A Hacker’s Hierarchy of Operational Needs
Maslow’s Hierarchy of Needs
All humans have a basic set of needs which they work to satisfy – as described by Maslow in his seminal, “A Theory of Human Motivation.” Maslow did not create a true hierarchy. He describes how there are sometime competing and/or complementary needs. Instead of a strict hierarchy, these needs form dominating preferences or priorities.
It made me question whether there was a cyber operational equivalent: a set of hierarchical needs or requirements necessary for the adversary/hacker to meet their goal. Like Maslow, I do not believe that this hierarchy is necessarily serial in nature but rather inform priorities and dominate preferences. Nor do I believe that they must necessarily be satisfied in order, serially.
For instance, a hacker may create a capability and then sell that capability, or their skills to use the capability, to an organization thereby gaining funding for the rest of the operation. However, while the capability was the first achieved in the chain, it was a vehicle to achieve a more base need: funding.
Basic Necessities: Obviously those things which allow a person to live and work effectively
Funding: Even the most basic funding is required for equipment (computer(s)) and/or purchasing other things like connectivity to the Internet and the like.
Connectivity: A hacker must be connected to a network to which s/he can reach potential targets
Target Vulnerabilities: A hacker must have a set of vulnerabilities and exposure upon which they can exploit to achieve their goals
Capabilities/Infrastructure: I believe these are both equally important but both are a requirement for operations – the capability to achieve their effect, and the infrastructure to deliver the capabilities to the target victims
Targets: A hacker must have a one or more targets of which they can use to achieve their intent
Access: A hacker must have access to the target to achieve any effects and ultimately achieve a positive outcome
Outcome: The successful exploitation, attack, etc. of which was the entire intent of the hacker
Reward: The reward for their successful operation (fame, fortune, notoriety, etc.)
So, what do you think? Do they map to your understanding of the hierarchy for the operational needs of a hacker? How would you use this model?
Pete Cap
I think this is pretty interesting. The topic of what incentivizes people in this industry has come up numerous times in the past few weeks, for example: the bounties paid by Google or Tipping Point do seem to encourage people to find bugs, but not every…uh…”researcher” has access to those opportunities. We also grind our teeth constantly over how much good intel the AV community could put out if only they were a little less focused on pushing signatures. It’s definitely a good topic to investigate.
Maureen
This is a good model of intruder motivation. It would also work for the other side, for the network defenders. If we change the term “Targets” to “Communicants” and change the term “Target Vulnerabilities” to “Communicant Protection” then this hierarchy seems to apply equally as well.
How would we use these models? We could use them to identify the weakest link in order to correct it. For example, if the weakest link in the hacker hierarchy is infrastructure, then supply expanded distributed infrastructure; and if the weakest link in the defender hierarchy is reward, then supply better reward to defenders.
Likewise, we could study the opponent position using these models, and work to undermine their pillars. For example, if the hacker adversary has known points of connectivity, then work to cut that connectivity. If the defender adversary has heavy dependency on funding, then work to cut that funding.
irul
All have different needs, though born a twin brother was not likely the same needs. The more mature a person, the need will increase. Because it must be coupled with the ability and expertise to fulfill that need. The most important is the ability of communication, without communication people may not be able to live
Sam Mammen (@sammen89)
A related but defensive perspective on this.
The Cyber Security Analyst’s Hierarchy of Needs
http://www.realcybercrime.com/the-analysts-hierarchy-of-needs/