 2011 IEEE International Conference on Communications (ICC), 1–6. Lu, W., & Ghorbani, A. a. (2008). Botnets Detection Based on IRC-Community. IEEE GLOBECOM 2008 - 2008 IEEE Global Telecommunications Conference, (1), 1–5. Lu, W., Tavallaee, M., & Ghorbani, A. a. (2009). Automatic discovery of botnet communities on largescale communication networks. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security - ASIACCS ’09, 1. McCusker, R. (2006) Transnational organised cyber crime: distinguishing threat from reality. Crime, Law and Social Change. 46 (4-5), 257-273. Motoyama, M., McCoy, D., Levchenko, K., Savage, S., & Voelker, G. M. (2011). An analysis of underground forums. Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference - IMC ’11, 71. Moore, T., & Clayton, R. (2009). Evil Searching : Compromise and Recompromise of Internet Hosts for Phishing. Financial Cryptography and Data Security, 256–272. Muller, Paul. Reputation, Trust and the Dynamics of Leadership in Communities of Practice. Journal of Management and Governance. Volume 10. Number 4. November, 2006. Radianti, J. (2010). A Study of a Social Behavior inside the Online Black Markets. 2010 Fourth International Conference on Emerging Security Information, Systems and Technologies, 88–92. Radianti, J., Rich, E., & Gonzalez, J. J. (2007). Using a Mixed Data Collection Strategy to Uncover Vulnerability Black Markets. Workshop for Information Security and Privacy. Radianti, J., Rich, E., & Gonzalez, J. J. (2009). Vulnerability Black Markets : Empirical Evidence and Scenario Simulation. 42nd Hawaii International Conference on, 1–10. Rieck, K., Trinius, P., Willems, C., & Holz, T. (2011). Automatic Analysis of Malware Behavior using Machine Learning. Journal of Computer Security, 1–30. 55 References Spencer, J. F. (2008). Using XML to map relationships in hacker forums. Proceedings of the 46th Annual Southeast Regional Conference on XX - ACM-SE 46, 487. Tschorsch, F., & Scheuermann, B. (2011). Tor is unfair — And what to do about it. 2011 IEEE 36th Conference on Local Computer Networks, 432–440. Turrini, Elliot. (2010) Cybercrimes: A Multidisciplinary Analysis. Springer Publishing. Yadav, S., Reddy, A. K. K., & Reddy, A. L. N. (2010). Detecting Algorithmically Generated Malicious Domain Names Categories and Subject Descriptors. Proceedings of the 10th ACM SIGCOMM conference on Internet measurement. Yip, M. (2011). An Investigation into Chinese Cybercrime and the Applicability of Social Network Analysis. ACM Web Science Conference. Yip, M., Shadbolt, N., & Webber, C. (2013). Why Forums ? An Empirical Analysis into the Facilitating Factors of Carding Forums. ACM Web Science, May. Zhang, L., Yu, S., Wu, D., & Watters, P. (2011). A Survey on Latest Botnet Attack and Defense. 2011IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications, 53–60. Zhu, Z., Lu, G., Chen, Y., Fu, Z. J., Roberts, P., & Han, K. (2008). Botnet Research Survey. 2008 32nd Annual IEEE International Computer Software and Applications Conference, 967–972. Zhuge, J., Holz, T., Song, C., Guo, J., & Han, X. (2008). Studying Malicious Websites and the Underground Economy on the Chinese Web. Workshop on the Economics of Information Security, 225–244. 56