
Inside the mind of a hacker: understanding cybercriminal psychology, with Jesse Tuttle


Jesse Tuttle – better known in hacking circles as Hackah Jak – has lived on both sides of the digital battlefield. Once one of the world’s most‑wanted hackers, he’s now an ethical threat actor, using the same persistence, adaptability and ingenuity that once fueled high‑profile breaches to help organizations bolster their defenses.

At MSP GLOBAL 2025, Jesse will lift the lid on the real psychology of attackers – from hacktivists chasing a cause, to profit‑driven scammers and nation‑state operatives playing the long game. His mission: to show MSPs how understanding an adversary’s mindset can be the difference between a near‑miss and a catastrophic breach.

Ahead of his session, we sat down with Jesse to talk about his journey from curious teenager, to hacktivist, to combatting cyber terrorism as an intelligence asset. Now he shares the operational blind spots that leave MSPs exposed, and how to turn “thinking like a hacker” into a practical, proactive defense strategy.

Disclaimer: Any opinions expressed below are those of the subject and are not necessarily shared by MSP GLOBAL.

You’ve just come back from GTIA and DEFCON. Tell us the headlines.

I think the one thing I took away is: you don’t know what you don’t know. We took several MSP owners to DEFCON with us, and we’ve consistently seen the shock and awe in MSP owners because they thought things were different than what they really are.

They did not understand some of the tools out there. They thought every cybercriminal or threat actor is the same. They didn’t understand the evolution of tactics, tools and motivations because they typically see a narrative from the news, and most vendors are catering to solutions based on what is popular in the news, not necessarily what’s truly happening out there.

Let’s go back to the beginning. What first drew you into hacking? How did your motivations evolve from curiosity to more serious exploits?

I was a teenage kid in the mid 1990s. The internet was on the horizon. I was on dial-up BBS and then IRC—internet relay chat—and on AOL in 1994 right as all these other tools were starting to emerge.

I could go to my local computer store and buy software, or I could just download it and not need to use the registration key. And suddenly that curiosity hits me: why is that? How did someone remove the registration key function?

I started hanging out with software crackers and that curiosity grew. Then I wanted to help distribute software, so I became a distro. For this you need a top site, which is a super-fast site that you can host software on and move it. Government, military systems and universities had some of the best connections. So I started hacking and using them to seed pirated software to build a reputation.

The curiosity evolved even further. I became a website defacer for what would be considered an early APT (advanced persistent threat) group, HackWeiser, and that led into a vigilante streak and becoming a hacktivist.

Then in the spring of 2001 the US was involved in a global incident that I watched unfold on the news. This is when I made the shift to use my skills and talents for good. I want to be a good guy, but I was going about it in all the wrong ways, resulting in billions of dollars of damage globally.

During this initial cyberwar, I had a knock on the door from the FBI, and that was the start of a major pivoting point. I still was involved in HackWeiser, but I lived a dual life as an intelligence asset, working with a division of the FBI, helping them fortify government and military systems while keeping my reputation. Then 9/11 unfolded and I found myself immersed into a national security incident, hunting the al Qaeda Cyber Army, and a second cyberwar.

And that was where that vigilante-hacktivism side of me was used. Law enforcement gave me the opportunity to take what I wanted to do, how I wanted to do it, and use it for the better, for society and mankind.

What are the common psychological traits of threat actors, regardless of whether they’re a hacktivist or a cybercriminal or a state-sponsored operative?

The first one is persistence, no matter the threat actor. But there are some distinctions.

Hackers tend to not be financially motivated. They could be driven by curiosity or attention seeking, perhaps by defacing websites. They could be a hacktivist who’s driven by a cause.

A scammer is someone that’s financially driven and motivated; they may use hacker tools, but their lack of morals and drive for financial gain is what fuels them.

Spammers are not typically intending to cause harm, but they’re delivering unsolicited mass messages and unintentionally cause problems.

Hacktivists are mission-driven, and a nation-state actor is driven by typically government- or military-based objectives.

All these different types of threat actors are extremely persistent. You don’t get a cause and a passion to do something and then just drop it overnight.

Every cybercriminal is also highly adaptive. They can shift their methods. They look for upcoming technologies. They will use something as long as it works, and as soon as it stops working, they shift.

What do you think MSPs specifically can learn from those different kinds of mindsets?

Understand each type of threat actor and how they’re motivated. Hacktivists often believe they’re acting for the better of society. Whether to expose corruption, fight censorship or promote a cause, they aim for visibility and impact more than stealth.

Sometimes these are the people that are defacing large websites, and unfortunately sometimes the people that are taking over hospitals or government agencies and holding them ransom. Not necessarily a financial ransom, but to make a statement. They get the media attention – the more attention they get, the more it fuels them.

