Identifying Key Expert Actors in Cybercrime Forums Based on their Technical Expertise
Estelle Ruellan, Francois Labreche, Masarah Paquet-Clouston

TL;DR
This paper identifies key expert actors in cybercrime forums by analyzing their technical expertise and community structures, revealing that a small percentage of actors possess significant attack pattern knowledge, which is crucial for cyber threat intelligence.
Contribution
It introduces a novel method combining CVE, CAPEC, community detection, and criminological frameworks to identify technically expert cybercriminal actors in forums.
Findings
Key actors constitute about 4% of the population.
Community structures reveal groups interested in similar attack patterns.
Approximately half of the actors are amateurs with limited expertise.
Abstract
The advent of Big Data has made the collection and analysis of cyber threat intelligence challenging due to its volume, leading research to focus on identifying key threat actors; yet these studies have failed to consider the technical expertise of these actors. Expertise, especially towards specific attack patterns, is crucial for cybercrime intelligence, as it focuses on targeting actors with the knowledge and skills to attack enterprises. Using CVEs and CAPEC classifications to build a bimodal network, as well as community detection, k-means and a criminological framework, this study addresses the key hacker identification problem by identifying communities interested in specific attack patterns across cybercrime forums and their related key expert actors. The analyses reveal several key contributions. First, the community structure of the CAPEC-actor bimodal network shows that there…
