The Recorded Future Blog

Chasing Foxes by the Numbers: Patterns of Life and Activity in Hacker Forums

Christopher Ahlberg at Security Analyst Summit

“Pattern of life analysis” is an effective counterterrorism technique that can also be applied to cyber threat intelligence. By classifying adversary behavior by its patterns rather than by distinct Internet handles, like “UglyGorilla” or “Hassan20,” cyber threat analysts can look across multiple handles, posts, forums, and social media sites to identify signals of malicious activity.

During the recent Kaspersky Security Analyst Summit, Recorded Future CEO Christopher Ahlberg explained why we should organize the Web for analysis rather than for search.

“Attribution,” he explained, “is many times based on sloppy handle usage.” What if a threat actor is cautious? “Handle hopping,” the act of switching between user names, is easy for a threat actor who is conscious of leaving a trail of Internet breadcrumbs. In traditional searching, where the username trail dies off, so does the lead to the threat actor or group.

Putting patterns to work, Recorded Future conducted a sample analysis across 500 hacker forums to find interesting signals. We used natural language processing to identify posts around vulnerabilities and exploits.

Interestingly, we found that in 98.8% of the more than 742,000 posts, the handle used was unique (even though hackers likely used multiple handles to cover their tracks, and each member of a group working together had a distinct handle).

While it’s easy to change handles, it’s less easy to change behavior. By clustering patterns, we were able to find similar behaviors across different handles and identify groups working around a particular vulnerability or exploit. Focusing on pattern analysis across user handles let us see the pods that share similar interests and actions online.
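To make the clustering step concrete, here is an added example (not Recorded Future’s code or methodology) that runs the pipeline the post describes over a handful of constructed forum posts: keep only posts that discuss vulnerabilities or exploits, turn each handle into a behavioral feature vector (which vulnerability identifiers it talks about and at what hours of the day it posts), and group handles whose vectors are similar into pods. The handles, timestamps, post texts and the `VULN-nnnn` identifiers are all made up for the example; the similarity measure (cosine) and the threshold of 0.5 are assumptions, not values from the talk.

```python
"""Behavioral clustering of forum handles (added example, not the page's own code).

Pipeline:
  1. filter posts to those that mention a vulnerability or exploit
  2. build one feature vector per handle from the surviving posts
  3. link handles whose vectors are similar and report the resulting pods
"""
from collections import defaultdict
from datetime import datetime
import math
import re

# Constructed sample posts: (handle, timestamp, text).
# Handles and VULN-nnnn identifiers are placeholders, not real people or CVEs.
POSTS = [
    ("fox_one", "2014-02-10 02:15", "anyone have a working poc for VULN-0001?"),
    ("fox_one", "2014-02-11 03:40", "VULN-0001 exploit works on patched hosts too"),
    ("fox_one", "2014-02-12 02:05", "VULN-0002 is related to VULN-0001"),
    ("wolf_77", "2014-02-10 02:50", "VULN-0001 poc attached, testing VULN-0002"),
    ("wolf_77", "2014-02-13 03:10", "updated VULN-0001 exploit"),
    ("badger", "2014-02-10 14:20", "looking at VULN-0003 patch diff"),
    ("badger", "2014-02-11 15:05", "VULN-0003 writeup"),
    ("otter", "2014-02-12 14:45", "VULN-0003 scanner ideas?"),
    ("lurker", "2014-02-12 09:00", "hello, new here"),
]

VULN_RE = re.compile(r"VULN-\d{4}")          # placeholder identifier format
EXPLOIT_WORDS = ("exploit", "poc", "scanner", "patch")


def is_vuln_post(text):
    """Crude stand-in for the NLP filter: keep posts about vulnerabilities or exploits."""
    lower = text.lower()
    return bool(VULN_RE.search(text)) or any(w in lower for w in EXPLOIT_WORDS)


def extract_features(posts):
    """Return {handle: {feature: count}} built only from vulnerability-related posts.

    Features are the vulnerability identifiers mentioned and a six-hour
    time-of-day bucket per post, so both topic and "pattern of life" count.
    """
    features = defaultdict(lambda: defaultdict(float))
    for handle, stamp, text in posts:
        if not is_vuln_post(text):
            continue
        hour = datetime.strptime(stamp, "%Y-%m-%d %H:%M").hour
        features[handle][f"hour_bucket:{hour // 6}"] += 1.0
        for vuln in VULN_RE.findall(text):
            features[handle][f"vuln:{vuln}"] += 1.0
    return {h: dict(v) for h, v in features.items()}


def cosine(a, b):
    """Cosine similarity between two sparse feature dicts (0.0 if either is empty)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def cluster_handles(features, threshold=0.5):
    """Union-find over the similarity graph; returns pods as sorted lists of handles."""
    handles = sorted(features)
    parent = {h: h for h in handles}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]   # path halving
            h = parent[h]
        return h

    for i, a in enumerate(handles):
        for b in handles[i + 1:]:
            if cosine(features[a], features[b]) >= threshold:
                parent[find(a)] = find(b)

    pods = defaultdict(set)
    for h in handles:
        pods[find(h)].add(h)
    return sorted((sorted(p) for p in pods.values()), key=lambda p: p[0])


if __name__ == "__main__":
    feats = extract_features(POSTS)
    for pod in cluster_handles(feats):
        print("pod:", ", ".join(pod))
```

Handles that never post about a vulnerability (here, `lurker`) drop out before clustering, and handles that discuss the same identifiers at the same hours end up in one pod even though their names share nothing. A real analysis would use richer features (writing style, quoted tool names, forum membership) and a proper clustering algorithm, but the grouping logic is the same.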

To learn more about this research, watch Christopher’s talk below and learn how Recorded Future uses a hard analytic capability to proactively identify more indicators of threat activity.