With scammers, they are 100% profit driven. They seek quick, repeatable wins with minimal risk. They use proven tactics. They rely typically on social engineering. They do ransom hacks, they blackmail, they extort, and typically they’re the least technical. They act as a business. They will have a sales team, a leads team, and a recon team.

If you’re working in government agencies, military subcontractors or critical infrastructure, you’re probably going to see nation-state actors more, but most businesses are going to see “spray and pray” campaigns from scammers and spammers.

When a hacker or threat actor is profiling a target, what are the vulnerabilities that they look for?

Here is a magic question that everyone always misses!

At DEFCON, I was walking past one of the villages and there was a sponsor—who didn’t know who I was—and he said, “Imagine you’re a threat actor and you breach, what’s the first thing you’re going to do?” I say, “Well it depends on my target. But for most threat actors, which spray and pray, they’ll observe and understand the landscape, establish persistence, and start to exfiltrate”. And he goes, “Wrong! You would sit back and watch for weeks or months to understand how to blend in before establishing any persistence or anything else”.

It showed that vendors—even those trying to tap into hacker culture—don’t always get it. This guy missed the mark because most threat actors are what I would call spray and pray. Most of them are sending out mass campaigns and emails, text messages, voice calls or doing SEO poisoning or abusive browser notifications. It’s huge.

As soon as something sticks, they’ll take what they can get. Then they move to the next phase of establishing a persistent presence and exfiltrating data so that they have it as ransom, or whatever the case may be.

When they understand how it works and they learn it, they become more capable. And that is where you start seeing more sophisticated attacks.

What most MSPs are missing is understanding the human side, the low-tech side, the manipulation, the phone call, the deep-fakes, emails, text messages, voice calls. Most threat actors think, “Hey, what tools are at my disposal?”

How can MSPs translate these insights about threat actor and attacker psychology into more impactful training and client awareness programs?

MSPs are the gateway to technology for the entire world. They need to be able to deliver training that’s not just compliance-based awareness training, security awareness training or threat actor training.

In my opinion, awareness training means something different to what most providers call it. Because most providers are taking a template based on, say, a 2012 Netflix scam campaign, and rinsing and repeating, making this as obvious as possible so people don’t click on it, because failure is scary.

But failure is how you move forward. Delivering a phishing simulation once a year or once a month is crazy because the threat actors are delivering to your users every hour of every day. Stop penalizing users when they click on extremely real emails that are simulations. Because without that learning opportunity, the company is set up to have a breach. Awareness training is supposed to teach you the threats out there, basic standard security steps, how threat actors think.

MSPs need to understand the different types of awareness training out there, the different methodologies, and what works best for your clients. I think having a positive atmosphere where we can celebrate the learning opportunities and have a high fail rate so that people create muscle memory is better. These teach you to think like the adversary.

What are the top operational blind spots at MSPs, corporates and companies that make them or their customers easy targets?

Most threat actors enter through endpoint devices—cell phones, tablets, laptops. And a lot of the time it’s a phone call. It’s a text message. It’s an email. It’s a social media message.

That endpoint device is no longer tied to an office. Everyone has their workstation walking with them. Most people now are remote or hybrid. People need to understand that their device that they’re carrying with them is the gateway to everything.

You need endpoint security, and you need awareness training. Without both, you are a sitting duck.

Should people be delivering malware and other attacks to steal data or hold it for ransom? No, not at all! But will they? Yes. And we need to acknowledge that, and plan for it. Awareness training and proper endpoint security are both mission critical.

How does everything you’ve experienced and learned shape the way you guide people today?

When my daughter was growing up, I had people being extorted for money coming to me saying, “Hey, I looked you up because you’re Hackah Jak. Can we meet?” The questions were always the same, “What do I do? How do I navigate this? How do I explain this to my significant other? How do I keep this from happening to my staff? How do I keep this from happening to my friends and family?” To this day, we get those questions every week.

And we get to help in all that. As a former threat actor, my drive was always curiosity. It was never financially driven. It was not about destroying lives. I saw lives being destroyed when I was taking down a human trafficking network as part of my work with the FBI. I’ve always been passionate about that personal connection and keeping people positive and healthy. That’s the most important thing out there.

And it’s exactly what MSPs want to do. They want to create a healthy atmosphere for their clients to grow. But you also must understand that there’s bad guys out there. They don’t care about anything. That’s why you have to have that adversarial mindset. You need to have the right tools to combat it and the right training to understand it. You need to engage the right people to help.

Drawing on decades of first‑hand experience, Jesse will share how tactics evolve, why most attacks start with low‑tech human manipulation, and what defenders can do to anticipate the next move. Join him at The Expert Stage at MSP GLOBAL 2025 on Wednesday October 22, 4:20pm-5:20pm.


Francesca Cotton